Here’s what Samson David, the senior vice president and Global Head Cloud, Infrastructure Services and Security at Infosys has to say about security in the Digital World

The digital age revolves around interacting and sharing information online through photo-sharing, status updates, user reviews among others. Despite such aggressive content sharing, everyone has concerns about privacy and security – so do businesses. Previously, to avert predictable threats, one only had to strengthen their boundaries – an approach that has demonstrated success in the past. Today, however, trends such as social media, mobility and the Internet of Things (IoT) are blurring organizational boundaries, turning enterprise security into a high-wire act without a safety net.

Enterprises that believe a one-size-fits-all security solution will protect their business, brand or reputation are setting themselves up for unpleasant surprises. A Kaspersky study found that 94% of companies surveyed had experienced cyber attacks from outside their perimeter in 2014. The cost of such an attack is nothing to sneeze at either – with damages from a single attack estimated to be as much as US $2.54 million (1). However, external threats are not the only cause of concern. Several cyber attacks aimed at infiltrating enterprise systems have used cleverly disguised malware on systems of trusted vendors/third parties. For instance, the Target security breach in 2014 was executed using malware that was installed in the systems of a trusted vendor. The hackers were able to access Target’s point-of-sale systems using the credentials of the vendor, resulting in the theft of credit card details of nearly 40 million customers (2). Thus, as the sophistication of cyber threats increases, no domain – internal or external – is safe. Clearly, we need to take a fresh look at how we go about ensuring cyber security.

Digital Security – A new approach

There are several available and upcoming next-gen technology tools such as predictive threat analytics, machine learning, and real-time analytics of network and device behavior that can change how security solutions work (3). However, businesses struggle to orchestrate these tools into a cohesive solution. Hence, successfully securing any business requires a completely different and strategic approach – one that can protect internal assets and monitor external threat through innovation, automation and customization.

Humanics – Re-imagining security

Ideation and innovation are what set companies such as Google, Apple, Facebook, Twitter and Amazon (GAFTA) apart. This new breed of digital age companies constantly seeks new ideas that deliver new experiences and possibilities for their customers. Let us see how this process, called ‘humanics’, can be used to design successful security solutions.

Showcase opportunities

Organizations need specialized talent to deal with the rising sophistication of cyber threats. Unfortunately, the demand for cyber security professionals is often met with an acute supply shortage. While the number of information security professionals is over 1.6 million in 2015, this number is set to increase to over two million by 2017 (4). Enterprises should leverage this and generate interest in cyber security by advertising opportunities and allocating more budgets for security departments.

Collaborate effectively

Fighting cyber threats requires joining forces with allies to mount a stronger defense. In the battle against cyber crime, an enterprise’s allies are government-sponsored security threat and information sharing programs, industry associations for security intelligence services sharing, forensics services, reputation services, etc. Public-private partnerships help to collate resources, strategies, knowledge, and best-practices on mitigating security risk. A good example of this is the diplomatic and technological collaboration between the US government and the financial industry in handling the distributed denial of service (DDoS) attacks on American banks in 2012 (5).

Strategize from the top

Organizations need to create a robust strategy for handling enterprise security. For instance, corporate policies should include an organization’s processes, systems, frameworks, interventions, and goals for ensuring security. Additionally, enterprises should prioritize initiatives that generate awareness amongst employees, i.e., how to safeguard enterprise data, recognize fraudulent emails, identify hacking attempts, and employ sound judgment when dealing with third parties. For example, one of the factors that contributed to the nightmarish attack on Sony Pictures Entertainment – a ‘hacktivist’ response to the release of the satirical film ‘The Interview’ – was email messages containing malicious content sent to company executives. These were either ignored or misidentified as spam. The ensuing hack led to disclosure of confidential employee information, hacked Twitter accounts, and theft of over 100 terabytes of data (6).

Trust but verify

A winning tactic in the battlefront against cyber crime is generating user awareness. Studies show that driving awareness by investing in user training programs can effectively reduce cyber infections from user behavior by 45-70% (7). However, this still requires investment in user behavior analysis and anomaly detection to help organizations better understand patterns of behavior and weed out malicious or duped human actors that cause cyber incidents.

Mechanics – Redefining security

If the first step in enterprise security innovation is ideating, the next is deploying agile, flexible and automated software to make it a reality, that is, ‘mechanics’. As cyber threats become more diverse, enterprises need a multi-layered approach that can protect their networks, perimeters, endpoints, and data (3). Enterprises need to focus on multiple security layers comprising of:

Basic best-practices – These have been around for a while but are not necessarily well practiced. These include:

1) Vulnerability management – Create a structured and virtuous cycle of assessment through scanning and testing that is supported by fast and responsive remediation, thereby ensuring that quick action is taken for all identified threats.

2) Security operations and support – Operate all the protective controls in the enterprise across the perimeter and end-points effectively.

3) Security monitoring and incident management – Vigilant security monitoring supports risk management efforts by monitoring applications, devices, networks and systems in real-time. Further, by collecting and analyzing historical data and security incidents, one can determine newer threat patterns.

Advanced layers – These are needed to identify unknown attack patterns, such as:

Cyber threat intelligence – Get actionable insights by evaluating the threat landscape. This can help your organization assess the probability of risk and mount a strong defense.

Access governance – A strong access governance framework can track and mitigate internal risk from inappropriate privileges and unintentional access to sensitive data.

Security analytics and patterns – This function blended with threat intelligence helps extract and manage Security Big Data while providing threat intelligence capabilities. Further, this leverages advanced technologies that aggregate data from management systems, security feeds, etc., and display information in a single dashboard.

Conclusion

In today’s digital world, complete security for data and information remains elusive. Enterprises continue to struggle to find holistic ways of protecting their data while monitoring potential threats. The answer lies in merging ideation with software and practices, i.e., ‘Humanics’ with Mechanics, to find the best-fit solution for effective enterprise security.

References

1. Kaspersky IT security Risk Survey 2014
http://media.kaspersky.com/en/it_security_risks_survey_2014_global_report.pdf

2. Case Study: Critical Controls that Could have Prevented Target Breach, August 2014
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

3. The Need for Efficient Cybersecurity Innovations is Evident in Every Sector, says Frost & Sullivan, March 2015
http://ww2.frost.com/news/press-releases/need-efficient-cybersecurity-innovations-evident-every-sector-says-frost-sullivan/

4. Why Cybersecurity Companies are ‘Renting’ Cyber Talent to Keep up with Demand, Sept 2015
http://www.forbes.com/sites/stevemorgan/2015/09/28/hot-cyber-rental-market/

5. Cybersecurity partnerships, NYU school of law, October 2014
http://www.lawandsecurity.org/Portals/0/Documents/Cybersecurity.Partnerships.pdf

6. Sony got hacked hard: what we know and don’t know so far, March 2014
http://www.wired.com/2014/12/sony-hack-what-we-know/

7. The Last Mile in IT Security: Changing User Behaviours, Nov 2014
http://v1.aberdeen.com/launch/report/research_report/9910-RR-Changing-User-Behaviors.asp