Increasingly, companies are exploring a more "active defense" approach to cyber security, while preparing for an entirely new set of threats to medical data, connected vehicles, mobile payments, and Interne of Thing, as well as emerging technologies like "wearables." Traditional incident response – the rapid deployment of a team to remediate breaches to a network, identify additional threats and restore functionality – is necessary, but no longer sufficient. The connectedness of our cyber network demands intelligence-driven tools and processes that equip leaders with an anticipatory edge.
“When it comes to data security, the fundamentals have changed,” said Bill Stewart, executive vice president at Booz Allen and leader of the firm’s commercial cyber business. “News of a large-scale data breach is nearly an everyday occurrence, while the scope and long-term damage associated with cyber incidents are escalating.” U.S. data breaches hit a record high of 783 in 2014 according to the Identity Theft Resource Center, a 27.5 percent year-over-year increase.
“The companies we speak with are tired of chasing the problem: they want to do better than fight the next battle with the last war’s plan,” said Bill Stewart. “Looking ahead, we see both new, daunting risks and a shift in how companies tackle the cyber security challenge.”
Emerging trends include:
Internet of things expands cyber “attack surface” – For enterprise IT managers, cyber threats have existed in largely two dimensions – behind the firewall and beyond. But with the Internet of Things, cyber risk now stretches across a third dimension. Employees may come to work with a compromised wearable device, or pull their hacked connected vehicle into the company parking lot. This creates a new type of cyber risk for organizations – with significantly increased complexity and exposure. As the Internet of Things increases the cyber “attack surface,” companies must broaden defenses to include the plethora of embedded devices that now make up their ecosystem.
“Proactive defense” becomes best practice – Recent corporate victims of cyber attacks have one thing in common: they all thought they were prepared. Tired of being a step behind, companies will gravitate to a more active, anticipatory approach to preparedness and defense, one that looks over the horizon at emerging criminal patterns and active threat actors. We will see more organizations take an “intel to operations” model that enables companies to use real-time intelligence and threat assessment data to shape decision-making, fine-tune defenses and preempt emerging threats. “It’s a shift similar to what took place in natural disaster response, where use of predictive weather data enables communities to take preventive measures before the storm hits,” said Stewart.
“Incident response” hype meets reality – The cyber market is crowded with companies that market an “incident response” capability in the event of a data breach. Yet is there enough experienced cyber talent to staff up all of these companies? Do these offerings include the right balance of multidisciplinary expertise necessary to be successful (e.g., Crisis Communications, Legal, Policy, Business and Technical)? Expect CISOs and other corporate leaders to take a more discerning look at the latest incident response offers; the people behind them, and their step-by-step methodology. Their goal should be to position their firms to successfully navigate an incident and prevent negative repercussions.
Preparedness moves beyond dollars, compliance – Companies are devoting significant resources to building up their cyber defenses – and often quantifying those steps in dollars spent and compliance achieved. Yet as data breaches multiply and their reach broadens, scrutiny of preparedness will shift away from the “how much” to the “how” and “who.” How many people are engaged? What are their backgrounds? What software tools are being used? cyber security will continue to evolve from a compliance issue to a strategic, business-critical priority. This will trigger a greater interest in “what’s under the hood.”
Embedded security is now an undeniable requirement – It is a new necessity that presents a competitive opportunity. As internet connectivity touches everything from light bulbs to vehicles and electric turbines, cyber security and risk management increasingly must be accounted for when designing and producing products. And with end users increasingly concerned about privacy and data security, strong embedded security becomes a market enabler, differentiating a company and its products in a competitive market.
The c-suite rethinks cyber response – To date, the CIO or CISO has taken the reigns (and, too often, the blame) when a cyber crisis hits. Yet as companies understand the inevitable business impact of a cyber event there is movement to a new model. For example: adding a business leader within the c-suite with the explicit role of driving data breach response activities across all facets of the organization. A move a way from the current approach of assigning this job to a technology executive. Fueling interest in a different approach: workforce changes, new, emerging threats, and constantly evolving “best practice” response tactics.
Source: Booz Allen Hamilton
Timely, incisive articles delivered directly to your inbox.