We’ve been writing a lot about cybersecurity insurance - most recently in Cybersecurity Insurance: Closing the Widening Risk Gap. This is a fast-moving market, and one that I think will increasingly affect how enterprises manage cybersecurity risks. And, in the long term, insurance may even help enterprises reduce risk more cost-effectively and efficiently. But the road there is going to be filled with bumps and false starts – if that end state will be reached at all.
Have you trained your employees to be on the lookout for bogus emails?
In reaction to the rising complexity and increased damage of certain cyber-attacks, more enterprises have been turning to threat intelligence as a way to stay tuned to the risks. Last year, Enterprise Strategy Group released a survey that found 72% of organizations planned to increase their threat intelligence programs this year.
Cybercriminals can spend months inside organizations, storing away information for a future attack or piecing data together that will get them to the prize they are after. They will also create measures to protect themselves from detection. Sometimes they create diversionary tactics to draw your attention away from what they are doing and where they have succeeded, as EY’s Global Information Security Survey 2015 shows. Cyberattacks impact business decisions, mergers/acquisitions and competitive positions.
Recent cybersecurity incidents have left organizations and companies struggling to implement the necessary resources to minimize IT risks, regardless of how much security budgets have increased. More than 71 percent of organizations fear zero-day attacks and strongly believe they’re the most serious threats, and over 74 percent believe that it’s likely or very likely that their organization will be hit by an APT (Advanced Persistent Threat).
Some argue that successful information security is a matter of getting the technology right. Others contend that it’s more about training and education. I think both views are valid, but neither is complete. Good information security is about technology design and deployment, to be sure. But it’s also about people and the right processes being in place.
One of the hottest topics in IT these days is the Internet of Things (IoT). This is partly hype for sure, but IoT is nevertheless something all IT and security executives should be learning about, if not actually focusing on as a corporate strategy.
Cyber attacks involving destructive malware will become a bigger problem for organizations. A growing trend in cyber attacks has been the unleashing of destructive malware such as Cryptolocker and Shamoon. Only 38 percent of respondents in a recent survey by Ponemon Institute said they have a strategy to deal with destructive software.
The Internet of Things will soon become the biggest vector of attacks on companies, as the number of connected devices is set to reach between 20 billion and 50 billion units by 2020.
The definition of corporate “endpoints” is constantly evolving, and securing those endpoints is becoming increasingly complex for enterprises. As the SANS Institute points out in its March 2016 Endpoint Security Survey, endpoints now include non-traditional computing devices or "things," and IT professionals are becoming aware of the fact that those endpoints require different thinking around security.