- Security TWENTY
- Women in Security
A cyber security strategy needs to focus more on data protection technologies and strategies, writes Luke Brown, Vice President & GM of Europe, Middle East, Africa, India and Latam at Digital Guardian.
In the past five years the cyber threat landscape has grown exponentially. Despite developments in cyber security and increases in security budgets, nearly every week sees a new high profile security breach being reported in the media. As a result, a growing number of companies are fast coming to the conclusion that no amount of investment in security can keep them protected, believing that when it comes to combating the cybercrime threat it’s a case of ‘when, not if.’
The fact is that companies – and even consumers – are creating, storing and utilising data at an unprecedented rate, and it’s this data that the cybercriminals are after. What’s more, experts predict the attack opportunities for hackers will blossom once the Internet of Things proliferates and makes valuable data accessible from an ever-widening selection of entry points. Clearly, it’s time for a rethink. Yet a study by 451 research shows that companies continue to allocate just 1 per cent of their total security technology spend to data protection measures. And they’re paying a heavy price for focusing solely on network and device security alone.
Too much focus on perimeter-based security
Until now organisations have largely adopted a perimeter-based security strategy that’s failed to keep pace with evolving attack approaches. In 2010 companies spent nearly half of their security technology investment (44 per cent) on network security. In the same year, 761 major data breaches were recorded, compromising 3.8 million records. Physical tampering, spyware and data-exporting malware were the top three attack methods utilised, yet little spend was dedicated to protecting the very data that serves as the target for so many attacks.
In 2011 the use of stolen credentials emerged as the top mode of attack, with companies like Sony PlayStation and Steam falling victim to cybercriminals. A total of 855 major data breaches were recorded, compromising 174 million records – a major uptick on 2010 statistics – yet companies continued to invest 39 per cent of their security technology spend on network security. Despite the massive increase in attacks through the use of stolen credentials, companies continued to invest just 1 per cent in data protection.
By 2012 backdoor exploitation had materialised as the hot new threat on the block. In response to the growing cyber threat companies upped their total spend on network security to 43 per cent, with more than a fifth (21 per cent) of budgets going to database security, 13 per cent to endpoint security/anti-virus, 8 per cent to identity management – but once again just 1 per cent was dedicated to data protection.
Fast forward to 2014, during which stolen credentials, RAM-scraping malware and spyware became the most popular modes of attack employed by cybercriminals. Sony experienced yet another major breach and the overall number of data breaches experienced by companies increased dramatically. Overall there were 2,122 major recorded breaches, compromising 700 million records, yet once again companies failed to shift their security spend accordingly. In a repeat performance of previous years, network security technology investments continued to take the lion’s share of security spending at 38 per cent, with 16 per cent going on application security, another 16 per cent on database security, and 13 per cent to identity management. Contrast this with data protection, which yet again represented the lowest spending category at just 1 per cent of total IT security technology spend.
The year 2015 saw some of the biggest data breaches on record, particularly in the US healthcare sector, which is seen as an easy target due to low IT security budgets and high volumes of sensitive data. Last year’s mega breaches in healthcare tell the tale, with the top five globally – Anthem, Premera, Community Health Systems, Carefirst, and Systema – totalling just shy of 100 million records lost. Add to this the growing threat of state sponsored hactivism, and a worrying picture begins to emerge. The last 12 months has seen more than its fair share of highly targeted, state sponsored cyber attacks with China and Russia two of the major perpetrators, amongst others. It’s widely believed that many of the US healthcare attacks mentioned above were the work of Chinese espionage, particularly the attacks on Anthem and Premera.
But while attacks are growing in sophistication, many individuals and organisations are also encountering old tactics being used in more creative ways. In particular, social engineering attacks like spear phishing have become more targeted and resourceful, relying on crafty cyber sleuthing and other tricks to make their efforts even more effective. For instance, many victims of the recent TalkTalk data breach in the UK claim to have been targeted by very sophisticated phishing attacks, some occurring even before the breach was reported in the media. In one case, the perpetrators were able to slow down the victim’s internet connection before contacting them under the guise of TalkTalk’s technical support team. They then used the personal details stolen in the breach to try and extract payment information from the target.
With the Internet of Things here to stay and the growing availability of new mobile payment instruments such as Apple Pay, the possibilities for attack look set to increase. Technology is advancing apace as new ways to leverage cloud applications and mobile devices come into play. The only factor that hasn’t changed is that sensitive data is vulnerable and needs to be secured with data protection technologies and policies that follow a corporation’s sensitive data while it’s in use, in transit and at rest.
The truth is our data is no longer just confined to networks where it can be protected. And that means organisations need to turn their current cyber security strategy around, putting the focus on data protection technologies and strategies rather than network security and traditional anti-virus. Until corporations evolve their security methodologies, data will continue to be at risk.