IoT creates new set of risks, orgs embrace active defense
If the past 12 months saw a dramatic increase in data breach activity, then the year ahead promises to bring an entirely new set of concerns – and a shift in how companies are responding to the cyber threat.
Increasingly, companies are exploring a more “active defense” approach to cyber security, while preparing for an entirely new set of threats to medical data, connected vehicles, mobile payments, and Internet of Things as well as emerging technologies like “wearables.”
Traditional incident response – the rapid deployment of a team to remediate breaches to a network, identify additional threats and restore functionality – is necessary, but no longer sufficient. The connectedness of our cyber network demands intelligence-driven tools and processes that equip leaders with an anticipatory edge.
As data security becomes a top priority for organizations of all sizes, Booz Allen Hamilton’s team of cyber experts sifted through the noise to determine what trends might shape the next 12 months, and shared their findings at RSA Conference 2015:
Internet of things expands cyber “attack surface” – For enterprise IT managers, cyber threats have existed in largely two dimensions – behind the firewall and beyond. But with the “Internet of Things,” cyber risk now stretches across a third dimension. Employees may come to work with a compromised wearable device, or pull their hacked connected vehicle into the company parking lot. This creates a new type of cyber risk for organizations – with significantly increased complexity and exposure. As the Internet of Things increases the cyber “attack surface,” companies must broaden defenses to include the plethora of embedded devices that now make up their ecosystem.
“Proactive defense” becomes best practice – Recent corporate victims of cyber attacks have one thing in common: they all thought they were prepared. Tired of being a step behind, companies will gravitate to a more active, anticipatory approach to preparedness and defense, one that looks over the horizon at emerging criminal patterns and active threat actors. We will see more organizations take an “intel to operations” model that enables companies to use real-time intelligence and threat assessment data to shape decision making, fine tune defenses and pre-empt emerging threats.
“Incident response” hype meets reality – The cyber market is crowded with companies that market an “incident response” capability in the event of a data breach. Yet is there enough experienced cyber talent to staff up all of these companies? Do these offerings include the right balance of multidisciplinary expertise necessary to be successful (e.g., Crisis Communications, Legal, Policy, Business and Technical)? Expect CISOs and other corporate leaders to take a more discerning look at the latest incident response offers; the people behind them, and their step-by-step methodology. Their goal should be to position their firms to successfully navigate an incident and prevent negative repercussions.
Preparedness moves beyond dollars, compliance – Companies are devoting significant resources to building up their cyber defenses – and often quantifying those steps in dollars spent and compliance achieved. Yet as data breaches multiply and their reach broadens, scrutiny of preparedness will shift away from the “how much” to the “how” and “who.” How many people are engaged? What are their backgrounds? What software tools are being used? Cyber security will continue to evolve from a compliance issue to a strategic, business-critical priority. This will trigger a greater interest in “what’s under the hood.”
Embedded Security is now an undeniable requirement – It is a new necessity that presents a competitive opportunity. As Internet connectivity touches everything from light bulbs to vehicles and electric turbines, cyber security and risk management increasingly must be accounted for when designing and producing products. And with end users increasingly concerned about privacy and data security, strong embedded security becomes a market enabler, differentiating a company and its products in a competitive market.
The c-suite rethinks cyber response – To date, the CIO or CISO has taken the reigns (and, too often, the blame) when a cyber crisis hits. Yet as companies understand the inevitable business impact of a cyber event there is movement to a new model. For example: adding a business leader within the c-suite with the explicit role of driving data breach response activities across all facets of the organization. A move a way from the current approach of assigning this job to a technology executive. Fueling interest in a different approach: workforce changes, new, emerging threats, and constantly evolving “best practice” response tactics.