With sophisticated hackers, compliance regulations and security tools that fail, security departments are undeniably overwhelmed with data security. And that’s just the data security part of what they do.
Being charged with developing an IT infrastructure and keeping it safe at the same time is a recipe for burnout, especially when IT budgets are too small and good help is hard to find.
The following identifies six key reasons that IT departments are challenged to keep pace with the rigorous demands of securing data:
Management teams don’t receive data security metrics
Executive-level managers are frequently susceptible to the “it can’t happen to us” syndrome. This is often due to the lack of business-relevant security metrics they receive. When IT requests funds for improved security controls, they tend to talk in bits, bytes and packets rather than in terms of business risk, the language executives understand well.
IT staff are frequently challenged to demonstrate how increasing data security will impact the bottom line, so the answer is too often a “no.” Until management teams understand the risk to each area of the business if an incident occurs (and IT learns how to build a business case to communicate this), data security will continue to be viewed as an isolated IT policing function.
Projects launch data security too soon
For companies that develop and market software, embedding security controls is often poorly executed; too often security is “sprinkled on at the end rather than baked in from the beginning.”
Market pressures result in new software launching prematurely, and data security patches are issued over the ensuing years. Paying customers then become the quality assurance testers, and all of the customers that have these new software products installed are at risk. Even less protected are internally developed applications (e.g. web/customer portals, intranets or HR databases), where data security is frequently a fleeting consideration—if it is considered at all.
Data security threats are more sophisticated
In the early days, hackers tended to work alone. They were brilliant (if misguided) techies who wanted to show the world what they could do. Now, cybercrime is a rapidly growing industry, funded by organized crime rings and foreign intelligence services that are constantly devising improved methods of attack. IBM recently reported that the cost of a data breach for a business is on average $3.62 million making data security more of a risk than ever before.
Interestingly, the lowest-hanging fruit for these nefarious groups is the human element. Some data security attacks are socially engineered to target a single person and his or her workstation.
Cyber criminals invest tremendous resources in figuring out how to make a fake email look real so they can deliver a hyperlink or a weaponized PDF or Word document, thereby gaining a foothold throughout an entire organization. Sophisticated thieves have begun using disinformation tactics to disguise the source of an attack by altering their keyboard layout or using a language pack that leads investigators down a false trail, often off by half a continent or so.
Some foreign intelligence services have also been known to recruit criminals to act as mercenaries—independent black hat attackers that are extremely difficult to trace.
Bring Your Own Device (BYOD) is here to stay
Gone are the days when companies distributed a single brand of laptop and 1000 Blackberries to their employees. Now, executives prefer to use their own devices: iPads, Android phones, MacBooks, etc. People are ‘on’ 24/7, checking emails at a child’s soccer game or a family picnic. The flip side is that kids are often downloading apps and texting friends on these same devices. This might be great for employees, but it’s not great for your business’s data security plan, and it can make devices hard to keep in check.
Most companies institute centralized security controls that protect company data when employees log in, but these controls are not always failsafe. As of now, mobile devices are not major targets of cyber thieves, but we expect more malicious mobile software on the horizon. BYOD creates a significant challenge for most data security teams.
There is a significant shortage of skilled IT talent
Cybersecurity is still a relatively new discipline. Larger companies started implementing security programs in the mid-to-late 1990s, and colleges didn’t start offering data security as a core curriculum until roughly ten years ago. Most companies still aren’t aware of the benefits of using a managed security service to aid their business’s data security.
There simply aren’t enough students and trainees in the pipeline to meet the demands of an increasingly sophisticated threat environment. On top of that, many companies have not prioritized data security; hiring in-house expertise is expensive (because of the talent shortage) and most company security programs have insufficient budgets to begin with. Do the math on that, and it’s clear why many organizations aren’t properly equipped to prevent or even detect today’s attacks.
Employees lack education and training
There’s no doubt that the human factor is the weakest link in any data security program. In general, people want to be helpful. When a so-called ‘John Smith’ in accounting calls the support desk to get his password reset, the person who receives the request wants to be of assistance.
Employees need to be trained to be cautious and suspicious, especially when those traits do not come naturally to them. IT can deploy all of the latest technology defenses, only to have the program undermined by a single employee. One advantage of government compliance is that employees are required to take part in regular training.
However, many industries are not subject to this kind of data security compliance, so this responsibility goes unheeded in a significant number of organizations. And for those companies that are instituting some sort of training, it often comes in the form of a document to read or a (dry) video to watch, neither of which have much of a lasting impact.
All organizations are dealing with these six challenges in some form or fashion. However, utilizing a 24/7/365 managed security service can help combat these challenges and reduce the significant risk your organization may be facing.
Want to stay up-to-date on the latest security operation strategies? Follow us on LinkedIn and on Twitter at @getcybermaxx.