Enterprises “need to shift toward adopting a cyber-resilience strategy to better protect their businesses, data, and employees,” said Matthew Gardiner, cybersecurity strategist at Mimecast. “Threats don’t just purely come from the outside. To put it simply, firewalls and endpoint protection aren’t enough anymore and haven’t been for some time. A cyber-resilience strategy focuses not just on combating attacks but on ensuring continuity during an attack and providing fast recovery after a threat is detected.”
To combat data security threats, organizations often put too much emphasis on building higher walls and moats around their systems, but do not pay enough attention to what goes on inside. “Enterprises often overemphasize protection at the expense of detection,” said Bradley. “They rely on the outdated notion that building a higher wall or deeper moat is enough to stop the adversary. Recent breaches have proven that’s not the case. Organizations are finally starting to realize they must shift focus to detection.”
Elliott agreed that there is too much focus and money going to prevention, which may simply be a lost cause. “Prevention is dead,” he said. Instead, executives need to look at “privilege and applying greater security to the systems, applications, and data that are most critical to their business. In 2017, we’ll see more enterprises get serious about security around their most privileged users—identifying them, monitoring their access, and closing off access to what they don’t need.”
The lesson is that “history has shown that no wall is ever high enough—hackers will always find a way in,” said Little. “Attempting to mitigate cybersecurity risks with additional layers of network security means spending money in the wrong place. Instead, adopt a different strategy and begin encrypting their sensitive information at the data level. That’s the only way to truly protect against cyberattacks.”
Addressing the Problem
So what can enterprises do to manage or even eradicate this risk? A multi-layered approach is needed, starting with the fundamentals of locking down their systems. “Organizations first need to ensure they’ve handled ‘low-hanging fruit’ such as proper account configuration and ensuring security is enabled,” said MarkLogic’s Pasqua. “Yes, these mistakes still happen. Just do a web search on data breaches to see how common it is. After they’ve handled that, they need to think about the bigger picture.”
Investing in the right people and training to help handle security issues is also key to the process. “Hire the right experienced people to implement the strategy,” Coty advised. “Make sure you have seasoned reverse engineers that are building the security content to make your strategy deliver the desired security outcome.” Bring in the database administrator, who is perhaps the most valuable component of any security strategy, as well. “A lot of DBA roles focus on protecting data,” said Bradley. “It’s critical they engage with the security team on overall security strategy.”
End-user education is the best bet in data security, experts agree. “The numbers consistently show that many data breaches originate inside organizations, often stemming from something like an employee falling victim to a phishing scheme that introduces malware on the network, or accidental end-user errors that stem from an inadequate understanding of potential security threats,” said Destiny Bertucci, head geek at SolarWinds. “Of course, most end users don’t want or mean to cause problems; they just don’t always understand what they’re doing and how one action today can cause trouble in the future. As more and more end-user devices get added to corporate networks through workplace trends like BYOD, BYOA, and IoT, it’s in every company’s best interest to properly educate their end users about the impact new devices like wearables or mobile devices connected to the corporate network can have on overall security,” Bertucci said.