It’s no secret that cyber-security has moved into the mainstream of most organizations. As vectors and exposure points have increased, attack methods have become more sophisticated, data flows have become more connected and complex, threats have spiked and, in many cases, the resulting damage has been enormous.
“The landscape is changing dramatically,” states Kevin Richards, managing director, North America Security Practice and global lead for security, strategy and risk at Accenture Security.
To be sure, several trends are converging to create a far more dangerous cyber-security landscape. IT is rapidly moving into the cloud, the internet of things (IoT) is growing rapidly, and, as mobility becomes even more embedded and pervasive, third-party ecosystems are expanding. As a result, attack surfaces are growing exponentially, and software-defined everything means that bugs and coding flaws touch virtually every system and device.
The takeaway? A focus on improving the state of enterprise cyber-security is unavoidable, and constructing a more robust cyber-security framework with cyber-security best practices is an ongoing challenge.
At the same time, business and IT executives are being asked to do more with less money and fewer resources. Skills shortages abound, particularly in key areas of cyber-security.
“Organizations must have more than technology controls in place, and they must look beyond protecting a handful of key systems,” Richards emphasizes. “There’s a need for a multi-layered, defense-in-depth approach. “
Adds Chris O’Hara, principle in the Advisory Practice at PwC: “Traditional controls and approaches are more difficult to apply because perimeters have essentially disappeared. Security now touches every corner of the enterprise. It’s everyone’s business.”
Enterprise Cyber-Security Grows in Importance
Today, organizations face a dizzying array of cyber-threats, including malware, ransomware, phishing and social engineering, web-based attacks, malicious code, botnets, denial of service assaults, lost devices and activity resulting from malicious insiders.
According to the Ponemon Institute’s “2016 Cost of Cyber Crime Study & the Risk of Business Innovation” report, the challenge isn’t just identifying an attack, it’s containing it in a timely manner. If it takes less than 30 days to contain a cyber-attack, the cost to the organization averages about $7.7 million, based on the 237 organizations surveyed. If the event extends to more than 90 days, the price tag hits about $12.2 million. Downtime, business disruption or information loss can add to the pain.
Yet, the problem extends far beyond attack methods. Even with strong controls and excellent tools in place, an enterprise is vulnerable. Advanced persistent threats (APTs) that take months or years to unwind are commonplace. In many cases, stolen credentials allow an intruder to rummage through systems and files undetected because it doesn’t appear that anything illicit is taking place. In fact, the intruders may be using a legitimate ID and password.
“Most companies now struggle with the ability to differentiate legitimate traffic from a legitimate user and malicious traffic from what appears to be a legitimate user.” says Accenture Security’s Richards. “The nuances are incredibly challenging.”
In some instances, hackers and attackers may never reveal themselves. They simply copy data, listen to communications and watch traffic pass over the network. They may steal business secrets, unleash a spear-phishing or whaling attack, or look to glean personal information about employees or customers, which can be used to perpetuate identity theft or other crimes.
“They are frequently looking for ways to spot vulnerabilities, identify targets and monetize the information,” says Adam Malone, director of cyber incident security at PwC.