Jan 30, 2015
If Paul Revere were a security professional, his midnight ride would be spent warning about the impending wave of cyber-attacks. IT and security leaders may not need to mount steeds, but my research shows they must sound their own clarion call and get the enterprise to make a fundamental change in its security posture.
Forget one if by land, two if by sea. Today’s threat landscape is literally everything and anything. One if by Web, two if by internal breach, three if from malware, four if by phishing, five if by trusted vendor and the list goes on. Cyber attackers are relentless and more sophisticated with access to even more tools (here’s a list for starters).
Even massive companies like Target, Home Depot, Sony, Apple, and JP Morgan Chase have all fallen prey to hackers – and faced a public lashing because of it. With all of their enormous security budgets and dedicated security teams, it’s shocking these breaches are happening so often. And if they’re happening to these companies, what can your company do to protect itself?
To get ready, security (and business) professionals need to accept some truths and think about security differently. First, there are many points in the network that we used to think were secure but are not today. One of the recent, highly publicized hacks originated from a trusted vendor that came in behind the organization’s secure perimeter. The fact is that there’s no way to trust the security of partners, suppliers, etc. and every point in the network should be considered a threat. Security professionals today must adopt Fox Mulder’s credo — “Trust no one” — as that trust will eventually become a glaring weakness.
Users are also a problem. Many attackers have shifted the focus away from servers and network devices and are leveraging the naiveté of users by exploiting browser and e-mail weaknesses. I saw a recent data point that only 10 percent of workers are running the most current version of Internet Explorer, a favorite attack point for cyber-terrorists. If businesses aren’t willing to update software for security patches in a timely manner, how secure can the organization be? They say you’re only as secure as your weakest link, and for many companies the desktop is the weakest link.
If businesses aren’t willing to update software for security patches in a timely manner, how secure can the organization be?
Also, it’s time for security pros to start thinking architecturally about security instead of the hodgepodge way the technology is deployed today. The concept of security analytics is hot and makes perfect sense but it’s predicated on having the data to do analytics on.
My research shows that most large enterprises use at least a dozen different security vendors. How could anyone come up with a normalized set of data to analyze with inputs from that many different vendors? A better approach would be to find a vendor that works with the existing network architecture that can provide visibility across the enterprise so appropriate action can be taken. It’s not likely that any one, single vendor can do this but certainly rationalizing down the number of solution providers would definitely help.
The hackers are coming, and in a big way, but businesses can start a revolution. Stop continuing to do things the old way. Adapt a new security mindset and give your company a fighting chance.
Zeus Kerravala is the founder and principal analyst with ZK Research. He provides a mix of tactical advice to help his clients in the current business climate and with long term strategic advice. Kerravala provides research and advice to the following constituents: End user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers.