2020 cybersecurity – putting the house in order
By Nik Whitfield
Cybersecurity has constantly been in the news, both because of publicized breaches and because of data protection laws. Here Nik Whitfield explains why businesses need to think beyond security simply in terms of password protection and antivirus software, and look to implement better cybersecurity planning.
2019 will go down in the cyber hall of fame as the year the regulators showed their teeth. After a relatively quiet 2018, the last year has seen companies having to fork out nearly $1.45 billion in fines. These record-breaking penalties across the US and Europe have been in clear response to security programmes that have been deemed to be insufficient.
The word ‘insufficient’ is key. The companies are being penalised for not having implemented robust security arrangements, which is fundamentally different from being fined because they were subject to a data breach. This was illustrated clearly by the case of British Airways, which has received the biggest GDPR penalty to date of $230 million. The ICO found that it had been ‘compromised by poor security arrangements’ and the company was fined accordingly.
This is proving to be a wake-up call for the whole cyber market. Boards are looking at these fines and asking their security teams: ‘do we have poor security arrangements?’ Many will not be satisfied with the answer. The cyber division, by comparison to other business units, is still in its relative infancy.
Whereas other departments are using software to automate, predict and inform strategic decisions (think Salesforce, CRM systems, ERP software), the cyber division has been beholden to using ad-hoc, manual processes to measure assets and controls, often via spreadsheets and questionnaires, which has resulted in data that is incomplete and untimely.
We commissioned a survey earlier this year of more than 200 senior security leaders to get an insight into this challenge. The results demonstrated that enterprise security teams spent an average of 36% of their time manually producing reports from 75+ security tools (150+ for banks) and 89% of the security leaders had concerns about a lack of visibility and insight into trusted data.
As we look ahead to 2020, these issues will only be exacerbated by the enhanced scrutiny from existing and new regulations, as well as other key market forces, which include more shortages in security resources and an increasing attack surface from data in cloud storage and IoT assets. Squaring this circle to strengthen the company’s cyber security posture will require teams to change the way they measure security and to have a renewed focus on ensuring the basic tenets of cyber hygiene.
Moving forward with cybersecurity
Moving forwards, there will undoubtedly be an industry-wide shift to organisations investing in platforms that automate the management and measurement of security programmes. This will not only ensure that security teams can give Boards and regulators accurate and timely data, but it will also enable stretched security staff to focus their time on more strategic activities, rather than wasting a third of their time buried in spreadsheets.
There will also need to be a shift in the way security teams approach their programmes, with a marked change from fire-fighting to fire-proofing. Endpoint security tools designed to detect, respond to, and recover from incidents will be deprioritised in favour of tools that proactively identify and protect against control and safeguard gaps before they become a security incident.
The last decade saw a surge in cyber defence technologies that support a reactive approach, such as malware removal software. It has become an outdated equation, as an organisation will never have enough resources to respond: reacting costs much more than the budget available – it’s like closing the stable door after the horse has bolted.
Changing threats in cybersecurity
A different playbook is required to stand a genuine chance of combating threats successfully and addressing the myriad of compliance issues facing all industries, especially with the proliferation of cloud services. With limited budgets and resources, and demands for insight and proof, organisations must move to developing a robust, proactive cyber strategy.
No company can be 100% secure, but it can get clarity on acceptable levels of risk and confidence that it is addressing the fundamentals of cyber hygiene, which starts with knowing, on any day, what assets it is protecting, how they’re controlled, and how they’re vulnerable.
Having this foundation in place, with platforms that automate insight into data, will crucially help protect the company against the vast majority of future attacks, as well as giving the security teams the confidence that they can evidence regulatory compliance in this new era of the mega-fines.