With stories of damaging new data breaches inundating the news every week, organizations are increasingly aware of the pressing need to change the way they look at information security and to leverage new technologies to protect their data.
Nuix, a technology provider enabling organizations to make fact-based decisions from unstructured data, recently published a survey — conducted by Ari Kaplan Advisors — of security officials and industry experts with extensive experience in security breach investigations.
The study, “Defending Data: An Inside Look at How Corporate Security Officers Are Navigating a Constantly Shifting Landscape," found that organizations are changing the way they protect their data in response to the rising number and severity of security breaches.
"Our goal was to capture a broad range of perspectives to help corporate information security leaders navigate this dynamically shifting landscape,” said Ari Kaplan, the report’s author and principal researcher. “What we found was an effort to balance breach prevention with post-breach remediation. We also noted increasing collaboration between security specialists and data owners, and a growing tension between enhancing productivity and strengthening security.”
According to the survey, the sophistication of cyber attacks has prompted organizations to focus more on their cybersecurity programs, with nearly three-quarters of respondents indicating that their cybersecurity needs had changed in the past 12 months, and 69 percent reporting that they expect them to change again in the next year.
However, respondents are also realistic about their limited ability to prevent an attack. One senior security official indicated that, “Prevention is an unobtainable goal in the current environment so our focus is a very fast pathway to remediation because we know we cannot eliminate all compromises.”
Consequently, with cyberattacks not a matter of "if," but of "when," respondents agreed that “perimeter defense is no longer a sufficient information security strategy.”
“Perimeter security is just one piece of a larger consideration; you want to protect data at rest and in transit,” adds a US Secret Service representative. “Companies are building bigger moats for their data, but they should be building better prisons for data; locking the door from the inside is not enough.”
The survey showed a strong consensus among respondents that the movement toward mobile and portability presents a number of challenges. The increasing use of mobile and personal devices to access corporate systems have “expanded the perimeter beyond what any corporate can control, introducing threats that you cannot fully monitor,” one respondent explained.
However, although 96 percent of respondents permit remote access at their organizations, only 69 percent employ a bring-your-own-device (BYOD) policy. Organizations must learn to balance efforts to enhance productivity and workplace flexibility with security priorities.
“We are empowering the worker through the death of distance and the death of perimeter to be more productive and autonomous so that they can have mastery of the information to perform their work better,” one security official said.
Migration to the cloud also poses a challenge to security and data oversight. Although the majority of respondents indicated they have migrated to the cloud, 84 percent of respondents indicatedthat adopting cloud technologies has created unique cybersecurity concerns.
"Just saying you have cloud security structure does not make it automatically secure,” a US Secret Service official said.
The majority of respondents pointed to human error as the weakest link in enterprise security, expressing concern that even with the appropriate technology and protocols in place, human behavior remains difficult to mitigate.
There was no consensus among respondents on how to adequately equip organizations with the tools necessary to combat the human threat, since “cyber criminals are only as good as they need to be,” said an official with the U.S. Secret Service.
To meet these new security challenges, Dr. Jim Kent, Nuix’s Washington, DC-based global head of investigations and cybersecurity, emphasized training and education as the key to addressing information security weaknesses and protecting against security threats.
“Training and understanding is the first step,” said Kent, whose team works with the United Nations, among other agencies, and encourages collaboration with INTERPOL and related law enforcement entities. “We have had to educate teams that their approach is often limited to protecting the perimeter and advise them how to react once data enters the system.”
Respondents also stressed the increasing need for internal collaboration between data custodians and information security officers, with 92 percent of respondents indicating they collectively shared and collaborated with other informationsecurity executives.
“We need to get a sterile environment where people can exchange information and permit the transference of data for people to protect themselves from ongoing threats,” Kent explained.
Homeland Security Today reported earlier this year that the number of reported information security breaches of government agencies that involved personally identifiable information has more than doubled over the last several years, from 10,481 in 2009, to more than 25,000 in 2013, according to a Government Accountability Office (GAO) audit.
Thus, “It is critical that federal agencies ensure that this information is adequately protected from data breaches, and that they respond swiftly and appropriately when breaches occur,” GAO warned. However, GAO also found that none of the seven agencies consistently documented lessons learned from their breach responses.
As the sophistication of data breaches continue to outpace the ability of organizations to address them, it is critical for those responsible for information security not only to understand that something has happened with their data, but also to leverage technology to understand what occurred.
“This report confirms and clarifies what we’ve been hearing in the marketplace, that information security is undergoing a profound change and entering a new phase,” Kent said. “We’ll be very interested to see how this transformation works its way through the business community as we repeat this benchmarking survey next year and into the future.”