
Don’t Be the Enterprise That Falls Behind in Security

10 Sep 2015 by Bob Violino

No organization — large or small — is ever completely without risk from cyberattacks. But global enterprises face an especially daunting set of threats and potential attackers.

For one thing, enterprises employ many people, which raises the likelihood of an intrusion by a current or former employee. Many of those employees use mobile devices to reach corporate networks and data and to carry out business processes, which adds to the complexity of securing information.

Large companies also typically do business with many partners and customers around the world, so at any moment countless online transactions and collaborations are under way. And big companies in industries such as financial services and retail are prime targets for attackers seeking financial gain or personal information about customers and employees.

Many major data breaches in the past few years have come against large, internationally known companies, including Home Depot, Anthem, Sony Pictures Entertainment and Target.

The big cost of enterprise data breaches

These attacks resulted in the theft of millions of records as well as bad publicity and financial repercussions for the companies affected.

And the costs related to data breaches are on the rise. According to the 2015 Cost of Data Breach Study: Global Analysis, by IBM and Ponemon Institute, the average total cost of a data breach for the 350 participating companies worldwide increased 23% over the past two years to $3.79 million.

The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6%, rising from $145 in 2014 to $154 in 2015, the study says. The lowest cost per lost or stolen record is in the transportation industry ($121) and the public sector ($68). The retail industry’s average cost increased from $105 in 2014 to $165 in 2015.

Because the risk to high-value enterprise information is ever changing, it’s essential to constantly monitor the environment and understand who poses a threat, what their motivations are and what methods they prefer, notes Larry Ponemon, chairman and founder of Ponemon Institute.

Lost business is potentially the most severe financial consequence for an organization, Ponemon says. The growing awareness of identity theft and consumers’ concerns about the safety of their personal data following a breach has contributed to the increase in lost business.

On the bright side

The good news for enterprises is that, in most cases, they can afford to make large investments in security technologies and expertise. They can hire full-time Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) to head up their security operations, and they can staff their security programs with the best talent in the market.

The need for a consistent, comprehensive assessment

But, in order to really build a strong security strategy, enterprises need to first conduct a comprehensive assessment of their security posture to determine weaknesses, identify what needs to be protected and from whom, and balance solutions among people, procedures and technology.

Research firm Forrester has developed a maturity model that provides functional explanations and evaluation criteria for all aspects of a complete information security organization.

The Forrester Information Security Maturity Model (October 2014) provides a framework that describes all of the required functions and components of a comprehensive security program. With a three-tiered hierarchy, it also offers a methodology for evaluating the maturity of each component of the framework on a consistent and prescriptive maturity scale. This enables reporting to a level of detail that can be adjusted for various audiences.

As Forrester noted in a January 2015 report, Understand The Business Impact And Cost Of A Breach, “We are in the midst of a golden age of hacking. The information security threat landscape is changing rapidly, and security organizations are struggling to keep up with the changing nature, complexity and scale of attacks. This dynamic landscape will not stabilize as security managers struggle to keep up and develop capabilities for handling new threats. The attacks of 2014 taught us that the threat landscape is rapidly mutating as attackers find ever more devious ways of bypassing security controls.”

It’s important to understand what technology you have and your security requirements, notes Duane Wheeler, senior practice architect, enterprise wireless, security and mobility, at Insight.

“This may seem simple, but as you drill down in scope, technology silos exist, and exploring your business and technology roadmap can become complex,” Wheeler says.

When to partner with a managed security services provider

In some cases, it makes sense for enterprises to hire a managed security services provider (MSP) to help with assessments or with the deployment of security technology and policies. But companies need to take the time and make the effort to find the best possible partner, because the MSP's own weaknesses become the customer's.

“Homework is required, but some basic questions should lay the groundwork in finding the right MSP,” says Ami Kron, director of sales at Insight. “What has the MSP done to ensure a secure environment; what risk assessment exercises have they undergone to identify vulnerabilities; and how often is this done?”

Another question is: can the MSP help meet the compliance requirements that apply to the customer's business model, such as the Payment Card Industry Data Security Standard (PCI DSS 3.0)? PCI DSS is an industry standard maintained by the PCI Security Standards Council for any organization that stores, processes or transmits cardholder data for major credit, debit and other payment cards, so it applies to retailers and to any other company that handles these payment methods.

Also, what is the MSP's remediation plan, and how will it ensure its own business continuity in the event of a breach or incident? “There needs to be a clear outline of what the data loss prevention plan is,” Kron says. And if a company intends to have the MSP provision or manage its workstations and other end-user devices and software, how will those edge devices be protected?

Insight offers security services to help enterprises bolster their security, Wheeler says. One of its technology focus areas, for example, is the Cisco Identity Services Engine (ISE). Its ISE Readiness Assessment covers key technical components: business and technical use case review and development; wired, wireless and VPN architecture review and integration readiness; network architecture review; and gap analysis with remediation planning and execution.
