While social media, mobility, cloud and other new and disruptive technologies can do much to move business forward, they can also compromise security. As we have entered 2014, the stakes are higher than ever. We're not just talking about personal data protection or identity theft anymore. We're talking about attempts to steal corporate secrets, critical infrastructure attacks and much more.
As security professionals, we need to develop a solid understanding of what the new threats are and how to effectively manage the risks, while planning for the threats of tomorrow.
Making Security First, Compliance Next
Expand your security focus beyond compliance and technology. Let's face it, we are entering an era of tighter statutory requirements and rapidly changing regulations governing data security. However, when it comes to risk mitigation, compliance alone is not enough to protect your enterprise. It takes a broader security strategy, of which compliance is only one part, to be successful in managing security.
In fact, if you focus on security first, rather than meeting compliance benchmarks, you may see a greater business impact, because your security approach will be much more comprehensive and better aligned with your business goals. It's also important to expand the way you think about security beyond technology, as technology by itself cannot safeguard an enterprise.
Protecting Mobile Applications
Today, mobile applications are being developed and deployed at a rate that outpaces any in history, and they will continue to increase in number as the mobile workforce grows. In the rush to push new applications out to users, best practices for testing and securing software aren't always being adhered to, leaving the software vulnerable to attacks.
Further, these mobile applications are being accessed on comparatively low-cost, consumer-focused electronic devices - from high-function PDA phones and tablets to e-readers. These devices are designed for communication, entertainment and data consumption - but not security. Nevertheless, they have made significant inroads into corporate use, largely driven by the advent of the bring-your-own-device (BYOD) era.
It is this intersection of rapidly developed mobile software; high-powered mobile devices with poor native security capabilities; and the proliferation of corporate, personal and regulated data that brings mobile application security concerns to the forefront.
Managing Mobile Complexity
Mobile devices, such as smartphones and tablets, have become mainstream business tools. At one time, many enterprises did all they could to thwart the BYOD trend. Now, many are accelerating BYOD adoption because they recognize the opportunities to increase staff productivity, build their brand and extend partner and customer relationships through mobile channels, especially email.
However, tapping into BYOD benefits can present major challenges to your existing security architecture and programs. Since every environment now features an unprecedented mix of operating systems, applications and practices, mobile security management can be a complex undertaking. Point solutions can address some issues, but they can be complex to manage. To help tighten mobile security, you need to extend end-to-end data and email protection across the entire IT infrastructure - from laptops, desktops, smartphones and tablets, to cloud-based and web-based systems and applications. More importantly, to help reduce exposure to security threats, you need to understand where your sensitive data is traveling as it moves into and out of your organization.
Third-Party Security Risk Management
Outsourcing and similar practices that rely on third-party relationships have become a common business practice today. The risks involved in sharing sensitive information are also a reality. By outsourcing significant and critical business functions, you are also relinquishing security control to your partners. While the financial services and health care sectors have particularly high regulatory requirements around exchanging data with third parties, the need to protect confidential data is an issue that cuts across industries.
Sharing responsibility for a business process also means sharing responsibility for security. If you entrust outside entities with sensitive data, intellectual property, client data or proprietary information, you need a framework for identifying, assessing and mitigating the risks involved, and for ensuring compliance with various security and privacy regulations.
To underscore the importance of doing so, you should know that when a data breach occurs, almost without exception a third-party vendor or affiliate is involved. It is often a quasi-insider, enjoying some degree of the trust afforded to employees. Based on a relationship's longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust.
Unfortunately, the conveyance of trust does not always end well. This is why third-party management and service-level agreements (SLAs) are so critical in the management of risk. SLAs are negotiable instruments that reflect the company's appetite or tolerance for risk, its size, complexity and geographic distribution, the type of information managed, and its ability to effectively monitor the third-party management program.
Advanced Persistent Threats
Advanced Persistent Threats (APTs) refer to a long-term pattern of targeted hacking attacks that use subversive and stealthy means to achieve continual, persistent exfiltration of data. The entry point for these types of espionage activities is often an unsuspecting end-user or weak perimeter security. Attacks are becoming more difficult to detect and defend against, and at the highest levels they are well resourced and funded.
Whether focused on exploiting vulnerable networks or unsuspecting end-users, APTs will remain a consistent threat to networks in 2014. No business should consider itself immune, because any type of organization can be targeted. Even the strongest government, military and business systems can be breached and will continue to be put under pressure.
Take Action Now
Much like this past year, 2014 is proving to be an active and exciting year in security. Moving forward, know that the best defense is often a good offense. Planning now for what you know is coming in the next few years can go a long way in protecting your data.
By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, organizations will be better able to understand the true nature of cyber threats and respond quickly and appropriately.