This week, as policy makers, security specialists, law enforcement officials and academics are gathered in Washington, D.C. for the three-day Reuters Summit on Cybersecurity, investigators in more than a dozen countries are still trying to piece together what officials are calling the biggest bank heist in history. As was reported last week, an international network of hacker-thieves nabbed roughly $45 million with “surgical precision” from hundreds of banks on five continents; and not one of them so much as stepped foot inside.
The massive caper underscores the vulnerability of the world’s computer networks and serves as a reminder of how far we still have to go before businesses and consumers can feel secure hosting data in cyberspace. As businesses continue to seek out the benefits of Big Data, the amount of hackable private information floating around enterprise servers is expected to grow exponentially.
Beyond the potentially destructive implications for critical industries, national security and consumer confidence, there’s reason to believe that questions about network integrity are having an adverse effect on enterprise investment in emerging technologies. Data shows that concerns over security remain the biggest impediment to enterprise cloud adoption, and for companies weighing the introduction of a bring-your-own-device (BYOD) policy, the risks are often seen to outweigh the productivity benefits. [http://blog.lumension.com/docs/BYOD-and-Mobile-Security-Report-2013.pdf]
U.S. industry is looking to the federal government for leadership. But political gridlock on Capitol Hill continues to stymie efforts to develop a universal framework for bolstering the nation’s cyber-infrastructure. So, with little movement expected at the moment at that level, it will increasingly fall to businesses to take the lead to protect themselves and their customers from data breaches.
Three of the Most Important Steps Businesses Can Take Are:
1. Educating Employees
Research shows that the primary responsibility for network breaches lies with workers. According to Verizon’s recently released 2013 Data Breach Investigations Report [http://www.verizonenterprise.com/DBIR/2013/], a full 67% of network intrusions exploited weak or stolen user names or passwords, while four out of ten stemmed from malicious code inadvertently downloaded to terminals. Meanwhile, experts have identified a new class of sophisticated, large-scale phishing called “longlining”, in which thousands of potential victims are targeted at once. Yet according to a new survey by the National Cyber Security Alliance and Symantec, 87% of small businesses still lack a formal Internet policy for their employees. Making sure employees know the risks can go a long way toward reducing the likelihood of a breach.
2. Cultivating Talent
By all accounts the industry faces a dearth of cybersecurity talent. According to Tom Kellermann, vice president at Trend Micro and a former member of President Obama’s cybersecurity commission, the U.S. private sector will need upwards of 40,000 new network security specialists in the near future to adequately address its cybersecurity needs, but colleges are not yet graduating enough students with the requisite knowledge. Even at the very top, skilled workers are in short supply. The Department of Homeland Security is reportedly short 600 skilled hackers, while government-wide, as many as 10,000 may be needed to address future threats. Analysts have called on government, universities and the technology industry to invest in the next generation of cybersecurity professionals, but it will likely take years before the talent hole is filled.
3. Developing a Post-Breach Protocol
While the main focus of cybersecurity involves front-end solutions for preventing intrusion, having a proven recovery strategy not only helps mitigate the damage of a network breach but can contribute to preventing similar breaches in the future, not to mention educating others about the risks. Unfortunately, post-breach clean-up is one of the most neglected areas of commercial cybersecurity strategy. Nearly 60% of small businesses have no contingency plan governing how to respond to and report data breach losses, according to the National Cyber Security Alliance and Symantec, and voluntary reporting and intra-industry collaboration are nearly nonexistent in some sectors. Developing a plan for post-mortem analysis and communicating the findings to stakeholders through a network of trusted industry relationships can help create a unified front against cyberthreats. As they say, there is safety in numbers.