Managing Digital Risk in 2017
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
All businesses today recognize the opportunities of digital transformation, and some are actually leveraging new technologies to improve their business results. Instead of viewing cybersecurity as a hindrance to innovation, businesses should embrace easily adopted methods of lowering risk while accelerating technological transformation.
It is well documented that data breaches damage businesses both reputationally and financially. No business leader in today's climate can look in the mirror and deny that cyber threats are a top priority. Delaying countermeasures and avoiding the reality of the threat has now resulted in government intervention.
New York State has just put into force a first-of-its-kind regulation requiring every financial services and insurance company doing business in the state to comply with a set of requirements that is far more expensive and resource-consuming to implement than if those businesses had addressed the problem on their own two years ago.
For insurance companies, "doing business" means that if they have sold policies covering individuals or businesses residing in New York, they fall within the regulation's scope.
In the next few months we will see similar legislation in the remaining states. In addition, the European General Data Protection Regulation (GDPR) takes effect in May 2018 and will, among other things, require any enterprise that processes the personal data of EU residents to notify the supervisory authority of a breach within 72 hours of becoming aware of it. This will undoubtedly cause a spike in the number of breaches tracked and reported, and re-focus international attention on the problem.
The bite is worse than the bark here: organizations can be fined up to 4% of global annual revenue or €20 million (roughly $25 million at today's rates), whichever is greater, if the EU regulators determine after a reported breach that the organization did not take the necessary precautions to protect the data.
Consider the S&P 500: the average company earned 11% of its revenue, or $9+ billion, in Europe last year. Because the 4% cap is calculated on worldwide revenue rather than European revenue, the percentage-based ceiling dwarfs the fixed €20 million floor for every one of them. I am sure that is serious enough to get everyone's attention.
In spite of all this, most organizations still rely on outdated methods of protection that focus too heavily on blocking and prevention. These methods are, to put it kindly, decreasingly effective against today's advanced threats. To pretend that there is such a thing as impenetrable protection against modern sophisticated malware is pure folly. It has to change.
In anticipation of impending legislation, and to take advantage of the opportunities in digital transformation, businesses must move to an adaptive security model: preventive, detective and responsive controls at every layer, backed by policies and processes that address the exposures and threat vectors present in their environment. There needs to be a mind-shift away from "incident response" and toward "continuous response." In its simplest form, an adaptive security life cycle has four stages: preventive, detective, responsive and predictive.
Preventive security remains the first layer of defense. Perimeter technologies like next-generation firewalls and endpoint protection raise the bar against today's advanced attackers and are often successful at blocking all but the most sophisticated attacks. But most organizations put these in place and stop there, believing they have done enough. They are wrong. Modern perimeter defenses cannot prevent every infection; they are a barrier that makes it harder for an attacker to get through. Good, but not enough.
Detective security must be in place so that attacks that get past the perimeter are uncovered before they become a breach, keeping the time malware spends inside the network (its dwell time) short and the resulting damage limited. This layer is critical: modern malware is polymorphic and metamorphic, changing its form faster than signature-based perimeter defenses can keep up, so the perimeter watch that traditional schemes relied on no longer sees it. Without a network detection layer, that gap invites the kind of attack that succeeded at HBO.
Responsive security is retrospective in nature and provides a layer that learns from past attacks, turning them into future protection. Machine learning algorithms analyze the holes and vulnerabilities exposed in prior attacks and ready the perimeter and network layers with specific preventive measures designed to identify similar incidents in the future.
This layer is also often part of the event management component of a holistic defense system; in addition to monitoring and adapting, it can create automated real-time rules and processes to deal with events as they occur. This way, metamorphic malware can be detected on the fly and eradicated before it turns into a breach.
Predictive security is an advanced layer that benefits from the pattern recognition and artificial intelligence technologies now being embedded in holistic defense platforms. The objective is to combine and correlate as many disparate data points as possible, including broad intelligence feeds from external threat networks, Internet sentiment and hacker underground channels, to anticipate new attack types proactively. All of this data is then fed back into the preventive and detective layers, putting new protections in place against evolving threats as they are discovered.
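To make the feedback loop between the four layers concrete, here is a small working model of it. This is an added example, not code from the article or from any product it describes: a predictive feed seeds a shared block list, the preventive layer enforces that list, the detective layer looks for beaconing (a fixed-interval callback pattern, chosen because it does not depend on recognising the malware's bytes) in the traffic that got through, and the responsive layer turns each detection into a new preventive rule. The hostnames, addresses, timestamps, thresholds and the intelligence feed are all constructed for the example.

```python
"""Toy model of a four-layer adaptive security loop: predictive feed seeds the
block list, preventive enforces it, detective flags beaconing in what got
through, responsive feeds each detection back as a new preventive rule.
Added example with constructed data; nothing here is from the article."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int       # seconds since start of the capture (constructed)
    src: str      # internal workstation name (constructed)
    dst: str      # external destination (documentation IPs / example.org)
    action: str   # "connect" or "download"


@dataclass
class Indicators:
    """Shared state that all four layers read and write."""
    blocked_dst: set = field(default_factory=set)
    watched_src: set = field(default_factory=set)


def predictive(feed, ind):
    """Pre-seed the block list from an external intelligence feed (constructed)."""
    ind.blocked_dst.update(feed)


def preventive(ev, ind):
    """Perimeter layer: allow the event only if its destination is not blocked."""
    return ev.dst not in ind.blocked_dst


def detective(seen, ind, min_conns=4, max_jitter=2):
    """Flag (src, dst) pairs that connect at a near-constant interval, a simple
    beaconing heuristic. Pairs whose destination is already blocked are skipped
    so that each pair alerts once rather than on every replay."""
    by_pair = defaultdict(list)
    for ev in seen:
        if ev.action == "connect" and ev.dst not in ind.blocked_dst:
            by_pair[(ev.src, ev.dst)].append(ev.ts)
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            alerts.append((src, dst, gaps))
    return alerts


def responsive(alerts, ind):
    """Feed each detection back into the preventive layer as a block rule."""
    for src, dst, _ in alerts:
        ind.blocked_dst.add(dst)
        ind.watched_src.add(src)


def run(events, feed):
    """Replay events in time order through the loop; return what happened."""
    ind = Indicators()
    predictive(feed, ind)
    seen, blocked, alerts = [], [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if not preventive(ev, ind):
            blocked.append(ev)
            continue
        seen.append(ev)
        new = detective(seen, ind)
        responsive(new, ind)
        alerts.extend(new)
    return {"allowed": seen, "blocked": blocked, "alerts": alerts, "indicators": ind}


# Constructed traffic: ws-17 beacons to 198.51.100.23 every 60 s and then tries
# to pull a payload; ws-04 browses example.org at irregular intervals and once
# touches an address that the (constructed) intel feed already lists.
EVENTS = [
    Event(0, "ws-17", "198.51.100.23", "connect"),
    Event(15, "ws-04", "example.org", "connect"),
    Event(60, "ws-17", "198.51.100.23", "connect"),
    Event(75, "ws-04", "203.0.113.9", "connect"),
    Event(120, "ws-17", "198.51.100.23", "connect"),
    Event(140, "ws-04", "example.org", "connect"),
    Event(180, "ws-17", "198.51.100.23", "connect"),
    Event(200, "ws-17", "198.51.100.23", "download"),
    Event(240, "ws-17", "198.51.100.23", "connect"),
    Event(260, "ws-04", "example.org", "connect"),
    Event(300, "ws-17", "198.51.100.23", "connect"),
]
FEED = {"203.0.113.9"}

if __name__ == "__main__":
    result = run(EVENTS, FEED)
    for ev in result["blocked"]:
        print(f"t={ev.ts:>3} blocked  {ev.src} -> {ev.dst} ({ev.action})")
    for src, dst, gaps in result["alerts"]:
        print(f"alert: {src} beaconing to {dst}, gaps {gaps}")
```

Two things the replay shows that the prose only asserts. The feed entry stops ws-04's connection at t=75 without any local detection, which is the predictive layer doing its job. The beacon from ws-17 is allowed four times before the detective layer has enough samples to call it, after which the responsive layer's new rule blocks the payload download at t=200 and the later callbacks; that is the "continuous response" loop, and the four allowed callbacks are the dwell time it is trying to keep short.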
If businesses accept the realities of an increasingly regulated cybersecurity environment, along with the advancing state of contemporary threat mechanics, they should no longer wonder whether they have put sufficient processes and technologies in place to manage these expanding threats. They will either figure it out themselves or be told by a government agency that they haven't.
The good news is that the way out of the quagmire is known.
Implementing a layered defense strategy as a business expands through its digital transformation journey will form a comprehensive, constant, 360-degree protective shield at every stage in the life cycle of a security threat and satisfy even the most restrictive requirements of any compliance statute.
Comment from a Program Integrity/Sr. Analyst (7 years ago): Third-party onsite security risk assessments are extremely helpful to evaluate administrative, technical and physical safeguards. Behavioral audits of end users and workflows should be done periodically for process improvement opportunities in risk detection and prevention, collaborating with technology to manage digital risk.