The old adage says: “keep your friends close, but your enemies closer”. In this day and age, the IT department of your organization does not have to worry about the second part. The enemies are already at the gates. And keeping them out is an increasingly challenging task.
A recent study sponsored by Juniper Networks showed that not only has there been a dramatic rise in the number of security breaches in the past year, but the targets have also gotten bigger. The CIA, the FBI, the U.S. Senate, and various state police agencies had their systems under attack. In the first half of 2011, security and data breaches cost U.S. enterprises almost $96 billion. At this rate, the cost for the whole of 2011 will be almost twice as much as it was in all of 2010. Consider the fact that 2010 saw 90% of businesses compromised with at least one security breach. More than 50% of the compromised businesses had at least two breaches.
Another problem is that “the gates”, where the enemies are trying to get through, are everywhere now. The entry points are in the software employees use. They are in files, emails, web apps, web sites, databases, in everything that is on the information highway. The number of incidents related to malware went up from 4 million in the first quarter of 2010 to 6 million in the first quarter of 2011. Last year’s record $63 billion that companies spent on security is expected to become $75.6 billion in 2011. As the study showed, the enemies get smarter and the attacks get more complicated every year. Throw up all your defenses, get every firewall ready, along with host and network intrusion protection and detection systems, anti-virus, anti-malware and application firewalls, and it will still not be enough, because the enemies are a step ahead. The solution? “Know yourself and know your enemy” (Sun Tzu, “Art of War”). Get the right security talent on board and use the right strategy.
The correct strategy, rooted in the governance, risk management and compliance methodology, can go a long way. Consider governance, a system by which an organization controls and directs security development, as the backbone of the approach to managing security and how it relates to the business (http://www.cert.org/governance/ges.html). Then, focus on compliance and regulations, a key to proactive defenses and enforced regulation of a company’s behavior as it pertains to security for the specific nature of the business. Governance is strategic, while compliance is tactical and specific. Addressing compliance and security regulations allows a business to focus on particular challenges and vulnerabilities specific to the business type and the vertical it operates in. Finally, adjust risk management, a set of technologies that addresses day-to-day security work and includes mature components of security such as penetration testing, application security analysis, firewalls and intrusion prevention systems. The success of the security strategy depends on attention to all three components.
Talent is a different thing. With the increase in demand for security experts, in response to the increased attacks, security talent is becoming more expensive and harder to find. So far, the number of college students who focus on cyber-security has not been keeping up with the demand. There are even fewer opportunities to find experienced security consultants who are up to par with the criminal masterminds of the security underground. Security may be on the radar for around 1.9 million people, but there are only around 346,000 fully dedicated security professionals.
There are, however, security consulting firms, like Prolifics Security Practice (http://www.prolifics.com/business-solutions-security.htm), that can help you with both the talent and the strategy. They bring the best and the brightest security personnel on site to analyze, architect, develop and implement proper defenses and policies to address modern security threats. They help set up a proper strategy, so you protect the flanks, tie up the loose ends and govern smartly.
With the increasing number and caliber of security breaches, you cannot afford to sit around and wait. Find out what others are doing, go to conferences, ask consultants, bring in help, but do something, because the enemies are at the gate.
If you want to read more on the recent rise in cyber attacks, look here: http://articles.latimes.com/2011/jul/05/business/la-fi-hacking-security-20110705