A Strategic Approach to Cyber Security Spending

Cyber security technology is continuously advancing to meet evolving threats and many organizations have increased spending on cyber security programs to mitigate risk. Unfortunately, the technical progress and increased spending haven’t always translated into better protection. Breaches and ransomware are still grabbing headlines.

The underlying problem, according to Mark Sangster, Vice President and Industry Security Strategist at eSentire, an IST strategic partner for cyber security solutions, is how business leaders perceive the role of cyber security. He says, “Too many companies look at cyber security as a toolbox. Cyber security is not an IT problem to solve, rather, it’s a business risk to manage.”

One of the biggest challenges that companies face is the communication gap between technical experts—those who understand what cyber threats look like—and the business leaders who don’t. “Often it’s the business leaders that get in the way,” he says. “They don’t understand the threats, or they labor under the misconception that they’re not the type of business cyber criminals target.”

These misconceptions put technical leaders at a disadvantage because they’re not able to map a specific threat to a specific business risk in a way that justifies a business investment.

As a result, instead of building out solutions strategically based on an understanding of what the biggest risks are and what the worst outcomes could look like, organizations construct a patchwork of cyber security add-ons that leaves security teams with too many tools to manage and too much noise to keep up with.

Using a strategic approach to risk management, organizations can better align cyber security spending with existing budgets and resources.

Getting a sound footing in managing cyber risk starts with going back to basics and ensuring your organization has alignment in how risk is defined and how it’s managed. Tia Hopkins, Field CTO and Chief Cyber Risk Manager at eSentire, says, “It’s about calculating risk based on the financial value tied to assets at risk in order to prioritize risk. Choosing the right framework can be a challenge. And I find that’s where a lot of organizations fall short.”

Define Your Risk Framework
Before delving into technical decisions, organizations should start by answering basic business questions by defining the organization’s “risk appetite” and “risk tolerance.”

Risk appetite is the type and amount of risk that an organization is willing to accept in pursuit of creating value. Hopkins says, “Risk appetite becomes the framework for how you’re going to approach risk management in general.”

Risk tolerance is more at the per-risk level, where organizations determine how much risk they’re willing to accept for a specific risk.

The combination of the two is the company’s risk posture and becomes the baseline for security teams to identify the risks and vulnerabilities associated with critical assets, and then prioritize action to mitigate these risks.

Prioritize Risks
With a risk framework in hand, eSentire recommends running a risk assessment to determine where the risks are, which could be tied to specific threats, specific vulnerabilities, or a need for regulatory compliance.

Sangster says, “Create a prioritized list of risks based on things like risk tolerances, and once you do that, you know what it is you’re trying to achieve.” Then start mapping priorities to the right strategies, tools, experts or other resources that will mitigate risk based on your risk posture.
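A worked version of the prioritization Hopkins and Sangster describe, added here as an illustration rather than eSentire’s or IST’s own method: each risk carries the financial value of the asset at risk and a per-risk tolerance, and the ranked output shows which risks sit outside their tolerance and whether the total exceeds the organization-wide appetite. The annualized-loss formula, the register entries and every figure below are constructed assumptions.

```python
"""Rank a risk register by expected annual loss and compare each entry
against its tolerance and the organization's overall appetite.
Added illustration; the formula and all figures are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float       # financial value tied to the asset at risk (USD)
    loss_fraction: float     # share of that value lost in one incident (0..1)
    annual_frequency: float  # expected incidents per year
    tolerance: float         # max annual loss accepted for this one risk (USD)

    def annual_loss(self) -> float:
        # Annualized loss expectancy: single-loss expectancy x frequency.
        return self.asset_value * self.loss_fraction * self.annual_frequency


def prioritize(risks, risk_appetite):
    """Return risks ranked by expected annual loss, flag those above their
    own tolerance, and report whether the total exceeds the appetite."""
    ranked = sorted(risks, key=lambda r: r.annual_loss(), reverse=True)
    report = []
    for r in ranked:
        ale = r.annual_loss()
        report.append({
            "risk": r.name,
            "annual_loss": round(ale, 2),
            "over_tolerance": ale > r.tolerance,
        })
    total = sum(r.annual_loss() for r in risks)
    return {
        "total_annual_loss": round(total, 2),
        "over_appetite": total > risk_appetite,
        "risks": report,
    }


# Constructed register: asset value, loss fraction, frequency, tolerance.
REGISTER = [
    Risk("Ransomware on file servers", 2_000_000, 0.25, 0.3, 100_000),
    Risk("Phishing-led credential theft", 500_000, 0.10, 2.0, 120_000),
    Risk("Third-party data sharing leak", 1_000_000, 0.40, 0.1, 50_000),
    Risk("Legacy IoT device compromise", 300_000, 0.50, 0.2, 40_000),
]

# Constructed organization-wide appetite: total expected annual loss (USD).
RISK_APPETITE = 250_000

if __name__ == "__main__":
    result = prioritize(REGISTER, RISK_APPETITE)
    for entry in result["risks"]:
        flag = "OVER TOLERANCE" if entry["over_tolerance"] else "within tolerance"
        print(f'{entry["annual_loss"]:>12,.0f}  {flag:17}  {entry["risk"]}')
    print(f'total {result["total_annual_loss"]:,.0f}, '
          f'over appetite: {result["over_appetite"]}')
```

The ranked list is what gets mapped to strategies, tools and experts; the entries flagged over tolerance are the ones that justify investment first.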

Sangster says one of the best ways to start this conversation is to run a security awareness session with the executives to help them see, at a high level, what some of the risks and threats are.

Sangster says, “By running a simple simulation exercise of a breach, they start to see that there’s a lot of business decisions to make.” For example: Will we have to disable a certain service? If so, what effect will that have on the business? Will it affect our customer base when it becomes public? What are we obligated to report on?

Establish KPIs
Once strategies and tools are in place to address prioritized risks, organizations need a way to know that they’ve made progress in mitigating risk.

Hopkins says, “This is where companies like IST and eSentire add a ton of value to the organizations we work with because KPIs and metrics are huge.” She says identifying the right KPIs to track can be difficult.

“It’s difficult to establish a standardized framework for how to measure because organizations are going to have different priorities, and different concerns that bubble up to the top of their list over others as you go from company to company, or industry to industry,” she says.

It depends on the maturity of the overall program. For example, you can measure how well you’re identifying and closing the gaps on vulnerabilities, or how much better your users are at recognizing phishing emails. It comes down to what the focus of the organization is.

Hopkins says, “If you can’t measure it, then you really won’t know how well it’s working. So it’s critical to establish those KPIs to know how well you’re doing, where you need to improve and demonstrate the overall effectiveness of your program to business leaders.”

Align Spending with Risk
More spending on cyber security doesn’t always result in better protection. To ensure that your cyber security spending results in real protection, contact IST to learn how you can maximize protection within your current budget.

Prioritize and Remediate Network Vulnerabilities Today

With the recent rise of cyber attacks making big headlines, organizations are becoming more aware of threats to their data and are taking steps to shore up their cyber security. Not only are attacks on the rise, the number of ways cyber criminals can launch an attack has expanded, making it a challenge to know where to start in shoring up vulnerabilities. One of the biggest risks organizations face is a network compromise that leads to a ransomware attack, which can cripple operations and be very expensive to remediate.

Innovation Is Amplifying Vulnerability

The upward trend in network attacks is largely fueled by the rush to enable remote work as a response to the global pandemic. In the early days of the pandemic, the priority was to maintain business continuity with less emphasis on securing remotely-accessed data.

In addition, the proliferation of IoT devices has expanded the attack surface (all the points on your network where an attacker can possibly infiltrate), giving bad actors more ways to gain access to enterprise networks.

Security Systems May Be Vulnerable

These IoT devices include physical security devices such as access control sensors. These physical security devices live on the enterprise network and must be protected just like any other network device. Many times, these devices are overlooked because of the blurred lines of ownership between physical security departments and IT departments. The same can be said for industrial control systems, or any new technology that adds IoT devices to a network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) summarizes the situation in a recent report, saying, “The adoption and integration of IoT and industrial IoT devices have led to an increasingly interconnected mesh of cyber-physical systems, which expands the attack surface and blurs the once clear functions of cybersecurity and physical security. Meanwhile, efforts to build cyber resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate security risks in this evolving threat landscape.”

In short, more network devices result in more vulnerabilities. When not deployed properly, these devices can be a dangerous gateway into a company’s network, as hackers only need one access point to launch an attack.

Older technologies are also vulnerable. Many legacy network devices are misconfigured in a way that can provide an easy opening for hackers. Or, they’re so old they don’t have built-in modern security features.

Another popular line of attack is gaining access to data from a third party, such as a business partner. Organizations share data with partners and suppliers regularly, and even if your security posture is rock solid, your third-party partner may not be.

Tracking Down Vulnerabilities Isn’t Easy

Amidst all these vulnerabilities is the fact that physical security, cyber security and IT teams are stretched thin to maintain operations, let alone take on a big challenge to find and remediate vulnerabilities. In most cases, organizations don’t have the bandwidth to evaluate their networks, understand which vulnerabilities pose the biggest risks and take action on the biggest weaknesses.

The ability to prioritize vulnerabilities is key. For many organizations, the gap between all possible vulnerabilities and the vulnerabilities most likely to be exploited can number in the thousands.

This is where expertise, the proper tools and experience can make a big difference in a vulnerability management program, because patching every vulnerability isn’t efficient, necessary, or even possible.
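To make the difference between “all possible vulnerabilities” and “vulnerabilities most likely to be exploited” concrete, here is an added illustration of narrowing full scanner output to a remediation shortlist. The scoring heuristic (severity weighted by exposure, evidence of exploitation and asset criticality), the threshold and the findings are all constructed for this example; they are not IST’s methodology, and the finding identifiers are placeholders rather than real CVE numbers.

```python
"""Rank scanner findings by how likely they are to be exploited and keep only
those worth remediating first.  Added illustration; heuristic and findings
are constructed, and the identifiers are placeholders, not CVEs."""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str              # constructed placeholder id, not a real CVE
    title: str
    cvss: float             # base severity 0..10
    internet_facing: bool   # reachable from outside the network
    exploit_known: bool     # exploitation observed or public exploit exists
    asset_criticality: int  # 1 (low) .. 3 (business-critical)


def exploit_likelihood_score(f: Finding) -> float:
    """Weight raw severity by exposure, by evidence that the weakness is
    being exploited, and by what the affected asset is worth."""
    exposure = 2.0 if f.internet_facing else 1.0
    exploited = 2.0 if f.exploit_known else 1.0
    return f.cvss * exposure * exploited * f.asset_criticality


def triage(findings, threshold=20.0):
    """Return (ranked, shortlist): every finding ranked by score, and the
    subset at or above the threshold to remediate first."""
    ranked = sorted(((f, exploit_likelihood_score(f)) for f in findings),
                    key=lambda pair: pair[1], reverse=True)
    shortlist = [(f, s) for f, s in ranked if s >= threshold]
    return ranked, shortlist


# Constructed scanner output.
FINDINGS = [
    Finding("VULN-001", "Outdated TLS library on public web server", 7.5, True, True, 3),
    Finding("VULN-002", "Default SNMP community string on printer", 5.3, False, True, 1),
    Finding("VULN-003", "Unpatched remote desktop service on jump host", 9.8, False, True, 3),
    Finding("VULN-004", "Weak cipher suite on internal test box", 3.7, False, False, 1),
    Finding("VULN-005", "Missing HTTP security headers on marketing site", 4.3, True, False, 2),
    Finding("VULN-006", "Out-of-support firmware on door controller", 8.1, False, False, 3),
]

if __name__ == "__main__":
    ranked, shortlist = triage(FINDINGS)
    print(f"{len(shortlist)} of {len(ranked)} findings exceed the threshold:")
    for f, score in shortlist:
        print(f"  {f.ident} {score:5.1f}  {f.title}")
```

The same ranking also surfaces the physical-security devices discussed above (here the door controller) that are often missed when ownership between IT and physical security is unclear.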

How IST Can Help

Getting your hands around the growing complexities of network vulnerabilities often requires outside help from a security provider that has the tools and expertise to find and sort out the biggest threats to your data security.

IST’s trained, experienced security analysts can perform a comprehensive vulnerability assessment of your current network infrastructure and systems, including switches, routers, servers, desktop computers and applications. Our service hunts and collects threats across your network and can also identify third-party threats. We use the latest scanning tools to automate the process and we manually validate key vulnerabilities. We also ensure that your software, firmware and hardware are as up to date as possible, along with monitoring your environment for malware and other attacks that may be lurking in the background.

The result is a prioritized list of vulnerabilities that reveal the biggest threats to your data, along with a plan for remediation.

The threat to data is real, and the problem is getting bigger. Hacking is now a big business with as-a-service hacking platforms available to automate attacks at scale and state-sponsored attack programs that target critical services and infrastructure. We encourage organizations to contact us sooner rather than later, because the next big attack may be on your network.

The Security Industry’s Cyber Problem

This article appears in the September issue of SDM Magazine. You can read the full post here.

IST’s Chief Strategy Officer Michael Ruddo was interviewed by SDM Magazine to discuss the convergence of cyber and physical security. “Today’s physical security systems are connected to an IT network, making cybersecurity a foundational element of any on-site security protocol,” says Ruddo. Read more on https://www.sdmmag.com/articles/99859-the-security-industrys-cyber-problem.

Government, Industry Take Important Action to Attract Cybersecurity Workers

As U.S. cybersecurity risks become more intense, it’s essential that an adequate workforce exists to safeguard the American people and their physical and online assets.

Yet there is currently a shortage of about 4 million cybersecurity workers worldwide, an increase of more than 1 million from 2018, according to (ISC)², a nonprofit providing cybersecurity certifications. To properly defend American organizations from cyberattacks, the workforce needs to grow 145 percent—by about 500,000 professionals—to fill the gap, according to the nonprofit’s findings.

Fortunately, Congress is taking an important step to expand the cybersecurity workforce and provide the necessary training and education. Legislation introduced by four U.S. senators this month provides resources to recruit and educate the next generation of cybersecurity workers. Specifically, the Harvesting American Cybersecurity Knowledge through Education (HACKED) Act, or the “HACKED Act of 2019,” aims to “bolster existing science education” and cyber programs within the National Institute of Standards and Technology, National Science Foundation, National Aeronautics and Space Administration, and the Department of Transportation. Similar legislation has already been introduced in the U.S. House.

In addition to the legislation, major companies like Google, Facebook, IBM, Verizon, and Apple are taking action to close the cybersecurity jobs gap. They have joined a coalition called the Aspen Cybersecurity Group to encourage employers to place more emphasis on “real-world” skills vs. academic degrees so that more workers are considered qualified to fill crucial positions in the security industry.

Integrated Security Technologies is encouraged by the commitment of industry and government to narrow the cybersecurity workforce gap. We are dedicated to securing people, property and data through unique yet integrated security solutions. Our mission is absolute protection. To properly protect all of our environments and endeavors, we need the continued support of our elected officials and leading mobile and technology companies. Let’s continue to get serious about cyber threats and the shortage of workers needed to confront this urgent challenge.

Cybersecurity: What You Need to Know to Protect Your Business

There’s still no end in sight to the constant onslaught of cyberattacks on today’s businesses, both large and small. Although we’re bombarded with headlines about the big breaches, small businesses are just as vulnerable. The 2018 Hiscox Small Business Cybersecurity Report tells us that 47 percent of small businesses experienced an attack in the past 12 months and 60 percent of these companies then folded within six months – yet just 52 percent of businesses have a cybersecurity strategy.

While most businesses understand the importance of a strong cybersecurity strategy, they may not truly understand the why – how strong security equates to better business outcomes, like solid financial health, a good reputation and high marks for customer satisfaction and trust. Leaders must make this connection clear so more businesses are spurred to action.

Here are five of the latest strategies that bad actors are using to penetrate companies’ valuable data. Take some time now to make sure you’re prepared as these risks evolve; as the statistics show, no company or organization is immune, and the risks accelerate as new threats proliferate. Staying on top of these latest threats is one of the surest ways to keep your company cybersecure:

  1. Fight Mobile Malware – Since mobile device usage is barreling towards computer usage in terms of web visits and email access, mobile devices are also extremely vulnerable to malware. Although many companies try to prepare for this with security patches, they run into privacy concerns that stunt these attempts. Android devices are most at risk since a large majority of them run older versions of the operating system that are vulnerable to attack. To remedy this, companies can provide anti-malware solutions for their mobile devices.
  2. Secure Your Internet of Things (IoT) Devices – We’ve covered this at length in previous blog entries. IoT devices compound security threats because they are networked, and thus exposed to attacks through the internet. As companies add more and more devices to their systems, including smart devices to manage HVAC, electricity, security and more, the threats multiply. These devices are made by different manufacturers and have varying levels of security. It’s important to devise a strategy to inventory and properly manage the security features of these devices to prevent breaches.
  3. Beware of Cryptojacking – We’ve seen the destruction that ransomware can wreak on companies and organizations whose networks are not properly protected or backed up. Large ransom sums make big headlines, and paying the hackers doesn’t always guarantee the safe return of stolen data. It’s a pernicious threat that affects all types of companies, municipalities and other organizations. Cryptojacking is a maneuver that takes ransomware one step further. Deploying malware strains very similar to the Petya and NotPetya strains of ransomware, criminals mine cryptocurrency in the background while your computer is running other programs. Known as cryptomining or cryptojacking, it’s a threat that no business of any size is exempt from. Anyone with a network can be at risk.
  4. Prevent Cross-Site Scripting – According to Forrester, cross-site scripting, or XSS, comprises 21 percent of current vulnerabilities. This weakness can be addressed when sites are developed, but companies often fail to do so. XSS attacks weaponize content-sharing websites like blogs, video-sharing sites or message boards by enabling hackers to inject their own code into a victim’s browser, interact with the victim under the guise of that trusted site, then extract the cookie information that authenticated the victim’s account. Bad actors with this access can also steal other valuable information, change page content, deploy trojan horses or perform other malicious acts. For your own site, the first protection is prevention, with careful attention to this risk during website development. For sites that your employees access, try using a bug bounty program that identifies and publicizes attacks.
  5. Prepare for Geopolitical Risks – Even though a company might not conduct business internationally, chances are that its vendors do. This is one of the most insidious and increasing pathways into organizations, as vendors share emails and other communications that open up a way for bad actors to pounce. In addition to working with international vendors, many businesses store their data in international sites that are vulnerable as well. While geopolitical risk was a more physical concern in years past, it is very much a cyber one now. Hackers around the world are actively trying to breach networks and cause damage to companies here in the U.S. Again, no one is immune from these attacks. Be aware of what you share with vendors and ensure that your data is stored in a safe site.
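For the XSS item above, here is an added illustration (not code from the original post) of the development-time prevention it recommends: a message-board comment rendered with raw string interpolation versus with context-appropriate HTML escaping, then run through Python’s own HTML parser to show what a browser would see. The template, the comment strings and the cookie helper are constructed for this example.

```python
"""Render user-submitted comment text without and with HTML escaping, then
parse the result the way a browser would to see whether anything beyond the
template's own markup got in.  Added illustration; inputs are constructed."""
import html
from html.parser import HTMLParser

# Constructed message-board fragment: user input lands in an attribute value
# (the author name) and in element content (the comment body).
TEMPLATE = '<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_unsafe(author: str, body: str) -> str:
    # Raw interpolation: any markup in the input becomes part of the page.
    return TEMPLATE.format(author=author, body=body)


def render_safe(author: str, body: str) -> str:
    # quote=True also encodes " and ', which keeps the attribute value from
    # being closed early; escaping < and > alone would still leave the
    # attribute context injectable.
    return TEMPLATE.format(author=html.escape(author, quote=True),
                           body=html.escape(body, quote=True))


class _Collector(HTMLParser):
    """Records every start tag and its attribute names, as a browser would."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = set()

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(name for name, _ in attrs)


def injected(rendered: str) -> bool:
    """True if the rendered fragment carries any element or event-handler
    attribute beyond what the template itself declares."""
    parser = _Collector()
    parser.feed(rendered)
    extra_tags = set(parser.tags) - {"div", "p"}
    handlers = {a for a in parser.attrs if a.startswith("on")}
    return bool(extra_tags or handlers)


def session_cookie_header(session_id: str) -> str:
    # The post notes that XSS is used to lift authentication cookies.
    # HttpOnly keeps page script from reading the cookie, Secure restricts it
    # to HTTPS and SameSite=Lax limits it on cross-site requests.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"


# Constructed inputs: a body carrying a script element and an author name
# that tries to close the attribute early.
BODY = "Nice post <script>alert(1)</script>"
AUTHOR = 'bob" onmouseover="alert(1)'

if __name__ == "__main__":
    print("unsafe injected:", injected(render_unsafe(AUTHOR, BODY)))
    print("safe injected:  ", injected(render_safe(AUTHOR, BODY)))
    print(render_safe(AUTHOR, BODY))
```

Escaping at output time is the baseline; for comment systems that allow some markup, a dedicated HTML sanitizer with an element allowlist is needed on top of it.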

The cybersecurity landscape is changing all the time. If you have concerns about these or other cybersecurity threats, you can reach us here.

Most at Risk, Yet Least Secure: Why Hospitals Need Stronger Cybersecurity Now More than Ever

In a post last year called “Are There Holes in Healthcare Cybersecurity?” we covered the growing discrepancy facing our healthcare system. Although this information-rich industry is one of the most desirable targets for cyberhackers, it’s also one of the least protected from them, especially when it comes to the amount of money devoted to cybersecurity budgets.

Whereas the medical field generally allocates about 5% of its total IT budget towards security, Gartner tells us that other industries like financial services companies spend 7.3%, retail and wholesale companies spend 6.1% and insurance companies spend 5.7%. In fact, for the thirteen analyzed industries, the average spend was around 6%. This disparity is causing many headaches for healthcare companies across the nation, especially since they experienced deadly data breaches that affected more than 59% of the U.S. population in the last decade. And it’s an upward trend. One breach per day is being reported.

This problem is perhaps most notable in Illinois right now, where 27 healthcare providers and companies suffered data breaches just in the past two years, ensnaring at least 500 patients. Rush University Medical Center, a nationally renowned hospital in Chicago, recently experienced a breach that compromised the sensitive information of 45,000 patients.

What Healthcare Facilities Have that Hackers Want

“They [hospitals] have the holy grail of personal data in their systems,” said Mark Greisiger, president of NetDiligence, a cyber risk management services company. Hackers usually seek records that are profitable on the black market, like social security numbers, health insurance information and medical records; these are used to open other accounts that destroy the victim’s credit. In Rush University Medical Center’s case, names, birthdays, social security numbers, addresses and health insurance details were captured when one of the hospital system’s billing processing vendors sent a file to a hacker.

Now compound that mistake with the sickening reality that this information is constantly flying around networks as it’s shared among hospitals, other healthcare venues, vendors, billers, insurance companies and other groups. A hacker’s opportunities to exploit these sometimes unprotected networks by deploying ransomware, phishing or leveraging some other entry point into the system grow exponentially. In Rush’s case, it was the vendor that proved to be the weak link. This is quite common. Over 20% of past breaches occurred when a vendor, consultant or other third party shared sensitive information with a criminal party.

Can Bigger Budgets Make it Better?

So why aren’t budgets aligned with these challenges? Add the increasing budget pressures associated with providing excellent patient care, and many times cybersecurity budgets get relegated to the back burner. The Illinois Health and Hospital Association reports that 36% of Illinois hospitals are operating in the red. Unless there is a recent breach that hits close to home, cybersecurity budgets are often skipped in favor of the proverbial squeaky wheels.

Yet all of this may be changing. More than 38 percent of health care organizations have increased cybersecurity spending over the previous year, according to a survey done by Black Book Research. Some systems, like Advocate and Amita Health, which have 19 hospitals in Illinois, have hired executives dedicated solely to data security.

Sometimes even money can’t help. In these cases, education is one of the strongest weapons. When employees are aware of phishing tactics they can more effectively thwart them. Patients need to be careful too. Many times, they’ll receive what looks like a legitimate email from a respected company that prompts them to share their sensitive information – or even download malware that allows hackers access to the network.

It’s an ongoing battle that this industry knows too well. But when critical information – and ultimately lives – are at stake, the dedication of time, education and money is well worth it.

Learn more about healthcare cybersecurity by visiting our website.

SIA 2019 Security Megatrends 3 & 4 – What You Need to Know

In this post, we take a deeper dive into SIA’s 2019 Security Megatrends 3 and 4. Let’s begin with Megatrend 3 …

Megatrend 3 – Is Security Keeping up with Cloud Computing?
Are cloud computing and security on par? The short answer is no, at least according to widely held perceptions. The residential and consumer markets have faith in cloud security, especially since they’re more focused on the cloud’s unparalleled convenience and ease of use; however, on the commercial front, possibly because there’s more at stake, businesses are skeptical.

The SIA’s 2019 Security Megatrends report quotes Harry Regan, the Vice President of Securicon, as saying, “Everyone thought the cloud would be more secure, and it wasn’t. That reality and some of the data have kind of made some chief information officers a little gun shy of new things.”

They have several reasons to worry about cloud computing and security:

  • There’s a lack of regulatory compliance standards, which is not acceptable to high-risk and government users and prevents further adoption.
  • They’re not sure how and if it’s possible to ensure privacy by permanently segmenting and removing some customers’ data.
  • There could be an about-face. If cloud computing loses favor as a safe method of security management, companies will seek other solutions.

Despite the perception, many respected companies trust in the cloud. Digitally driven companies such as Netflix, Pinterest, Dropbox and so many others contend that without the cloud they couldn’t operate their business models as efficiently or as securely. Physical security continues to move to the cloud model as well, migrating to SaaS, cloud computing and managed services. These entities are attracted to its convenience, scalability, safeguards, efficiencies and other benefits.

By 2022, IHS Markit predicts, the global off-premises cloud service market revenue will reach $414 billion. If the cloud is not secure, this will pose astronomical cybersecurity issues.

Will Edge Computing Edge Out the Cloud?
In recent years, edge computing has become more popular due to new generations of technology and increased flexibility. Edge computing refers to a distributed computing model where the large majority of computations are made on nodes like smart devices, IoT or edge devices, versus the centralized cloud. They are so named because of their proximity to an enterprise, metropolitan or other network, not the cloud. Since the server resources, AI and data analysis are closer to the data collection source, edge computing helps platforms like smart cities, ubiquitous computing and physical computing as well as applications like AR, cloud gaming and the IoT.

What at first seems like the antithesis to the centralized distribution of the cloud may actually be a synergistic force. The SIA report predicts that cloud computing and edge computing will develop concurrently and synergistically, since cloud services will be managed on centralized servers as well as in distributed servers on premises and also on edge devices, which are growing more stable and reliable.

Only the future can tell which way cloud and edge computing will grow.

Megatrend 4 – The Security Skills Shortage and 5 Ways to Overcome It:
The challenges of workforce development and finding skilled security professionals at every level are a new trend for the report, but no less important, especially since they clock in at number four.

The overall unemployment rate is at an all-time low, so this troubling security skills shortage is an anomaly. Even though security is a high-tech industry, it’s not always recognized as such or given that cachet. Add the relatively new fields of cybersecurity, AI and privacy expertise to the traditional IT and networking skillset, and it becomes even harder to find the right people.

According to the SIA report, filling the pipeline with younger workers may be the key to counteracting this dilemma. Most importantly, the industry needs to re-frame its image as progressive, innovative and IT-centric to make it eminently more attractive to job seekers.

Five Ways to Overcome the Deficit:

  1. Provide Big Picture Benefits: Security jobs must promise work-life balance and the potential for growth that other industries are offering.
  2. Leverage AI: Your HR team can use AI to screen candidates, automate interview scheduling and even ensure constant contact throughout the hiring process.
  3. Try the Gig Economy: This model is thriving, and is a great source of talented workers that can be tapped long term or even temporarily.
  4. Partner with Local Colleges and Technical Schools: You’re the experts in your field. Share this knowledge with schools by providing lecturers so you can engage new talent first hand.
  5. Start at the Beginning: Focus on entry-level positions and then build expertise with in-house training to ensure that employees’ skills are current and applicable.

These two trends will make a big impact on the security market this year. Both suffer from perception issues. It remains to be seen whether they can be readily addressed to pave the way towards both greater cloud adoption and greater security workforce numbers.

SIA 2019 Security Megatrends 1 & 2 – What You Need to Know

The next set of blog posts will explore the SIA’s forecasted 2019 Security Megatrends in order of importance. We are going to dive into Megatrends #1 and #2 in our first post.

Megatrend 1: 8 Smart Ways to Integrate Physical and Cybersecurity
Cybersecurity’s impact on physical security moved from the number two spot in 2018 to claim the number one security concern in the new year. This year will continue the escalating arms race between security professionals and cybersecurity criminals.

Several newer cybersecurity threats are forecast to dominate the landscape. According to “The Cybersecurity Imperative” produced by ESI ThoughtLab and WSJ Pro Cybersecurity in partnership with the SIA and other organizations, AI, the IoT and blockchain technologies, in conjunction with the proliferation of open platforms, will be the largest risk factors in cybersecurity. This comprehensive report also foresees most risks coming through electronic interactions with partners, customers, vendors and supply chains as businesses become more interconnected.

How do you secure both your physical and cyber assets against these growing threats? The following provides 8 ways to best integrate physical and cybersecurity:

  1. Nix default passwords in your software and equipment: This is one of the top ways for hackers to install malware, phish for information or deploy ransomware, all potentially devastating ways to access your network.
  2. Test and test some more: Software, hardware and other products, whether they be IoT or another, benefit from a thorough testing period. Ideally, you should test multiple times and have a third party test them as well.
  3. Know your risks: Use a monitoring program that tracks and reports vulnerabilities, or hire a security company to help you with this important task. Then prioritize the list and devise a plan for addressing all risks.
  4. Dive into your software and firmware: Are your updates up to date? Do you know who’s using your software and firmware? Run regular reports to catch any vulnerabilities and only grant access to authorized users.
  5. Designate a central command: Create a security resource center for your customers and security integrators to keep everyone on the same page. Where there are communication gaps, seek to fill them. Silos can breed security breaches.
  6. Educate, educate, educate: Ensure that your security training program is up to speed and that all employees receive ample and ongoing training.
  7. Start early with cybersecurity: Build cybersecurity into every product development cycle. When you integrate it early, you can find holes before they ship.
  8. Repeat: Cybersecurity risks aren’t going away. As they get stronger, your security needs to be strengthened too. Stay ahead of the curve. Keep learning, tweaking and improving.

These steps go a long way towards securing both physical and cyber spaces.

Megatrend 2: Top Challenges and Opportunities as the IoT and Big Data Converge
Big data is big business. A recent Accenture study showed that 79% of enterprise executives believe that companies that do not embrace big data will lose their competitive positions and even face extinction. On the flip side, 83% are embracing big data to gain a competitive edge.

Data continues to mount as more and more devices join this data collection party. From drones to robotics, to SaaS to the IoT, connected devices and platforms are generating data at an alarming speed, which makes it difficult to properly protect. When it comes to crucial information like healthcare, financial or other sensitive information, security becomes the ultimate challenge. How do we keep this data safe as the IoT and big data converge so that we can use both to benefit our businesses as well as our lives?

Let’s break down the challenges and opportunities:

Challenge: By 2020, Statista predicts that there will be between 6.6 and 30 billion IoT connected devices. With more data comes the need for more ways to communicate that data to the end user and responding authorities efficiently and securely.
Opportunity: Analytics and AI to the rescue. With these superpowers, it’s infinitely easier to parse and digest big data. As more devices collect information, these newer technologies can help enterprises put the information to work. On the security front, this equates to faster response times for security system users and the responding authorities.

Challenge: The IoT and other smart platforms provide an easy way in for potential hackers to breach the physical-cyber security connection. Any connected devices are at great risk, and open connections make them even more vulnerable.
Opportunity: If set early, the enabling data analytics function yields safer and more productive data generation. For instance, certain types of dashboarding and IoT enablement facilitate this. With better built-in protection, these devices can counteract various threats.

2019 promises to be a year of big changes as the IoT and big data converge. The companies that seize these trends and the opportunities that go with them will be the ones that come out ahead.

The Cybersecurity Apocalypse: How to Protect Your Business from Cyber Attacks

ESI ThoughtLab and WSJ Pro Cybersecurity recently teamed up with a group of other thought leaders to bring us The Cybersecurity Imperative, a rigorously researched report that continues to raise the alarm that cybersecurity is the most important security priority we face today and heading into the next few years.

U.S. Homeland Security Secretary Kirstjen Nielsen reiterates this: “We are facing an urgent crisis in cyberspace. The CAT 5 hurricane has been forecast, and we must prepare.” According to the report, cybercrime will be a $6 trillion annual expense worldwide by 2021, exceeding the GDPs of both the UK and France.

One overarching security challenge is the dearth of shared best practices and benchmarking among governments and corporations on how to prevent and how to survive a cyber attack. This interactive report seeks to remedy that, and this post distills the most important and actionable information for your use:

1. Beware of Digital Backlash: Companies adding new technology, using open platforms or connecting with partners and suppliers open up new channels for hackers to disrupt faster than they can be secured. Firms are already battling malware (81% reported this), phishing (64%), ransomware (63%), viruses (62%) and app attacks (62%). In the next two years, new issues will arise through customers, vendors and partners’ channels (+247% from them and +284% to them); supply chains (+146%); denial of service (+144%); apps (+85%) and embedded systems (84%).

With the digital backlash coming from technology growing faster than our ability to secure it, the chances of a major cyberattack, which racks up over $1 million in losses, are much greater. Enterprises with stronger cybersecurity measures in place can expect to weather a 17 percent chance of such an attack; whereas less sophisticated systems face a 27 percent chance.

“A new piece of malware is released every day within 4.2 seconds. One of the problems that CISOs face is how to combat the sheer volume of malware bombarding us.” – Vali Ali, VP, Fellow, and Chief Technologist – Security and Privacy for Personal Systems, HP

2. Watch the Insiders: It’s the internal threats that are most insidious. External issues like unsophisticated hackers, cyber criminals and social engineers do pose problems for firms. However, 90 percent of firms believe that untrained general (meaning non-IT) staff are their biggest liabilities. More than 50 percent think that partner and vendor data sharing will be their biggest vulnerability. Onboarding of new technology and shadow IT projects are also attractive hacker entry points and ripe for insider mistakes. Meanwhile, lack of training is rampant. Less than 20 percent of global companies have adequately prepared their staff and partners for these inevitabilities.

3. Consider Boosting Your Cybersecurity Budgets: Fortunately, many firms are anticipating these risks and planning accordingly. The largest increase is by platform companies (58% greater than last year), followed by energy/utility companies (20% greater), technology (15% greater) and consumer markets (14% greater). Across industries, cybersecurity budgets grew 7 percent over the past year and are on track to increase by 13 percent next year.

4. Compare Budgets by Location and Size: Companies in China, Singapore, Argentina, the US and Canada are planning to exceed the average rate of a 13 percent increase. Companies under $5 billion in revenue will increase cybersecurity spending at almost triple the average. Companies with less than $1 billion in revenue plan to bump budgets by 33 percent and those with $1-5 billion by 30 percent.

5. Prepare to Fund More Cybersecurity Strategies: In the next two years, firms will depend more on behavioral analytics (18x more), smart grid technologies (9x more), deception technology (7x more) and hardware security and resilience (more than 2x more). Currently, 90 percent of global firms use multi-factor authentication, 68 percent employ blockchain, 62 percent rely on the IoT and 44 percent deploy AI.

6. Shift Your Focus from Prevention to Resilience: The National Institute of Standards and Technology (NIST) provides an important guide to achieving cybersecurity through these five steps:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

In this study, companies emphasized “protect” and “detect” at 27 percent and 24 percent respectively. Next year, these firms expect to move some of the budget from “protect” to “respond” and “recover.”

7. Evolve Your Security Roles: Enterprises entrust cybersecurity to those with higher leadership roles as the stakes get higher. Companies that are considered cybersecurity leaders are far more likely to have a CISO handle cybersecurity than companies considered cybersecurity beginners. For beginners and companies with under $1 billion in revenue, a Board tends to oversee cybersecurity initiatives.

Surviving a Cybersecurity Catastrophe
To address these pressing issues, there are several key actions you can take now. Most importantly, you can make cybersecurity a priority in your plans and budgets. It’s wise to integrate cybersecurity into every stage of your digital growth plan and continually track its ROI (both directly and indirectly) to address the effects of digital backlash. All teams that handle innovation should be included to avoid creating stale silos that don’t share important information. Make sure that you all stay on top of these trends as the year unfolds.

For more ideas on surviving the Apocalypse, see our recent blog post.

IST designs, implements and supports sound cybersecurity strategies at the top levels of government and for companies at every stage in their security development. You can trust us to help you stay ahead of the cybersecurity curve. Read more here.

7 Ways to Advocate for Increased Cybersecurity at Your Workplace

Did you know that cyber attacks are now the third biggest threat to humanity after natural disasters and extreme weather? The stakes are high, especially at your business. Cyber threats abound, and while most companies intuitively sense that they need to tighten security measures, many have tightened their belts against these expenses when more palpable operational priorities take precedence.

This is a big mistake. The National Cyber Security Alliance tells us that 60% of small- and medium-sized businesses that suffer a cyber attack go out of business within six months of the event. Larger companies may not succumb as easily, but they endure tainted reputations as well as stiff penalties and fines.

The 2018 Global Information Security Survey shows that 89% of companies worldwide believe that their “cybersecurity function does not fully meet their organization’s needs.”

If you’d like your company to strengthen their cybersecurity efforts by partnering with experts in this field or purchasing hardware or software to counteract threats, here are seven effective ways to present your case for increased cybersecurity in the workplace:

1. Start with Statistics: It’s hard to argue with facts. Cybersecurity statistics are especially convincing. Ponemon’s report on “The True Cost of Ransomware” shows that employees unable to work are the biggest financial drains incurred from a data breach. Compromised networks and non-working computers force employees to be idle for long periods of time. While the attack might cost $5 million to fix, this includes $1.25 million (25%) in system downtime and $1.5 million (30%) in IT and end user productivity loss.

2. Know your Audience: If you’re addressing the C-suite, Board of Directors or colleagues in other executive positions, make your points vis-à-vis the company’s financial health. At these levels, bottom lines and business-building functions take top priority. Since cyber threats pose serious risks to both, you’ll want to make that important point. Consider your language here, too. If you avoid technical jargon like “incidents detected” and substitute “anticipated savings” and “prevented monetary loss” instead, you’ll be speaking their language.

3. Clarify Costs and Benefits: Leverage a cost-benefit analysis to sell the proposed benefits of the cybersecurity measures that you’re recommending. While your expertise may be within IT, your colleagues may be focused elsewhere. It’s your responsibility to educate them on the potential costs and benefits of a cybersecurity upgrade. Can you make the case for 30% increased resiliency? You can use the NIST Cybersecurity Framework to help determine your specific goal.

4. Cover Compliance: If your industry must adhere to certain rules of compliance, proving that these new cybersecurity measures will ensure compliance goes a long way towards getting buy-in. Regulations like HIPAA, HITECH and others can cause serious issues if not addressed properly by your business.

5. Provide a Cybersecurity Snapshot: By assessing your current cybersecurity measures and providing penetration and breach opportunity statistics, you’ll reveal the vulnerabilities that can be exploited at any moment. Prioritize these risks by order of importance and present workable cybersecurity solutions to address and overcome them.

6. Tap a Third-Party Opinion: If you’re having trouble making your case for a cybersecurity upgrade, it can be helpful to have a third party weigh in with an audit or other non-partial analysis. You can deploy a security consultant, and the ROI will more than justify the effort since these reports generally carry more weight in the recipients’ eyes.

7. Leverage a Leave-Behind: Create a report in layman’s terms that can be easily shared to eliminate any potential confusion as your pitch makes it through the ranks. You may not be at the next crucial meeting, so you’ll need this document to persuade for you.
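The cost-benefit case in points 1 through 5 comes down to expected loss (likelihood times financial impact) before and after a control, compared with what the control costs. As an added example, not code from IST or from any of the reports quoted above, the script below builds that comparison for a small, constructed set of candidate controls and ranks them by net benefit, then phrases the result as "prevented monetary loss" and "anticipated savings" for a non-technical audience. The $5 million breach cost and the 27 percent versus 17 percent attack likelihoods are the figures the posts cite; the control names, their annual costs and the likelihood each one is assumed to achieve are hypothetical inputs chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One candidate cybersecurity investment and the risk change it is assumed to deliver."""
    name: str
    annual_cost: float   # yearly cost of the control, in dollars
    p_before: float      # annual likelihood of the loss event without the control
    p_after: float       # annual likelihood with the control in place
    impact: float        # financial impact of one loss event, in dollars


def expected_loss(probability: float, impact: float) -> float:
    """Annualized expected loss: likelihood of the event times its cost, rounded to cents."""
    return round(probability * impact, 2)


def prevented_loss(control: Control) -> float:
    """How much expected loss the control removes per year (the 'prevented monetary loss')."""
    return round(
        expected_loss(control.p_before, control.impact)
        - expected_loss(control.p_after, control.impact), 2)


def net_benefit(control: Control) -> float:
    """Prevented loss minus what the control costs; negative means it costs more than it saves."""
    return round(prevented_loss(control) - control.annual_cost, 2)


def roi(control: Control) -> float:
    """Return on investment as a ratio of net benefit to annual cost."""
    return round(net_benefit(control) / control.annual_cost, 4)


def prioritize(controls: list[Control]) -> list[Control]:
    """Order controls so the largest net benefit comes first, the way a budget pitch should present them."""
    return sorted(controls, key=net_benefit, reverse=True)


def board_summary(control: Control) -> str:
    """Phrase one control in budget language rather than in incident counts."""
    return (f"{control.name}: prevented monetary loss ${prevented_loss(control):,.0f}/yr "
            f"against a cost of ${control.annual_cost:,.0f}/yr; "
            f"anticipated savings ${net_benefit(control):,.0f}/yr")


# Constructed sample register. Impact is the $5M breach cost cited above; the
# 0.27 -> 0.17 likelihood shift is the cited difference between less and more
# sophisticated security programs. Costs and the other likelihoods are made up.
CONTROLS = [
    Control("Managed detection and response", 300_000, 0.27, 0.17, 5_000_000),
    Control("Security awareness training", 40_000, 0.27, 0.22, 5_000_000),
    Control("Point-product appliance", 250_000, 0.27, 0.25, 5_000_000),
]


if __name__ == "__main__":
    for c in prioritize(CONTROLS):
        print(board_summary(c), f"(ROI {roi(c):.0%})")
```

The ordering is the point: the cheapest control can outrank the most effective one once cost is netted out, and a control whose net benefit is negative should be dropped from the pitch rather than justified by feature lists. Swapping in your own incident cost and likelihood estimates, ideally taken from the assessment described under point 5, turns this into the leave-behind table from point 7.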

You already know how critical strong cybersecurity in the workplace is. If you need additional resources to help your company get on board for increasing safety and security in the workplace, we’re here to help.