As much as we'd like to think things have changed in the wake of WannaCry, NotPetya, and other high-profile breaches, many companies still don't take IT security seriously. It's easy to see why: Target, Sony Pictures, Equifax, and Maersk are still very much in business and doing just fine.
Have those organizations changed their protocols as a result? Undoubtedly. It takes a direct hit on an organization, with a significant financial impact, to force change. Until then, it's business as usual.
Of course, this is a tremendous source of stress for CISOs and their security teams. They're reminded daily how vulnerable the organization is: patching that is woefully out of date, remote workers with unprotected systems out in the wild, insufficient budget and resources and a lack of cooperation — or worse, direct conflict — between IT operations and IT security.
A new report on IT security from 1E, "Getting Your House in Order," finds three challenges facing IT: securing new technologies, restrictive budgets, and a lack of understanding between IT security and IT operations on how the other works. Worse yet, 90% of organizations prioritize something else (customer service, sales, etc.) ahead of IT security when it comes to budget allocation.
Short of a breach, what will it take for companies to get it together and properly protect the organization? They must do the following:
1. Acknowledge how accessible their data is. There's a general lack of knowledge about how discoverable data sets are, even in supposedly secure cloud platforms. Too many operate under the assumption that they can dump data into an S3 bucket in the cloud and it will be safe because it's on a secure platform. Cloud storage is only as secure as your protocols and endpoints used for accessing it. A single compromised user credential can provide unfettered access to your most valuable data.
2. Recognize outsourcing isn't the answer. Most companies believe that by dumping their data into the cloud, they're also dumping the security responsibility onto the cloud host. They assume that buying space on Amazon Web Services or Azure is like buying an insurance policy. This is not the case; plenty of S3 buckets are left completely unsecured. Even if they were secured by the host, the data is only as secure as the points of access to it, which is why safeguarding endpoints is absolutely critical.
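The "S3 buckets left completely unsecured" problem in points 1 and 2 is, in practice, a policy that names the anonymous principal. The following is an added example (it is not code from the article or from 1E) that evaluates a bucket policy document offline for wildcard-principal Allow statements and weighs the result against the bucket's Block Public Access settings. The two policy documents and the bucket name are constructed for the example; the four Block Public Access key names mirror the real S3 PublicAccessBlock configuration fields, but the `assess_bucket` function and its verdict strings are this example's own design.

```python
import json
from typing import Any

# Constructed sample: a bucket policy that grants anonymous read of every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnonymousRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: the same data, readable only by one role in the account.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _principals(principal: Any) -> list:
    """Flatten the Principal element ("*", {"AWS": "..."} or lists) into strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def public_statements(policy_json: str) -> list:
    """Return Allow statements whose Principal includes the wildcard (anonymous) principal."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be written without the list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions if isinstance(actions, list) else [actions],
            # A Condition may narrow the grant (e.g. to a source VPC); it still needs human review.
            "conditional": "Condition" in stmt,
        })
    return findings


def assess_bucket(name: str, policy_json: str, public_access_block: dict) -> dict:
    """Combine policy findings with Block Public Access settings into a single verdict.

    public_access_block uses the S3 PublicAccessBlock field names:
    BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets.
    Only RestrictPublicBuckets limits an *existing* public policy to the account;
    BlockPublicPolicy just rejects new public policies at write time.
    """
    findings = public_statements(policy_json)
    if not findings:
        verdict = "not-public"
    elif public_access_block.get("RestrictPublicBuckets", False):
        verdict = "public-but-restricted"
    else:
        verdict = "public"
    return {"bucket": name, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, policy, pab in [
        ("wide open", PUBLIC_READ_POLICY, {}),
        ("open policy, BPA on", PUBLIC_READ_POLICY, {"RestrictPublicBuckets": True}),
        ("scoped", SCOPED_POLICY, {}),
    ]:
        print(label, "->", assess_bucket("example-bucket", policy, pab)["verdict"])
```

A real inventory run would feed `get_bucket_policy` and `get_public_access_block` output for every bucket into `assess_bucket` and page on any `public` verdict; the point of the check is that the cloud host never makes this decision for you.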
3. Match the value of their data with equivalent resources. Unless you're putting enough resources and investment toward protecting data, it's not going to be secure. To improve cybersecurity, over 75% of IT pros say their organization needs to invest more in software migration automation and training for IT security and IT operations teams. And more than 60% say their company needs to invest more in software patching. Clearly, there is misalignment on the value of security and the resources allocated toward it.
4. Assess the level of risk within their IT estate. Only about 60% of organizations report having a high level of control and visibility over endpoints on the network and software in use. With remote workers, local admin rights and departmental or location-based autonomy, it's nearly impossible for IT to keep up with tracking the organization's assets without some type of automated solution to do so. Put simply, you can't safeguard what you can't see; organizations must gain clearer visibility of the IT estate in order to deliver proper protection.
5. Migrate to Windows 10. There isn't a business case for upgrading to Windows 10 beyond security. Yet, whether you pay the extended support agreement for Windows 7 or you bite the bullet and migrate to 10, you'll still be forking over the cash for endpoint security. CIOs must recognize improving security is a valid business case, and protecting the organization protects the bottom line — and potentially the financial security of the board of directors and shareholders. In fact, 58% of survey respondents believe that failure to migrate to Windows 10 by 2020 will result in "significant security risk." CISOs can use this risk potential to garner investment in making the upgrade.
6. Solve patching and bandwidth issues. The pace of updates and the challenge of limited bandwidth create a bottleneck for many companies. If I run a financial firm and my day traders are down for an hour for a system patch, they could lose $1 million apiece. Considering that more than half of IT pros believe unpatched software is one of the main causes of security breaches, patching must become a priority. Investing in the right tools to automate the process can help overcome patching challenges and the bandwidth deficits that are partly to blame.
Bringing IT operations and IT security together establishes cohesion on the end goal. At Microsoft, not only do all of the developers have some level of security training, they also have security people sitting alongside them. They collaborate to ensure that work in progress meets the company's established security guidelines from the beginning, to reduce the risk of a security flaw and prevent adversarial situations.
By educating both teams on the roles, goals, and objectives of the other, companies can leverage the full capability of their IT resources to secure the organization with an investment that reflects the value they place on security.