IT security must continue to evolve in order to survive and thrive. According to a survey by the Technology Association of Iowa’s CISO Roundtable, who reported findings at the 2019 Iowa Tech Summit, the average time CISO’s last in their jobs is only a mere three years. Industry research suggests that the average CISO tenure is only about 24 to 48 months, with many packing their bags even sooner.
Whether the reason for leaving was being highly recruited or taking the fall for the latest data breach, we can all agree, staying in this leadership position is typically short-lived and highly competitive. Often times, what it takes to get into the CISO seat is not all it takes to continue sitting in it.
Information security as we know it is changing, as it always has. Making a commitment to a CISO and as a CISO is crucial to survive. Some of the gradual changes we have seen in information security in the past decade have been instances of bring your own device (BYOD), but the major change really started as the average person began to adopt smart technology around 2007.
As a result of these changes, corporate IT security policies and budgets have and continue to develop. Other major changes to security will continue to happen, so businesses must shift from controlling how employees and customers use hard physical assets like computers and networks, to how they interact with soft organizational assets, like data. Here are some tips on what to expect with the future of IT security and how to not only survive it, but overcome and thrive.
The Future of IT Security
The number of IT systems, cloud services, and connected devices available is always increasing. It is now believed that the number of connected systems in particular will explode in the upcoming years. All of these devices generate large volumes of information called big data, which must be protected in some way.
Not all information collected is equally sensitive from a confidentiality perspective. Although, businesses rely on data being accurate and remaining unaltered. Businesses also rely on their data remaining untraceable and knowing the information is coming from the specified source. So, while not all information is confidential, all data must be protected in order to be useful.
Staying ahead of threats and continually reviewing and updating your business’s security IT practices is imperative to survive the future of IT.
Today, rather than having a single network to secure, most organizations now own and manage a variety of environments, including physical networks, private cloud and virtual SD-WAN environments, multiple cloud environments, an expanding WAN edge, IT/OT convergence, and an increasingly mobile workforce. It is important to know what threats those environments face.
Fortinet recently released a report on the Global Threat Landscape, which predicts IT security threats that we will face.
Ransomware is Becoming more Targeted than Ever
According to the report by Fortinet, their latest data suggests that threat actors continue to move away from unselective ransomware attacks to more targeted and potentially more lucrative campaigns. Multiple targeted attacks were reported in Q1 2019.
Like most other ransomware, the main goal is to encrypt as many files as possible on the victim’s system. It then does a pretty thorough job of preventing file restoration by overwriting volume shadow copies a total of 10 times in quick succession.
Fortinet’s takeaway was that ransomware attacks continue to decline in number, but remain a powerful threat to enterprise security. Patching and backups continue to be no-brainers against commodity ransomware, but more tailored and targeted threats require more tailored and targeted defenses.
Attackers Target Content Management Systems
Social media continues to boom, driving the need to make the creation of social-savvy websites easy for the masses. Content management systems (CMS) like WordPress, and various development frameworks like ThinkPHP have sprung up to meet that demand. Cyber hackers have, in turn, taken advantage of what has become a regular drumbeat of vulnerabilities affecting these tools.
Proof-of-concept code for this particular ThinkPHP exploit was released in December 2018, and attacks started almost immediately thereafter.
Fortinet’s takeaway is that ThinkPHP’s rise in popularity is yet another example of attackers swarming to take advantage of even lesser-known technologies to accomplish their goals on a global scale. It is good to remember that we set ourselves up to become exposed when we do not collectively practice sound security practices for the greater good.
Security Changes That Can Help
Changes to the look and feel of security programs are needed to help survive these emerging threats. As we prepare to face the future threat landscape, it is extremely important that security professionals familiarize themselves with these security changes.
As we prepare to face 2019’s threat landscape, I think it is extremely important that security professionals familiarize themselves with the following four security best practices in particular.
They also need to be aware of the key challenges facing their specific industry, as well as, the best way for organizations to successfully implement those practices.
1. Protect the Operating Systems and all Devices Connecting to the Network
One best practice for protecting your operating systems, regardless of what type of units they are, is a corporate antivirus solution that is setup for a forced install on every system. Your organization can force the system to install and update every time someone logins in or every time it connects to the network.
This is important for remote access users and bring your own device (BYOD), as you have no control over what network they are connected to, or what they bring into the company. This can be a visible reminder to your users that the Information Technology department is working to protect the company.
2. Find a Colocation Facility Equipped with World-Class Security
Security, compliance, redundancy, and connectivity have become the critical criteria for evaluating data center colocation facilities. Investing in a colocation partner will ensure that your critical infrastructure is protected by the strongest physical security features available.
Some security features to look for in a colocation provider include:
- Our data centers use multiple power entries in ring configuration, uninterrupted power supplies, and onsite diesel-powered generators
- Redundant cooling systems are implemented and monitored in each of our data center facilities
- All facilities are accessed and controlled 24/7/365 by closed-circuit TV, dual door man-trap entrance, pass card security, and biometric access points
- All of the LightEdge data center facilities and equipment are monitored by expert Network Operations Center (NOC) staff 24/7/365
- We use redundant power and cooling, geographically diverse central offices, and multiple data network carrier access
- We use best-in-class networking equipment and have partnered with top providers to ensure the utmost in data center connectivity
3. Invest in People and Policies
Many security professionals think that the best way to effectively mitigate digital security challenges is to decrease reliance on people by employing machine learning or other forms of AI. Doing so would put their organization at a serious disadvantage. Organizations must pay attention to the people, processes, and technology to have a well-rounded digital security program.
Start by reviewing your current employee training plan. There are two levels of training that any good plan should encompass. The first is general training, aimed at all employees or business associates with system access. General training should include basics like how to identify and avoid phishing attempts and forms of social engineering, what to do when the employees think they may have been targeted, and what the impact of a data breach will be.
The second level of training is group-specific training, which targets specific areas of responsibility. You must implement this higher-level training. IT administrators have different concerns than developers, but they are closer to each other than your average user with ID and password who only can access or change data.
Your HR department or your internal trainers can manage a comprehensive training plan. If your business does not have internal training, there are several security training companies that provide comprehensive services tailored to fit different needs. LightEdge recommends one that not only educates, but tests to ensure employee understanding of the material and concepts covered and generates reports to ensure the impact of your training dollars.
No matter how you approach it, training is an essential part of the compliance and security process. The stakes are very high if you cannot document the fact that your employees have received appropriate training as part of your organization’s compliance efforts. Awareness is the key to making sure your employees have some defense against external attacks that lead to breaches.
4. Work with Vendors Who Prioritize Security
Third-party vendors that do not prioritize security practices can put your organization at risk. When outsourcing any service, get a full security background check on their practices to ensure they align with yours.
Retail giant Target had to pay an $18.5 million multistate settlement, the largest ever for a data breach during its time, to resolve state investigations of the 2013 cyber attack that affected more than 41 million of the company’s customer payment card accounts.
The states’ investigation of the breach determined that cyberattackers gained access to Target’s computer gateway served through credentials stolen from a third-party vendor in November of 2013.
“Companies across sectors should be taking their data security policies and procedures seriously. Not doing so, potentially exposes sensitive client and consumer information to hackers,” said a statement issued by Connecticut Attorney General George Jepsen, who led the investigation along with Illinois counterpart Lisa Madigan.
Other breaches that occurred as a result of vendors lacking secure practices includes Universal Music Group, Applebee’s, Best Buy, Sears, and Delta. A Universal Music Group vendor left data exposed when they failed to protect an Apache Airflow server. Everything in UMG’s cloud data storage, provided by a contractor, was exposed to the open internet.
LightEdge Understand the Future of IT Security
As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite. Our customized and scalable services give you the control, whether you need a colocation rack, cage, or custom suite now or in the future.
LightEdge’s highly trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
From a dedicated physical infrastructure to a virtual delivery model, we’ve got the compliant cloud and hosting solution for your organization. Retain the level of control you want, and the amount of data isolation you require.
With geographically dispersed facilities across all of the US power grids, our data centers are the heart of our operation and yours. We have a wide range of colocation and disaster recovery solutions delivering advanced shared infrastructure designed to enable operational and financial efficiency, reducing the burden on your IT staff.
Our LightEdge facilities are more advanced than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.
Customers turn to LightEdge to reduce risk of non-compliance, scale security, and for the predictably and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps to focus resources on agility and differentiation. Are you curious how your current provider stacks up? Our security experts will provide a free security assessment to see how you measure up against the latest compliance and security standards. No risk, no commitment. Contact us today to get your free security assessment.
- 7 Steps For Ensuring HIPAA Compliance For Your Business
- What Is Disaster Recovery As A Service (DRaaS)?
- How To Determine If Your Business Is PCI Compliant
- Seven Common E-Commerce PCI Compliance Myths Explained
- What is Bare Metal Cloud?
- What All Healthcare Companies Need To Know About HIPAA Compliance
- PCI DSS Cloud Compliance: Your Guide to a Smooth Cloud Migration
- 6 Best Practices for Data Security in the Cloud Infographic
- Why the Cloud is Safer the CIOs Believe: 6 Best Practices for Data Security
- The Best of Both Worlds: Colocation and PCI DSS Compliance
- Ultimate Guide to a Highly Compliant Cloud Environment