While companies are embracing new technologies and systems, they also need to secure those systems. Cyber attacks are becoming more prevalent, and it takes more than a firewall and malware-protection software to prevent information breaches.
According to an Ernst & Young survey of 1,900 senior executives worldwide, the information-security function is not fully meeting the organization's perceived needs at 83 percent of the companies polled. That is so even though 93 percent of the companies have increased their investment in cyber security, and even though 31 percent of organizations saw security incidents rise 5 percent over the previous 12 months.
Attacks have also evolved. Hacking into a system is no longer the quick, smash-and-grab act it once was; the challenge companies face is advanced persistent threats. Attackers get in through something as simple as a phishing email or a USB drive. Once in, they stay in the system undetected and steal data over an extended period, explains Alan Brill, senior managing director at risk-mitigation firm Kroll Advisory Solutions.
Companies are still learning how to combat these attacks. In fact, most companies only become aware that their systems have been compromised when an FBI agent notifies them. For example, two FBI special agents came to the office of one of Brill's clients to let its executives know the company had been hacked by foreign nationals, a compromise that had been discovered during the course of a national security investigation.
Reacting to an attack after it happens is one thing, but preventing attacks is the hard part, experts say.
Part of the problem stems from within companies. First, executives may not want to invest a substantial amount of money in security if they don't believe an attack could happen to their company, Brill says. Second, the chief information security officer (CISO), or whoever is in charge of information security, may be reporting to the wrong person, says Andrew Shea, vice president of business development at security consultancy Conventus. Generally, the CISO, who evaluates technology risks, reports to the chief information officer (CIO), who reports to the CFO. However, the CIO may only deliver metrics to the CFO on how many threats have been stopped, not on what risks the company still faces. Shea says that is not the way it should work.
"That's where the gap is," he says. "CFOs want to know the status of their assets. They don't get that information from CIOs today."
Instead, the CISO should report to the CFO directly, Shea says. The CFO owns risk management at most companies, and information security is part of enterprise risk management (ERM). Yet although ERM nominally covers information security, it does not capture the risks the CISO identifies.
It is a slow process to get executives to understand cyber security. Many companies want to block every kind of attack and pour all their money into firewalls and malware-protection software. Companies that do that, however, are just "checking off boxes" and "diluting their ability to protect" against the threats that are actually relevant to them, says Adam Meyers, vice president of business intelligence at security startup CrowdStrike.
Shea places some of the fault on software companies that sell solutions that are seemingly easy to operate but carry additional responsibilities many companies are not prepared to handle. Security software may generate millions of threat notifications, but determining which are critical and which are innocuous is the hard part, he says.
Shea says executives need to use business intelligence to understand a company’s security risks. By digging deep into the cyber-risk factors, companies will know what tools to invest in to prevent those attacks.
Meyers also advocates identifying risks through intelligence-driven security. Each industry should home in on the risk factors that make it vulnerable and focus on protecting those areas. That allows companies to leverage the limited resources they have and see better outcomes in their organizations, he says.
“If companies are trying to protect against every outcome or attack, they will always be playing catch up,” Meyers warns. “If you know who is likely to attack you and how they’re likely to attack you, then those are the most important attacks to stop.”
Image by IT-Lex, via Google Images