CIO Decisions

The new security paradigm

Sapsiwai - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

CIOs beef up security tools in wake of 2014 data breaches

What's different about security strategies in the aftermath of the 2014 data breaches? More money, more monitoring, more employee training, and that's just for starters.

J.P. Morgan. Target. Home Depot. EBay. Sony.

These are just some of the corporate giants that have suffered massive, expensive, reputation-draining security data breaches in recent months.

While it's unclear exactly how many breaches occurred last year -- many smaller-scale hacks and leaks go unreported -- the Identity Theft Resource Center pinpointed 783 data breaches in 2014 based on media reports and notification lists from state government agencies. That's a whopping 27.5% increase over the same period the previous year.

It's a wonder CIOs can sleep at night.

"I go to bed every night making sure my phone is not on vibrate. If needed, I am at the ready," said Don Baker, CIO with Mediaocean, a New York-based advertising services company. "When it comes to security and data integrity, there's a much more heightened sense of concern today, not just because of the number of breaches, but because of the sophistication we're seeing with some of these attacks lately."

With hackers finding new ways of bypassing traditional network security systems, Baker, along with many CIOs, say they have had to re-evaluate their security strategies in an ever-evolving attempt to stay ahead of cyber criminals. "You can't assume what you have been doing year to year for however long is sufficient in the world we live in today," Baker said.

Don BakerDon Baker

In a recent survey by EiQ Networks, 90% of CIOs and other top IT professionals across industries said security breaches were their top concern. However, only 21% of the 145 IT decision-makers  surveyed said they are truly confident in their system's ability to mitigate the risk of security incidents; only 31% had a "solid process" in place for cyber defense, and only 15% said the company was "well prepared" for a breach.

The lack of confidence is hardly surprising. Data security is a daunting responsibility today. For one thing, the sheer volume of software and devices that need protecting has mushroomed in recent years. A lost laptop with 1,000 social security numbers used to be cause for high concern.

"Now, of course, we have the cloud, social networks, Web services, mobile technology. And we have exponentially more devices," said Michael Beckley, CTO of Appian Corp., which makes business process management software. "The more the surface of an IT organization to attack, the more there is to defend."

The good news is that many CEOs and members of the board of directors are giving IT organizations additional money and manpower to address the issue, according to the Poneman Institute, a security research firm.

Michael BeckleyMichael Beckley

"Target was the mother of all data breaches at the time, and it was a wakeup call for a lot of organizations," said Larry Ponemon, chairman and founder of the Ponemon Institute. "They could see that it had a huge effect on customer loyalty and trust. A lot of companies realized they weren't doing enough or spending enough, and we know from our research that CIOs are striving to do more and better things now."

Indeed, interviews with IT leaders showed that many are taking steps to shield their corporate data with a wider array of tools and beefed-up security processes. Their multi-pronged strategies include behavioral data detection systems, device encryption, user monitoring, employee training and --in an attempt to avoid making the same mistakes that proved so damaging to other companies -- thorough investigations of publicized breaches.

Monitoring user behavior

Monitoring is one area where CIOs need to step up their game, said Jay Heiser, research vice president with Gartner Inc. Many organizations have been putting more effort into "locking the doors," he said, than in detecting whether those doors have been circumvented.

Jay HeiserJay Heiser

"It feels good to put more locks on the doors, but if someone comes in through the windows, what's the point?" he asked. "If there is any change based on this year's dramatic failures, it's a renewed appreciation for the benefits of monitoring."

Some organizations are taking advantage of behavioral intrusion detection programs that look for anomalies in the way users work in systems. IT must have a good handle on what is considered normal baseline behavior so it can look for a spike in activity that might be a sign of something malicious happening.

"If you normally have 5,000 logins a week and you suddenly see 15,000, you have to drill into that to figure out what's going on," Mediaocean's Baker said.

In the past, a small, temporary spike in activity might be shrugged off as a blip, but these days, CIOs are scrambling to investigate anything remotely unusual. In many cases, it's not about preventing or addressing the obvious hack, it's about trying to sniff out the subtle attack that may go undetected.

"You are less likely to see a little spike and say, 'Let's wait and see if it reoccurs,'" Baker said. "You have to take any spike in activity and think, 'This could potentially be something going on.'"

Employee training: If you see something, say something

Since some hacking cases have been reportedly traced back to employees who inadvertently invited a malware attack, a big piece of the enterprise security battle comes from arming employees with a healthy level of skepticism about where they surf and click.

Even an email from a coworker who doesn't normally contact the recipient should raise alarms, experts said, especially if the coworker asks the employee to open an attachment or supply sensitive information. In cases like that and with other suspicious email, employees should be trained to contact IT for guidance, security specialists advised. But don't expect overnight results. 

"You can't teach employees in one week or even one month. But if you teach them a little bit every day, it will become habit," said an IT executive from a security firm that provides training software to help organizations teach their employees secure behavior.

Measures taken to mitigate internal threats shouldn't be limited to employees. Appian's Beckley is among many CIOs today who are looking anew at how their organizations handle consultants and contractors granted varying levels of access. It's imperative that these temporary workers (and departing employees) are prevented from getting into the system after they leave.

"It's about using process control and automation to at least ensure that people are properly credentialed to access the system when they come on board, and to make sure passwords are deactivated and those access controls are turned off when they leave," Beckley said.

A startup cybersecurity company specializing in enterprise endpoint threat detection tools has found the best way to inform employees about work-related security is to educate them about how to protect themselves personally, for example when they post on social networks, shop online or open email.

"Mostly it's about understanding what you're doing when you're browsing and knowing that when you get an email and click on a link, that's how you can get hacked," the firm's CTO said. "If they take precautions at home to protect their own data, they will do the same thing at work to protect company data."

Working remotely and encrypting data

In terms of mobile use, IT leaders say employees need to play it smart, taking care, for example, not to access the Internet on a public WiFi network when they are dealing with sensitive corporate data. Such precautions, while obvious to IT folks, need to be reinforced with employees who habitually use their smartphones for personal transactions.

Baker said employees at his company are not permitted to pull data down to a remote device to work with it when they are not on site.

"People can't use their devices to get directly into our systems," he said. "They might be able to visually see a screen, but it's like a dummy terminal because they can't do anything with the data back and forth."

Businesses that need employees to be able to interact remotely with internal systems are increasingly encrypting devices so that data can't be accessed -- and IT can also remotely wipe or delete a device that gets lost or stolen.

Encryption certainly works better than passwords that are easy to lose and can be duplicated, said Appian's Beckley. "Passwords are terrible and have to die. We need fingerprint identity and strong encryption on devices," he said.

Seeking outside help

Many companies -- particularly small and medium-sized businesses that may not have the resources to hire on-site IT security specialists -- are seeking help from third-party security contractors.

Baker said Mediaocean uses a company that helps with intrusion detection and other security assessments, including regular attempts to hack into the system in a controlled manner.

"They're trying to find anything that's publicly exposed that could be an entryway," he said. "I highly recommend that aside from what an organization does on its own, you need a third party to perform tests. You live just in your world, but they live and breathe security."

Beckley said many of Appian's clients are doing a mix of custom coding projects, along with adopting more platform technology and cloud technology as ways of reducing their internal attack surface. It also helps limit outside vendors and other business partners from having access to certain sensitive back office systems.

"Every time a programmer writes a line of code, it could be written to create a new vulnerability," he said. "That doesn't mean platforms are perfectly secure, but it's a way of trying to simplify things to a manageable set of challenges."

Planning for a disaster

CIOs know that fully preventing an attack may be next to impossible -- which is why having a concrete plan in place in the event an attack occurs is a must.

"You're naive if you believe you're going to prevent everything. You have to assume this could happen to you at some point," Baker said. "Now it's about not only preventing attacks, but handling it and minimizing the damage after an attack happens. It's a major mind shift because in the past, you may have handled it more on the fly. That doesn't cut it in today's world."

When planning for how to handle a data disaster, it shouldn't matter as much how the problem occurred as it does how to deal with it, Heiser said.

"One of the beauties of contingency planning is you don't need to predict the type of behavior. You don't care if the service was taken down by a flood, by a hacker or by space aliens," Heiser said. "The point is to determine what loss of service is acceptable and what contingencies are in place to restore service."

When a cyber assault occurs, the cleanup itself is often destructive to business, particularly if the company has to shut down all operations.

In fact, the cost of a data breach jumped by 23% this year, according to the Ponemon Institute, a research organization that specializes in data protection, privacy and cyber security. It takes a large organization an average of 31 days, at a cost of $20,000 per day, to clean up and remediate after a cyberattack.

"It's a complex process. Sometimes companies have to hire forensics experts," said Ponemon.

Some of the costs are tangible, such as the cost of investigating the breach and notifying customers, but companies also stand to lose prestige and future, paying customers the longer the breach takes to remediate. Because time is money, the CTO of the startup specializing in endpoint security said that contingency plans should include decisions about which applications can be turned off and which ones should continue to hum while an attack is in progress.

"If you look at the way cars are built, if your car hits something, the fender might be destroyed, but it saves the lives of all the occupants. So you need to be willing to throw part of the car away," he said. That's the approach his firm took for its own operations, separating critical business applications from systems that if necessary, the company could "let crumple or throw away." 

"Can we shut off part of the system and let the attacker have full control over that, but keep them there so they can't come after the rest of your system? It's about figuring out how to contain the problem so you have a little more control," he said.

Fear of the unknown

What makes IT security so difficult -- and even anxiety-producing for many corporate leaders -- is the unknown: not knowing whether a security breach has even occurred right under their noses.

"Security falls off the edge with a constant and infinite loss of data of lesser consequence. The majority of leaks are not detected," Heiser said.

The average time it takes to detect a data breach is 170 days, and if the breach involves a malicious insider, the number grows to 260 days, according to the Ponemon Institute.

"The bad guys are stealing things, and you don't even know it," Ponemon said. "Some people never find out they've been hacked."

And so CIOs and their IT staffs these days spend an enormous amount of resources -- time, energy and money -- looking into how other companies were hacked so they can plug their own holes in a never-ending attempt to avoid becoming the next company thrust in the breach spotlight.

The new tactics and reinforcement of good security habits have certainly helped build fences around data, CIOs said, yet many add they are under no illusion that any system is fool-proof. When it comes to security, there is no silver bullet, observed Appian's Beckley.

"We can never relax. These breaches are a reminder of the necessity of humility. It takes continuous monitoring and persistent vigilance," he said. "It's an arms race. There is no winning it; there is only not losing it."

Chart: Massive data breaches


About the author:
Dina Gerdeman is a Boston-area-based freelance writer and editor covering business news and features.

Article 3 of 6

Dig Deeper on Enterprise information security management