Hewlett Packard Enterprise’s Cyber Risk Report has identified the major dangers for enterprises and businesses in 2016.
The researchers studied the major developments in threats faced by enterprises in 2015 to find lessons security professionals can use in the year ahead.
Perhaps the biggest surprise of the report is that so many of the problems are not new at all.
Even large companies are still failing to patch operating systems properly and to keep anti-virus products up to date.
Tim Grievson, chief cyber and security strategist at HPE, said: “What’s surprising is how many of our top ten threats are the same as last year – the industry has learnt nothing from patching and the bad guys are still exploiting old holes, not just from last year but even older. Security professionals need to be better at patching but also the industry needs to improve. Vendors need to be clearer about patches and what they actually do. Users need to know all the consequences.”
Grievson said the move to mobile had exacerbated the problem: 100,000 Android vulnerabilities were spotted in 2015. He said there had also been an increase in attacks on Apple’s iOS, and he expects the number of vulnerabilities in what was once seen as a secure operating system to increase.
Grievson said: “The perimeter has shifted now – you can’t just keep all your assets behind a big wall away from the bad guys. You need to focus on interactions between users, between users and data and between applications. It is not good enough to just try and secure the device any more.”
The old adage remains true: there are two types of organisations, those that have been hacked and those that don’t yet realise they’ve been hacked. The time intruders remain undetected inside a network continues to increase.
While attackers in the old days just wanted to disrupt organisations and cause trouble, malware today is all about the money.
Ransomware attacks are targeting both individuals and organisations. Typically they encrypt a device or dataset and demand money to decrypt it.
Individual ransom demands are often not very great, but gangs carry out many attacks to make the campaign financially worthwhile.
The other increasing financial risk from data loss comes from regulators. New European rules will allow regulators to fine a business up to four per cent of its global annual turnover for data breaches. There are additional costs in terms of reputation and lost business due to bad publicity.
The changing regulatory environment is another area of concern for security professionals in the year ahead.
The new European rules will require businesses to notify the regulator within 72 hours of becoming aware of a breach, and to tell the people affected without undue delay – a tall order for many large companies. Organisations working in different territories have the extra problem of ensuring they are following the relevant legislation everywhere data is stored or processed. For some companies, and some sensitive data, the best way around this might be keeping data in the country where it is created.
But Grievson warned: “Policies are good for setting a standard but they don’t make you more secure. There’s a risk that it becomes a box ticking exercise.”
Grievson’s main lesson for businesses is to assume they will be breached and to plan accordingly. Security systems need to disrupt the bad guys as much as possible.
Grievson said: “You need a cyber resilience plan, not just a disaster recovery plan. This means using encryption where appropriate and it means deploying intelligence systems to spot intruders. But it also means planning for what to do when the worst does happen.”
Grievson likened this to the fire brigade: you don’t want them practising during an actual fire, or when you call them to tell them your office is burning down.
Businesses need to create a plan and practise it before any breach happens.
You should assume that a breach will happen at some point, then decide what you will try to recover and in what order. Make sure your technology will work across silos rather than in isolated pockets.
Any such plan should also include a communications plan, especially in the light of new European legislation which obliges companies to inform people whose data has been put at risk.
Grievson added that his greatest fear as a CIO had always been the malicious insider.
He said: “My biggest fear was the unknown unknown – the insider threat. You know about bad guys outside but an insider who knows your procedures and how to avoid them can go unnoticed for far longer.”
The Cyber Risk Report described 2015 as ‘the year of collateral damage’: examples like Ashley Madison showed that damage could spread well beyond the institution that suffered the hack.
It warns that government action is likely to make IT security more difficult for enterprises in 2016. Researchers predict continued efforts to decouple security and privacy over the coming year.
There is some good news though – the report highlights the continued success of bug bounty programmes and ‘white market’ vulnerability purchasing. These let companies test their software and networks far more cost-effectively.
It also notes that the record number of point fixes for individual issues shows that industry is still keeping up with threats, but there remains a fear that this pace may not be sustainable in the longer term.
Researchers predict that enterprises will increasingly need to turn to proactive rather than reactive security solutions. These will require investment in both technology and people, because the number of data sources continues to grow.
The report warns that security professionals will need an ever more nuanced understanding of privacy issues. They will also need to respond asymmetrically to future threats, use automated analysis to detect those threats and take part in community-based defence.
While the threat is not going to go away, the report concludes that “thoughtful planning can continue to increase both the physical and intellectual price an attacker must pay to successfully exploit an enterprise.”