Are enterprises more or less secure than 5 years ago? That’s the big question of the moment, especially with ongoing revelations about state-sponsored hacking, as well as an unending stream of reports about customer and employee data being compromised by even the most seemingly security-conscious organizations. Awareness of data security is running at a fever pitch at the highest levels of government and business organizations. There have been plenty of technology advances, and awareness has grown. Still, the wave of breaches and threats never seems to abate, and likely never will.
Technology advancements are both the cause and the cure for data security breaches. “As organizations move to a hybrid architecture with systems on-premises, in the cloud, with mobile devices, and third-party service providers, the possibilities for breaches increase exponentially,” said Alyssa Johnson, president of the OAUG. “Furthermore, the business side of the organization has been allocated budget and ownership of applications which bolt on to ERP—often with little knowledge from the IT department.”
Technology fixes alone will not help address the looming threats organizations face. Most business leaders rely too heavily on IT to solve their cybersecurity risks, said David King, senior manager in UHY LLP’s Internal Audit, Risk, and Controls practice. “Though there have been significant advancements in perimeter protection—such as intrusion protection and prevention technologies—enterprises are significantly less secure than they were 5 years ago.”
Then, add to this mix the emerging challenges posed by mobile computing
and the Internet of Things (IoT), which enable “cybercriminals to more easily extend their reach than they could just a few years ago,” Joe Levy, CTO at Sophos, pointed out. “So many low-cost IoT devices contain outdated code based on poorly maintained operating systems and applications with well-known vulnerabilities.”
Frequently, so-called “smart devices” are “fire-and-forget in their simplicity, or have built-in features and tools we may not even know are there,” added Sam Elliott, director of security product management at Bomgar. “Companies may not be able to easily account for ownership or origin once a breach happens. Who is responsible for securing, maintaining, and patching the various technologies? Worse yet, has a product been connected that can’t even be patched? A number of IoT devices are often overlooked because they fall outside of IT’s traditional purview.”
This creates an “expanded attack surface that enterprises must now defend,” said Rob Sadowski, of RSA, a Dell Technologies company. “The modern IT infrastructure, driven by cloud-based applications and infrastructure, mobile users and platforms, and many more third parties with access to the enterprise and its sensitive data, all make security much more complicated.”
Matt Little, VP of product development at PKWARE, agreed that today’s enterprises must contend with a new generation of internal threats. “Even in the absence of spies or saboteurs outside of the organization, the complex system architecture of a typical enterprise, when combined with inadequate employee security training, creates almost limitless opportunities for critical information to be compromised by an insider threat.”
It’s an ongoing game of one-upmanship that keeps getting played between organizations and hackers. “As organizations have learned how to better secure themselves, adversaries have had to get craftier,” added Stu Bradley, vice president of cybersecurity solutions at SAS. “They’ll often procure the same security products the organization uses to test and hone their exploits, so they know how [the products] will perform once inside the organization’s network.”
Wolves in Sheep's Clothing?
While outside hackers get all the headlines and angst, insider abuse is just as much a threat, if not more so, experts agree. “Internal employees don’t have to break through firewalls to get to an organization’s data,” said Johnson. “They’re already in.”