“The first line of defense should be technologies and policies that help to prevent infections from happening in the first place,” said Gardiner. “Right behind those controls should be technologies and processes that accelerate the organization’s ability to detect and respond to threats that will inevitably get through. It’s important that employees be educated so that they can increasingly be part of the security solution as opposed to primarily being vulnerabilities that are easily exploited. Security awareness training should be an integral part of every organization’s security defense plan.”
Technology that addresses preventing, blocking, and mitigating application layers is advancing, according to James E. Lee, executive vice president and CMO of Waratek, Inc. “For any new technology to keep pace with the volume of attacks, though, enterprises need to accelerate their evaluation and deployment schedules. Today, those are measured in quarters and sometimes years. That cycle needs to be faster or the bad guys will simply need to keep doing what they are doing to continue to stay ahead of security best practices.”
Machine learning and artificial intelligence are areas on the horizon that hold promise for addressing security issues. “The industry is getting close to having a solution that works,” Levy reported. “But right now there are too many false positives and unprotected attack vectors to be considered a wholesale replacement. This is a space to watch this year.”
An area that is progressing rapidly is cloud security, related Daniel Logan, director of enterprise and security architecture at Tata Consultancy Services. “Cloud hosting vendors have been making fast progress on creating an ecosystem of tools to manage configurations, patch software and operating systems, and enable proactive detection and response to emerging threats through automation. This automation is leading to shorter reaction times and thus narrowing the window of opportunity for threat actors.”
Data security responsibility doesn’t stop just because applications and systems are turned over to a cloud provider, either. “Don’t ever hand over the encryption keys to corporate data security and privacy to anyone,” said Jim Crook, senior product marketing manager for CTERA. “Cloud providers are not responsible for your data—you are. Invest in a system that allows you to apply your corporate policies and meet critical business needs for data governance, security, integrity, sovereignty, and compliance.”
Little implores enterprise leaders to “recognize that their organizations’ data is exposed in unprecedented ways. In order to maintain control in a cloud-based, mobile environment, companies should implement a data discovery and classification process that identifies and tags sensitive information, and deploy persistent data encryption to ensure information will be unusable even in the event of a data breach,” he said.
As with standard disaster recovery planning, hoping for the best, but preparing for the worst is a good policy to follow, experts also advise. “Have an appropriate response plan in place,” said Bradley. “Should an incident occur, a well-prepared organization can fall back on its business continuity plan. That involves having alternative operating systems at the ready along with back-up data it can restore fairly immediately. Such preparedness offers a level of protection and makes the actual value of the breach less significant.”
Finally, the roles and responsibilities for data security also need to be elevated, even as high as the boardroom. “You need to create a culture of security from the top down,” Bradley advised. “Security used to be considered an IT problem, but given today’s threat landscape, security needs to be seen as every employee’s responsibility—and that message and tone needs to be set in the C-suite.”
Business leaders need to “pursue a whole new way of thinking, and adopt a business-driven security that connects security risk and business risk,” agreed Sadowski. “They should prioritize information assets and understand their vulnerabilities, quantify business risk and impact if those assets were compromised, and build a strategy to defend those assets with clear cost/benefit relationships outlined, and ensure the strategy is holistic.”