Image source: Flickr CC user Martin Terber
Recent security research shows that businesses simply don’t realize the extent to which they can use real-time monitoring to identify intrusions before they become a threat. A Forrester poll shows most businesses don’t even realize real-time security is a thing and a report from EY shows the same misconceptions abound. The lack of knowledge on this issue gives us yet another reason to demand a CISO have board-level visibility at every major company.
EY’s Global Information Security Survey 2014 tells a distressing tale. Most organizations have only made modest security improvements following the rash of data breaches in 2013 and 2014, and many aren’t even aware of the level of security tools available to them. EY describes a static security model that has not responded to an ever-changing threat landscape.
According to EY, businesses treat security as a “bolt-on” feature – something to be implemented after other considerations have been made. They fail to include the value that strong security adds to business models. Organizations tend to focus on the current environment when assessing risk, failing to think about how that may change in the future.
By changing security features based on the current legal landscape and using compliance as a driving factor, companies tend to believe they have a dependable ruler to measure their security. Unfortunately, the numbers on that ruler are wrong. Companies can be 100 percent compliant with the law, but laws take time to come into existence, while companies with static models sit vulnerable, waiting for an act of Congress.
Forrester’s Edward Ferrera calls this environment one of “fear, uncertainty, and doubt (FUD).” But he also agrees with EY’s assessment, noting, “I am one analyst that is reluctant to paint information security with the fear, uncertainty, doubt (FUD) brush, but after reading the EY report I am not sure that FUD is inaccurate.” Forrester’s own research shows that many companies don’t even know real-time security is an option.
Most Companies Couldn’t Detect a Cyber Breach
According to EY, 56 percent of organizations are unlikely to have the tools needed to detect a sophisticated attack. Other sobering findings include:
- Insufficient Tools – 74 percent of organizations admit that their cyber security programs don’t fully meet their needs.
- Failure to Focus on What’s Next – 56 percent aren’t focused on emerging technologies.
- No Central Command – 42 percent have no central security facility.
- Lack of Visibility – 37 percent have no access to real-time security data that could uncover a potential attack.
- In the Dark – 36 percent have no program in place to gather intelligence on emerging threats.
With these distressing figures in mind, EY recommends companies take a mature security approach that activates vital, standard security measures, focuses on staying adaptable to the changing threat landscape, and implements proactive security to help anticipate and thwart attacks.
An Ideal Security Model Already Exists
EY’s recommendations make a good analogy for the human immune system, by the way. Humans have a static immune system that monitors the environment for threats, which represents the “activate” step of the EY approach. Implementing essential security protocols creates the “static” immune system, with a standard set of security controls that all systems should have.
But human immune systems also have adaptive capabilities, calling on other resources to deal with new threats. Companies must make security an integral component in all business operations if it is to function properly. They should be regularly engaged in gathering intelligence on potential threats and analyzing the environment for necessary changes.
This is also part of the “anticipate” step in creating a mature security model. Companies should know the data that will be most desirable to hackers and anticipate a high potential for attack. Finally, they must have strong incident response programs in place, knowing exactly what to do if a breach occurs. By modeling security after the living human disease defense model, companies can greatly increase the level of protection. When you begin thinking about security and your defenses as living, breathing entities, you become better at thinking about risk in a way that puts agility and forethought into your program.
Use HyTrust to Build a More Mature Security Model for Your Business
Use HyTrust’s policy-based administrative controls and auditing to help your security program become more responsive and reliable. From sophisticated access controls to cloud encryption and key management, HyTrust offers security solutions so organizations can build and maintain security that is active, agile, and anticipatory.
Contact HyTrust today to learn more.