In this special guest feature, Steve Conway from IDC writes that cybersecurity threats pose real danger to the U.S. private sector, despite best practices that are available today.
Today, these same threats have been extended to a newer type of stored value: the vast volumes of data that describe and help maintain critical infrastructures — national security systems and power and communications systems — along with sensitive business data pertaining to customers, suppliers, and other parts of the corporate ecosystem.
The findings of a recent IDC study on the cybersecurity practices of U.S. businesses reveal a wide spectrum of attitudes and approaches to the growing challenge of keeping corporate data safe.
While the minority of cybersecurity “best practitioners” set an admirable example, the study findings indicate that most U.S. companies today are underprepared to deal effectively with potential security breaches from outside or inside their firewalls. There was a frequently cited belief among the interviewed firms that they would inevitably be breached, yet many of the firms seemed content to wait until then to focus harder on cybersecurity. Rated best at cybersecurity were large firms in the financial services, retail, life sciences, and technology sectors.
The study findings imply that the U.S. private sector is more exposed to cybersecurity threats than it needs to be, given the best practices that are available today. The situation will improve substantially only in response to more pervasive, serious breaches — and it’s likely that breaches will become more frequent and damaging during the next 10 years.
The companies said it can take two years or more to detect a successful breach — meaning that they may already have been breached without realizing it. Hence their emphasis is more on the side of forensics to identify and respond to breaches.
The worst practitioners up their insurance coverage rather than improving security. This transfers financial risk to the insurers but does little to safeguard the companies’ most valuable assets — their reputations — in the event of a serious breach. It’s not unusual to benchmark cybersecurity defenses only against those of direct competitors, in the belief that being harder to breach than rivals will ward off cyberattacks. This is akin to the camper’s argument to his companion: “I don’t need to outrun the bear; I only need to outrun you.” The problem is that some attackers are smarter than the average bear and are not focused only on one industry.
The best practitioners view cybersecurity as a talent contest that pits the attackers’ brains against the best cyber minds in their company. For this reason, they pay top salaries for the best cybersecurity talent in the market. They have detailed plans in place for responding to a serious breach, including communications procedures that map out who contacts whom (including the media) in what sequence, how to cut over to replicated data needed for business continuity, and so forth.
Few of the surveyed U.S. companies altered their cybersecurity practices in the wake of highly visible, damaging breaches such as those that affected Sony Pictures and Target Corp. The prevailing attitude favored getting more serious only after your own firm has been breached. Also, most of the surveyed companies worried more about potential attacks from outside than about the possibility of employee misbehavior.
Large companies with many locations, such as national retailers and banks, are highly exposed to cybersecurity attacks because their attack surfaces are spread out and hard to control. The best practitioners in this group strive to air gap systems wherever practical — that is, isolate them from network connectivity.
There was a time when corporate cybersecurity officials stressed the standardization of employee IT devices to make security and technical support easier — only one or two device profiles to worry about. Standardization may make it easier for companies to control security, but reliance on only one or two device types also makes it easier for hackers to maximize access and damage once they’ve gained entry into a company’s network. It’s akin to the ease with which Dutch elm disease can spread when an urban boulevard is planted with nothing but elm trees.
Standardization still happens at many firms, but today standardization is typically accompanied by heterogeneity — the ability of employees to access their corporate networks via a growing list of devices they select themselves, especially tablet computers and smartphones. The competitive need for today’s employees to be “always available,” even when mobile, has brought about this broad acceptance of BYOD (bring your own device).
The best practitioners realize that when your business model is tightly coupled to other companies, such as suppliers, your security risk escalates. These firms also realize that they can’t afford to cover all the bases adequately, so they zero in on suppliers and others that can access high-value data — that includes customer credit card numbers and social security numbers.
Applying advanced analytics to cybersecurity holds great promise but is still in its infancy. One area where analytics is already making substantial headway is fraud and anomaly detection.
The best practitioners don’t rely primarily on IT experts for forensics. Instead, they hire ex–law enforcement officials who have deep practical experience in investigative methods for tracking down criminals and identifying their behavior patterns to mitigate repeat attacks.
In sum, the study on the cybersecurity practices of U.S. businesses reveals a wide spectrum of attitudes and approaches to the growing challenge of keeping corporate data safe. The findings indicate that most U.S. companies today are underprepared to deal effectively with potential security breaches from outside or inside their firewalls, but the best practitioners show that there are already ways to improve the odds of averting attacks, or surviving them with less damage.