If 2014 was the “year of the breach,” 2015 was the “year of collateral damage.” Numerous attacks affected people who never dreamed they might be involved in—or identifiable from—a security breach. Both the Office of Personnel Management (OPM) and Ashley Madison breaches affected people who never had direct contact with either organization. Attacks on data are no longer about getting credit card information. Today, it can also be about getting the information needed to change someone’s life forever.
For its annual Cyber Risk Report, published earlier this month, HPE Security Research assessed the full security landscape in 2015 to identify the challenges and opportunities as well as the successes and gaps that are driving the industry forward. This report details the evolving nature of cyber crime and the developing legislation meant to curtail it. In addition to detailing the various techniques used by attackers, the report delves into what corporate security teams now face as they work to protect the enterprise against highly sophisticated attackers in a rapidly evolving digital landscape.
The findings for this year’s Cyber Risk Report are clear, actionable and critical to business leaders (not just CISOs) across organizations of every size and industry. Armed with the key findings and takeaways from this report, leaders can strategically plan for the increased threat of new attack vectors and vulnerabilities as mobile use expands, IoT increases its mainstream adoption and cloud becomes ubiquitous.
Here are the four takeaways most important to your business:
1. Debate continues over the connection between privacy and security
An unintended consequence of the “year of collateral damage” was the increased scrutiny of privacy issues and encryption. The U.S. Federal Government struggled to get its privacy house in order, even as the European Union and other entities pressed the accelerator on efforts to bring U.S. companies in line with norms overseas. With geopolitical situations darkening worldwide as the year closed, it seems as if privacy issues will struggle in 2016 to keep their rightful footing side by side with security efforts.
To help protect against both compromises and the collateral damage fallout that can occur, security must be built in—not just into the applications, but throughout the whole organization. A complete security and risk management solution must encompass the infrastructure, users, apps and data while still supporting business goals.
- What this means for business leaders: Cross-border agreements pose challenges for enterprises struggling to keep their systems secure and in compliance. Organizations must follow the changing legislative activity closely and maintain a flexible security approach.
2. Moving from “point fixes” to broad impact solutions
The enterprise security business apparently learned nothing about patching in the last year. As evidence, the most exploited bug from 2014 happened to be the most exploited bug in 2015 as well. This is a bug that is now over five years old. While vendors continue to produce security patches, they do little good if they are never installed.
And 2015 was a year overflowing with patches. Last year, both Microsoft and Adobe released a record number of security patches. While laudable, it remains unclear if this level of patching is sustainable or at what rate patches are being deployed by the enterprise. The sheer volume strains the resources of both the vendor developing the patch and the customer deploying it. One possible avenue for relief comes in the form of fixes with a broader scope than a single piece of bad code. Microsoft has made some headway with defensive measures that prevent classes of attacks. Vendors must invest in these broad, asymmetric fixes to knock out as many vulnerabilities as possible in one fell swoop.
- What this means for business leaders: The industry transition to this category patch model will be slow to develop. Until then, security teams must be more vigilant about applying patches at both the enterprise and individual user level to ensure protection from bugs that are well known and often exploited.
3. Attackers shift focus to the applications
The perimeter of the enterprise network is no longer where it once was. With today’s mobile devices and broad interconnectivity, the actual perimeter is in the pocket of every employee worldwide. Attackers realize this and have shifted their focus from servers and operating systems to applications.
- What this means for business leaders? Re-evaluate funding and focus. Security professionals must adjust their approach to fund protection of the application layer, defending not just the edge, but the interactions between users, applications and data regardless of location or device.
4. The monetization of malware is paramount for today’s attackers
Just as the marketplace grows for vulnerabilities and exploits, malware in 2015 took on a new focus: revenue generation. In today’s environment, malware needs to produce revenue, not just be disruptive. This has led to an increase in ATM-related malware, banking Trojans and ransomware. As more and more financial transactions occur online, criminals will continue to target these for profit. Put simply, if there is money to be made, there is money to be stolen.
- What this means for business leaders? The best protection against ransomware is a sound backup policy for all important files on the system.
The full HPE Cyber Risk Report covers these areas in detail and provides additional context for these and other topics.
So what does it all mean? A complete strategy to enhance the defense of the enterprise involves an integrated approach to security that is driven by business priorities and goals. Start with a single, comprehensive view of risk across the organization and focus on business-critical digital assets. Protecting all the data interactions between them will allow organizations to implement a proactive, pan-enterprise strategy for security and risk management.
While the threat of cyber attack is unlikely to go away, thoughtful planning can continue to increase both the physical and intellectual price an attacker must pay to exploit an enterprise. Start by using the information in the 2016 Cyber Risk Report to better understand the threat landscape, and to best deploy enterprise resources to minimize security risk.
For more information on how HPE can help your organization implement a successful security program, fix gaps in your environment or aid in recovery from a breach, visit HPE Security Research.
HPE draws on decades of enterprise security experience to help businesses identify and proactively counter cyber threats. For more information, download HPE’s third annual State of Security Operations whitepaper and 2016 Cyber Risk Report.