Point of View

Six Strategic Challenges to Cyber Security Today

Dealing with 21st century cyber risks requires a detailed plan of action and buy-in from everyone, from the C-suite to the most casual of end users. While most enterprises have nailed the “here and now” of cyber security, there are larger threat trends that deserve high-level attention.

 

Our recent Blueprint on trust-enabled security services (HfS Blueprint Report: Trust-as-a-Service 2015 and Provider, Provider on the wall, who’s delivering Trust for Digital?) highlighted the strengths and weaknesses of both enterprises and service providers in dealing with today’s increasingly intense level of cyber threats and overall security risk. Our research leading up to this report uncovered a number of trends and challenges that are particularly problematic for the industry at large – challenges that must be addressed strategically from the top down to ensure that enterprises are not losing sight of the larger picture as they engage the threat at the tactical level.

 

Six Strategic Challenges

 

  1. The Risk of “Mass Risk”: Attacks with the ability to both target an extremely large number of individuals (millions) AND inflict a serious (without recourse) level of impact are on the rise, increasingly resulting in long-tail damage that goes beyond the initial attack – OPM, T-Mobile/Experian, Ashley Madison, and Anthem are good examples. One common theme involves the behavior of the hacked entity – putting information “at risk” and making it potentially easier for the hacker to exploit. Technology can mitigate risk, but cyber security solutions MUST involve improved enterprise/corporate awareness and behavior.
  2. Phishing 2.0 (the Spear): Much in the same way marketing firms benefit from the high level of personalized information and data available through the web, hackers have begun a wave of highly personalized phishing attacks that often span multiple channels, with an intent to sweep up a broad range of unique data. The initial target of this type of attack may NOT be the final end game, but rather a means for a hacking entity to gather additional information that puts an enterprise itself at risk. Omnichannel Spear Phishing is on the rise, and the risk must be addressed from both an individual and enterprise perspective.
  3. Sponsored Cyber Attacks: Personal information is still the target of choice for most hackers seeking personal gain, but the increased use of well-funded (sponsored) teams to gather economic, infrastructure, and military/political information (for future exploit) is rapidly becoming a significant strategic challenge. All enterprises need to be cautious regarding this type of threat, and recognize that the impact of lost data over time (data that can be aggregated easily by organizations with deep resources) can be staggering (and pose an interesting challenge on how deep enterprises want to/need to work with and disclose information to government entities).
  4. Extending the Ecosystem (and the risk): Economic business models are increasingly putting enterprises at risk as they extend their “digital” ecosystems to include more diverse, and at risk, partners and providers. While it may take an ecosystem to properly meet the wave of consumerism enveloping the market, it only takes one weak link to trash a security system. Enterprises must include “digital risk” in their partner expansion process and insist on much greater levels of security awareness (if not outright participation).
  5. BYO Threat (Devices & IoT): Even after a decade of BYOD (bring your own device), most enterprises still do not have a solid handle on the resulting security issues. With the expected increase of personal IoT devices (often melding with the mobile world), the strategic challenge of mobile and IoT to the enterprise could be significant. Mobile/IoT security via “policy” alone is unlikely to lead to success if it does not embrace these devices and encourage dual enterprise/user security.
  6. Board-level Visibility (w/o Board-level Authority): Boards, investors, and even financial credit rating firms, have all turned their eyes to cyber security, recognizing it now needs to be viewed, and managed, as a corporate level risk (and opportunity). But while the interest is there, few security teams have the reporting structure or direct authority to be transformational at that level, or to engage directly with the key team members on policy and direction.

 

No enterprise is hack proof, and current experience shows us the traditional defensive “lock it down” approaches to cyber security just can’t handle the challenges faced today. Enterprises with aggressive, proactive “counter-attack” strategies are more likely to ultimately achieve higher levels of ecosystem security and brand/consumer trust.

 

We recommend enterprises:

 

  • Take a proactive “attack” position with regard to cyber security, including ongoing adaptations in business and technology to increase the strength of their defensive systems.
  • Ensure board-level participation in all aspects of digital risk, including empowering enterprise executives to engage at the board level to help shape overall corporate behavior and awareness.
  • Focus on service providers (across all aspects of their business) that understand, and can implement, proactive and collaborative tactics for any engagement that involves digital assets.
