Corporate security strategies are failing, so leaders must re-tool to face the latest cyber threats.
It could be said that 2015 was the year cybercrime became mainstream. Companies from all over the world, including the likes of Kmart, David Jones, Aussie Farmers Direct and Queensland TAFE locally, as well as JP Morgan Chase and Ashley Madison globally, all came under scrutiny as their breaches became mainstream news.
It is repeatedly on the news agenda as it is pervasive and growing in complexity and persistence. Breaches are not only detrimental to business, but major brands also run the risk of reputational damage due to the inconvenience and the exposure their customers are subjected to.
As a result, 2016 is the year when the priority is to shift tactics to combat the increasing number of hackers by abandoning outdated security strategies to protect intellectual property and other assets. But how can this be achieved?
Of course, as with all change, the first step is for more security leaders to admit that their current processes are falling short in the first place, and look at new strategies and methods which have a more realistic chance of protecting the organisation. These failings are no fault of the security teams and technology of old, but rather recognition that businesses function differently these days and therefore require a different approach to securing them.
This is not a new theory by any means and is something which many experts have been stating for a while. However, despite the obvious ‘clean slate’ advantages of starting afresh with security solutions, there is still a large number of chief information security officers (CISOs) who are unwilling to let go of their sunken costs and look forward.
Einstein said it best when he said, “Insanity is doing the same thing over and over again and expecting different results.” Simply put, more IT leaders in government and commercial enterprises need to realise that investing more in yesterday’s ineffective technologies will, this year, not yield any different results.
To succeed, they need to abandon the old ways of securing the organisation – with bigger walls and more event tracking – and adopt the new micro-strategy which takes advantage of network virtualization and Internet Protocol Security (IPsec) to isolate the underlying infrastructure in a much more granular and controlled way by authenticating and encrypting each IP packet of a communication session.
Year of the Micro
The answer to this is micro-segmentation; it allows enterprise managers to quickly and easily divide physical networks into thousands of logical micro-segments, without the historic security management overhead. This approach gives control back to the enterprise networks, without them having to deal with the firewall rules and outdated applications, while embracing remote users, cloud-based services and third parties that have all become targets for attack in today’s world.
This new micro-segmentation model will start giving the good guys the advantage in the fight against cyber attacks. With new containment strategies, organisations will have the ability to work at the IP packet level, which makes it easier to apply anywhere a company’s data goes – from data centres to public clouds, to employees on the move to suppliers around the world. Micro-segmentation is driven by existing identity management systems, so it is simple to establish communities of interest for authorised users across all of these technologies. It is one of the ways which CISOs can ensure that their organisations stay ahead of the pack and in the strongest position possible when it comes to security.
Micro-segmentation also helps to address the question of how to secure public and community clouds. Major cloud service providers such as Amazon Web Services and Microsoft have made substantial investments in security to help ensure their subscribers’ data is safe and their cloud experience is exceptional. In fact, the security from such cloud service providers is better than in many companies’ own data centres. However, the thought of putting critical data on the cloud accessible by just about anyone is really scary and the perceived added vulnerability is preventing many organisations from fully leveraging the cloud – often they use the cloud for non-critical data such as test and development, but not for their core business applications that access their most sensitive data.
New micro-segmentation offerings provide organisations with added layers of cloud security to instil the confidence they need to put more of their applications on the cloud. In doing so, they have the opportunity for tremendous cost savings, to make their products and services more globally accessible and to dynamically adjust to business conditions in real time.
There are five security advantages these new micro-segmentation offerings provide to the cloud that have not previously been obtainable:
- Micro-segmentation enables companies to use a consistent set of tools for both their local data centres and the cloud.
- Micro-segmentation technologies provide encryption within the cloud from virtual machine to virtual machine.
- Micro-segmentation technologies use concealment as a basis for security strategy.
- Micro-segmentation prevents lateral movement of security infiltrations to the data centre.
- Micro-segmentation can prevent security breaches in the cloud.
A Business Priority
The Ponemon Institute estimates that the total average cost of a data breach to Australian organisations was AU$2.82 million in 2015. It is clear that the impact of the major breaches ensured that security is no longer just a technology issue. Instead, it is now seen as a business issue that requires prioritisation from the top down. The security function will evolve to no longer report solely to the chief information officer.
Boards will start to care and take real action and make cyber security expertise a requirement across the C-suite. Security is now a top agenda point in the boardroom as business reputations are once again at risk. Organisations will no longer be allowed to take the position of standing by and watching cyber attacks unfold – they will finally have the power to react rather than prevent. As a result, proactivity is the key word for 2016, with micro-segmentation being a major player and step in the right direction for innovative organisations that are serious about security.
Being seen to take such proactive measures is key to earning and maintaining consumer trust. For example, 58 percent of Australians expect a personal information data breach in the next 12 months at a telco, yet the majority of Australians say a data breach is not likely at a healthcare provider, airline and transport company, or bank (Unisys Security Insights research, 2015).
Many Australians have personally experienced a data breach or have seen media reports of high-profile breaches by government and telcos, so they have a low level of trust in the ability of those organisations to protect their data. Conversely, public scrutiny around the introduction of e-health records and the resulting assurances for how data would be protected has built community trust in healthcare providers’ ability to protect personal information. Airlines and other transport companies are the most trusted type of organisations. However, they will need to work to maintain this trust as they continue to capture more and more information about their passengers in a bid to provide personalised end-to-end services – including assistance with border security measures.
Consumer trust is not just a warm and fuzzy feeling – today’s customer is in a strong position of choice. It is easy for consumers to change their bank, telco, insurance provider or who they shop and fly with, as well as what channel they use to engage with government agencies. Previous Unisys research (2011) revealed that data breaches impact a consumer’s willingness to deal with an organisation. The majority of Australians surveyed (85 percent) said that they would stop dealing with an organisation if their data was breached. When asked if they would continue dealing with the same organisation but not use online services, only 24 percent of Australians said they would continue.
Next year, let us hope that 2016 will be remembered as the year businesses faced cybercriminals head on.
For a full list of references, email email@example.com