Success in today’s fast-moving business world hinges on innovation — and data is its lifeblood. But data-driven innovation faces escalating risks from attack types that are constantly evolving to uncover new vulnerabilities and, ultimately, steal valuable data.
Staying ahead of cybercriminals requires continually adapting and growing security controls and practices. Many businesses, though, aren’t heeding cybersecurity’s growing warning signs. In its latest Cybersecurity Insights report, AT&T notes that 50% of organizations have not updated their security strategy in more than three years.
We asked security experts and practitioners for their thoughts on the biggest challenges to protecting enterprise data in the face of ever-evolving cyberattack capabilities, and three themes surfaced.
1. Employees: Often the weakest link
All too often, cybercriminals can sidestep an organization’s security barriers through cleverly designed social engineering schemes. And these employee-targeted attacks are only growing in their effectiveness and intensity. In its report, AT&T states that its network detects and blocks more than 400 million spam messages daily.
“The greatest challenge to enterprise security is the threat posed by social engineering attacks aimed at the enterprise's employees,” says Steve Gibson (@sggrc), president and CEO of Gibson Research Corp. “One mistake made by a well-meaning employee lured into clicking on a malicious link is all that's required to collapse an organization's otherwise bulletproof security.”
Robert Siciliano (@RobertSiciliano), CEO of IDTheftSecurity.com, agrees. “Without question the biggest challenge companies are facing is human hacking,” he says. “An organization can have the most robust technology to protect their infrastructure, but a Trojan horse in the form of a phishing email or a phone call could compromise any and all systems.”
Given that employees are often the weakest link, awareness training must be a cornerstone of cybersecurity preparedness. “Security awareness training in the form of phishing simulation is one of the best ways to tighten up and prevent breaches,” says Siciliano. But, he cautions, this approach is flawed and shouldn’t be seen as a solution for all security issues within the enterprise.
“Educating users around the nearly limitless number of attack vectors is rapidly losing the race with hacker innovations and motivations,” says Adam Stein (@apstein2), principal at APS Marketing. “Building an enterprise security lifecycle that encompasses real-time security risk identification, intelligent machine learning capable notifications and an AI-savvy remediation engine remains a distant holy grail.”
Ultimately, data security is the responsibility of everyone in the organization. “The executive level down must collaborate to protect a business’ sensitive information for the health and longevity of the company,” says Kevin Cunningham, president and co-founder of SailPoint. “It falls to the management and employees to ensure that protecting sensitive information is of the utmost importance.”
That’s the aim of cybersecurity awareness training. “The best technical security is easily defeated by a person who fails to recognize a threat or take basic steps to prevent or deter the breach,” says Ron Woerner (@RonW123), professor at Bellevue University.
2. Security strategy trails technology
Organizations once relied on static security perimeters to protect their valuable information stored in onsite data centers. But with a growing reliance on mobile and IoT devices as well as new threat types, that’s no longer a viable strategy. Organizations need a more holistic approach to cybersecurity.
“The biggest security challenge facing large organizations is that they’re not moving quickly enough toward a risk-based view of their environment,” says Ed Bellis (@ebellis), founder and CTO of Kenna.
Focusing on perimeter security still leaves enterprises vulnerable to insider threats, according to Scott Schober (@ScottBVS), author of Hacked Again. “Effective data security must utilize end-to-end encryption solutions for endpoint devices, databases, networks and applications,” he says.
Data is further jeopardized by a lack of controls over who sees and grabs the organization’s crown jewels. “Limiting who accesses and extracts data can typically only be done with administrative privileges,” says Morey Haber (@MoreyHaber), vice president of technology at BeyondTrust. “Monitoring all privileged session activity down to the keystroke is also justified by privileged-escalation vulnerabilities that can access data in bulk.”
For Marco Comastri (@marcoco), president and general manager of CA Technologies EMEA, “the No. 1 challenge to protecting consumer and enterprise data is tying a human to a device.” Access controls also provide an additional benefit of enabling a more seamless and personalized experience for the employee.
Overall, an effective security strategy is a balancing act. “If it becomes too difficult for employees to access data, they will find alternative and frequently less secure methods for obtaining the information needed to get the job done,” says Ed Featherston (@efeatherston), vice president principal architect at Cloud Technology Partners.
Often small-to-medium-size businesses don’t have the in-house skill set needed to protect themselves, says Cindy Jutras (@ERP_cindyjutras), president of Mint Jutras. “The biggest mistake they make is in thinking an internal on-premise solution is safer than a SaaS solution,” she says. “In fact SaaS solutions are more secure simply because the SaaS solution provider has security experts on board. They must in order to protect their livelihood.”
While accounting for new threats, organizations also need to double down on traditional security practices. “New cyberthreats and zero-day vulnerabilities make headlines, but for most organizations the challenge is the management of technical debt,” says Christopher Petersen (@CPetersen_CS), IT consultant at Crystallized Software. “Patching the latest operating system to meet the latest threat is 'easy,' but the difficulty scales with every day that any component is allowed to drift.”
3. Inadequate engagement prevails
Committing to cybersecurity innovation ensures that organizations remain flexible in the face of bad actors’ ever-evolving attacks. Securing data isn’t a once-and-done event. “Data security must be constantly examined, evaluated and modified,” says Featherston. “Hackers are running a very agile process with one goal and one goal only — to get your data.”
Organizations must guard against fatigue that can set in from the need to be constantly attuned to new threats. “Defenders can suffer from burnout, losing some of their creativity and drive. Similarly, end users can go numb to cybersecurity alerts and awareness reminders, ignoring reminders or assuming they already know what to do,” says Eric Vanderburg (@evanderburg), security and technology consultant and author. His suggested solution includes celebrating cybersecurity wins, emphasizing the importance of consistency, and encouraging cybersecurity teams and employees to maintain their combat readiness.
Increasingly, third-party consultants are seen as a vital part of an organization’s overall security mix. Cloud vendors serve as a prime example for Daren Glenister (@DarenGlenister), CTO of Synchronoss. “Companies must now go the extra mile and make sure their cloud vendors can pass an audit of the new cybersecurity regulations,” says Glenister. “If not, this can pose a significant threat to the enterprise, as noncompliance runs the increased risk of a cyberattack and exposure of personally identifiable information.”
While cybersecurity’s evolution is powering business innovations throughout the world, it is also creating ever-greater vulnerabilities to cyberattack. To protect valuable data, organizations must overcome these challenges with the help of innovative technologies and methods to identify threats today and tomorrow.
Carin Hughes is an editor of the AT&T Cybersecurity Insights reports.