Call to Action: Pounding the Table for Security Budgets
The vicious cyberattacks on major organizations like Target, Home Depot, eBay, JP Morgan Chase and, recently, Anthem make one thing clear: the severity and sophistication of cyberattacks have taken a major leap forward. Having thieves steal sensitive data such as credit card information or personal identities is extremely costly, both financially and to the brands’ reputation. Yet a new breed of attack has become public that should be cause for even greater concern. Foreign nation-states are waging cyber-warfare on companies or people that oppose their views. While only representing about 10% of cyberattacks, nation-state-sponsored hacking is on the rise and the impact of a breach can be far more severe.
Consider these recent examples:
- In November 2014, we witnessed North Korea’s attack on Sony, which was successful in causing major disruption and costing the company millions in recovery costs. The cause? Plans to release a spoof film that made fun of North Korea.
- Similarly, Iran hacked into the Sands Casino chain in response to comments made by its owner, Sheldon Adelson. The Sands only saved itself from total IT meltdown by unplugging from the Internet entirely, but not before its North American network and sites were badly damaged. This rendered them paralyzed – unable to do online business, including booking hotel rooms, for many days.
- In Germany, a steel factory suffered massive damage after hackers accessed production networks, allowing them to interfere with the controls of a blast furnace. The result was massive physical damage to the plant.
Without a complete admission of guilt in any of these recent attacks, there are some that will argue that the blame may be misplaced in each of these cases, but so far the supporting evidence is fairly strong. According to Hunton & Williams, a law firm that specializes in cybersecurity and privacy issues, there has been a “huge increase in the number of nation-state attackers who are seeking IP, blueprints, M&A data and R&D.” The industries most often targeted are oil & gas, aerospace & defense, technology and telecommunications.
It’s time to wake up and recognize that while new innovation and the benefits of connectedness are extraordinary, they clearly come with major risk if security measures aren’t taken more seriously and put at the top of the priority list. Legacy security solutions and their providers have been caught flat-footed and the “bad guys” have surged ahead in the arms race. Way ahead. Many companies believe they have “checked the security box” and are compliant. Others feel overwhelmed and take the “head in the sand” approach. In reality, almost all are extremely exposed.
To address this, a new breed of IT-security-focused startups has emerged, but their solutions are not yet broadly deployed, leaving gaping holes in most corporate networks. Making things worse, we hear time and again from small, mid-sized and even some large organizations that they are understaffed and underfunded with regard to protecting their IT assets.
So what’s the solution? To survive in these times of rapidly changing technology and the vulnerabilities that it inherently creates, organizations must increase spending on security. While it is practically impossible to be 100% secure and extremely expensive to try to get close, the current level of exposure is untenable. Capital has to be allocated to upgrade and replace legacy security systems that may meet out-of-date compliance checklists but don’t provide real security. Training has to be performed to help folks understand that keeping the most sophisticated hackers out may be impossible, so we need to assume they are in and act accordingly. New solutions that protect data via true encryption, whether internal or in the cloud, at rest or in motion, should be prioritized. Rapid breach detection and mitigation is also critical, as the pace of response is often closely correlated to the recovery cost. Evaluate identity management systems that can closely track who has access to what data and what they are doing with it.
There are many new innovative solutions that greatly improve the level of security and how prepared a company is for an attack and potential breach. Company leaders need to recognize the severity of these threats and come to terms with flaws in their existing legacy systems. It’s time to pound the board room table and demand more resources for modern IT security systems.