To better gauge how businesses today are arming themselves against cyber threats, and to what extent trusted third-party managed security services providers (MSSPs) play a role, UBM Tech surveyed 146 business technology managers in late 2013 about the solutions they are employing to mitigate their risks. Survey participants represent
a cross-section of industries, including banking, financial services and insurance; healthcare; retail and consumer packaged goods; and energy and utilities. Respondents hold a range of management roles, from CEO and CIO to directors and line-of-business managers. The majority work for enterprises that employ 1,000 or more people.
More than half of the participants work for companies with annual revenue of $1 billion or greater. The research shows businesses battling a wide range of cyber threats, with viruses, malware and botnet launched attacks
highest on their list of concerns. New business collaboration tools such as social media, and IT delivery models
such as cloud and mobility, are adding to the security challenge by introducing potential exposure points for corporate data. Businesses must rethink policies around safe use and their practices for protecting valuable and sensitive information from possible leaks.
A fast-evolving and increasingly virulent threat environment is raising the security stakes for businesses today.
This, combined with the highly distributed and more open nature of today’s enterprises, is testing even the best resourced corporations.
Security spending has significantly increased as security has shifted from being a non functional requirement to a business requirement. Business and technology innovations leading to the Internet of Everything and consumerization have brought security into focus.
In fact, 83 percent of businesses surveyed by UBM Tech plan to increase their security budgets in the next few
years. Credit the constant barrage of threats against vital corporate assets and consumer data and the high-profile breaches of 2013 and 2014, including those at Target, Neiman Marcus and Michaels Stores, for driving enterprises to tighten security controls and operations. A detailed analysis of these breaches has brought process weakness into the foreground, along with the need for defense-in-depth security controls.
This appreciation for the critical nature of security controls and enforcements is applicable across almost every industry. Traditional targets such as financial, retail and healthcare companies have evolved and are showing maturity in their security strategies, while newer targets, including manufacturing, utilities, electronics and natural resources, are under high alert because of “hacktivism” and terrorist activities. Hackers are perpetrating intelligent attacks, morphing threat agents and initiating stealth attacks that take advantage of weak controls and process gaps to slip past corporate controls.
Organizations in all sectors are introducing new systems and technologies into their security landscape, including BYOD.
Adding to the woes of security officers are the changing regulatory requirements that make it more complex to secure the business. Key challenges include creating the required awareness and building a team of security architects and data scientists to safeguard the business with intelligence.
The Best Defense
“Defense in depth,” or security at each layer spanning processes, technology, transactions and people, is what
every sector is focusing on. Gone are the days where security was confined to the perimeter and point solutions. New-age businesses run using intelligence, emotions, patterns and profiles, which drives security toward convergence, analytics and posture. Asked what top security issues contributed to breaches at their enterprises, survey respondents put viruses, malware and botnet attacks at the top of their threat list (see figure 1).
Phishing and spam can also derail productivity and potentially capture personal or highly sensitive information,
and two-thirds (66%) of those surveyed cited these among the top issues they face today. User error remains a major contributor to corporate insecurity, with 62 percent noting that often well-intentioned but poorly executed decisions can put critical information at risk. Weak passwords, easily hacked, can also make it easier for unauthorized users to access corporate resources.
The more extensible nature of enterprises also introduces new risks. An environment in which more external users, such as contractors, partners and guests, are able to tap into data they’re not actually authorized to access can pose a major threat to the security and stability of an organization.
In late 2013, UBM Tech conducted an online survey on behalf of Wipro on the State of Cybersecurity in the Digital Economy: Balancing Accessibility with Effective Risk Management.
A total of 146 business technology management professionals completed the survey and make up the final data
set. The greatest possible margin of error for the total respondent base (N=146) is +/- 8 percentage points. UBM Tech was responsible for all programming and data analysis. These procedures were carried out in strict
accordance with standard market research practices.
The Systematic Approach
So how are organizations defending their critical information in the current context of unpredictable threats while addressing changing business, technology and regulatory needs? The simple answer is that businesses are taking
a systematic approach that focuses on user awareness, shredding the silos of technology and systems, as well as converging security systems for a unified view of posture and intelligence information. Organizations in all sectors are introducing new systems and technologies into their security landscape, including bring your own device (BYOD) for remote control and operational tasks; health-monitoring devices on home networks; and smart meters on
In this context, 85 percent of the respondents require users to secure mobile devices with a password. Approximately three-quarters — 77 percent — engage and keep users informed by communicating information
both about potential threats and about best practices with which to protect their assets.
Sixty-six percent of the respondents restrict application access to users operating corporate owned and -managed devices. Over half — 59 percent — enable external devices based on the role of the user. So, for example, while executives may be allowed relatively unfettered access to enterprise applications, sales staff may be required to
use only corporate-issued devices
Businesses are also focusing on resilience and situational awareness. These steps run the gamut from requiring users to access corporate resources via a virtual private network (VPN) and USB lockdown to encrypting hard drives and using a central “gold” OS image with a pre-defined program for adding or limiting access. Thirty-nine percent
of the participants perform security drills on a periodic basis to make sure the IT staff is prepared to mitigate the impact of an attack.