Measure and mitigate risk to build a comprehensive cyber defense
The vast majority of cyber attacks are preventable. From our 2016 cybersecurity insights survey, more than 90% of attacks are known threats, or their variants, for which software patches already exist. But why does this happen? Are enterprises not aware of their risks, or not able to fill the gaps in their defenses?
Knowing your risks
It is helpful to think of cybersecurity risk as a three-dimensional concept: a function of threat, vulnerability and consequence.
Threats exploit vulnerabilities. AT&T data shows that 90% of US organizations had at least one malware-related incident during 2016, when ransomware and distributed denial of service (DDoS) attacks soared. Ransomware exploits vulnerabilities in software, giving hackers an entry point to encrypt data and demand payment to unlock it.
DDoS attacks, while traditionally disruptive, are also increasingly being used as leverage for extortion. We also found that 65% of financial services companies had experienced an advanced persistent threat (APT) incident last year. In this scenario, the hacker targets your network and enters without detection to monitor and steal information over an extended period of time, perhaps even years.
Vulnerabilities can be software bugs and design flaws, risky user behavior and other gaps in your cybersecurity defenses. Hackers constantly look for these gaps: the AT&T network detects 5 billion vulnerability scans a day, and blocks malicious scans and malware events to protect customers. In 2016, 80% of organizations reported at least one security incident caused by an insider, often inadvertently via an unsecure Wi-Fi network, for example.
Internet of Things (IoT) devices are a growing vulnerability. Gartner estimates 20.4 billion connected things will be in use by 2020. While most are open to attack today, there will be more connected things to secure in a few years. Enterprises can also be made more vulnerable through growth by acquisition, and by asset digitalization and cloud adoption, if these are not carefully handed.
Consequences encompass legal measures, asset losses and brand impact, though the latter is hard to measure. If your CEO has her phone hacked and it contains work-related emails so that sensitive customer or employee data is lost or compromised, disclosure may be legally required, but what would this do to your corporate reputation?
Every business has a different level of risk. For some, compliance issues loom large; for others, cloud adoption is an unnecessary complication. What is true for all, however, is that while threats are often beyond our control, vulnerabilities can be managed and reduced. We can mitigate and transfer risk, but not eliminate it completely.
Evolving your approach
The threat landscape is changing as organizations become more digital, transition to software-defined networking (SDN), and rapidly adopt cloud and IoT technology and mobile devices. Security measures need to evolve in tandem. To manage existing and new risks demands new solutions and new security skillsets. In this environment, adaptive security is now coming into its own and offers a continuous response. It has three components:
- Contextual awareness. Collecting information from different sources enables you to make more accurate decisions faster.
- Automation. When change comes as quickly as it does today, while experienced security expert is still a key factor for reducing false positives, automation does improve detection and response time significantly to contain the loss or destruction.
- Integration. Security silos are a sweet spot for motivated cyber criminals. Security solutions need to be integrated.
At AT&T, for example, we work with more than 90 organizations to collect threat intelligence and we apply machine learning to this data to help us identify attacks immediately, or in some cases, to see them coming. We are also in the midst of transitioning to SDN to provide a faster response and more integrated solutions for customers: 75% of our network should be virtualized by 2020.
Defending against threats
To begin building a comprehensive cyber defense, enterprises need to first review and prioritize current risks to provide a direction for security investment. In our experience, web and email are two key areas that every business, no matter what size, needs to pay more attention to. Regular patching and backups, highly secure access control and having an incident response plan in place are fundamentals that you cannot ignore.
With an understanding of your known risks, you can then consider your upcoming business plans to determine what may need to be done now to ensure that these do not compromise security. For example, an IoT project will increase risk. However, a multi-layered approach to security that protects data in transit and at rest, from the IoT endpoint to the application, helps reduce vulnerability to mitigate this risk.
Expert support can be of great value in evaluating threats, predicting risk, reducing vulnerability and preparing to react quickly and effectively when threats materialize.
Article by Sharon Chan, regional security director, Greater China, AT&T.