If you spend your life chasing the security “threat of the day,” you’re missing the point of solid IT security, warns Ian Trump. Instead, work out how to create a resilient business.
I get this question a lot: “What do businesses need to know about the latest security trends?” I work primarily with small and medium businesses (SMBs) and the IT providers that service them, so I’m going to channel my inner Jedi Knight and suggest: “These are not the trends you are looking for.”
Can the US Federal Emergency Management Agency (FEMA), which deals with disasters, give us an answer about what to focus on? I think it can.
FEMA suggests natural disasters and terrorism do not respect geographic boundaries; I would suggest cyber crime does not either. So, how does FEMA’s all-hazards approach answer the question about the latest security trends?
In short, FEMA admits disasters happen, bad guys win, and this is something businesses should be prepared for. Businesses need to understand that it’s not a matter of “if” a data breach will occur, it’s a matter of “when.”
Furthermore, FEMA admits it can’t prevent disasters – no one can – so no matter how sophisticated your business’ security is, preparing for disaster is essential. Businesses need to work to minimize the effects of disasters through the adoption of technologies that provide business resiliency.
This is the number-one trend businesses need to understand today, and moving forward in 2016.
Put succinctly: prepare to meet the bad guys inside your network; accept they will get into your network; and accept the damage that will happen. Focus your resources on ensuring that you can recover business operations – quickly and efficiently.
PwC and the UK government recently completed a survey of UK businesses that offers disturbing reading. Here are some of the key highlights from that report:
- 74% of small and medium-sized businesses reported they had suffered a data breach
- For small and medium-sized businesses, the average cost of the worst breach is between £75,000 and £310,800
- Attacks from outsiders have become a greater threat for both small and large businesses
- 30% of small businesses suffered staff-related breaches
Given this bleak outlook, here is one security trend you should definitely avoid: vendor-instilled fear, uncertainty and doubt. There is no magic solution to avoiding a data breach; there is only survival. I maintain that for SMBs, a data breach can be an extinction-level event.
According to a recent global survey by Gemalto, nearly two-thirds (64%) of consumers surveyed worldwide said they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen.
On top of this, almost half (49%) had the same opinion when it came to data breaches where personal information was stolen.
I think the biggest point I am trying to make is this: focusing on one current trend, such as “ransomware” defenses (which is very much the fashionable option right now), misses the larger point of being a resilient business. It should not matter if the disaster is cyber-related or physical; your business needs an all-hazards approach to survival.
So, rather than speak to security trends, I will dispense some advice to business: prepare to be breached, focus on incident response and robust backups. If you are breached, have a lawyer and PR agency on speed-dial.
Oh, and one last thing about business security trends, especially for our American readers – there is a new street cop when it comes to cyber security enforcement: the Federal Trade Commission.
According to its own website, the FTC “promotes data security in the private sector through civil law enforcement; education; policy initiatives; and recommendations to Congress to enact legislation in this area.”
In the US, the FTC recently won judgments against ASUS, Wyndham and others for taking a cavalier attitude towards customer data security and ordered 20 years of compliance audits for both companies. Pray you don’t end up in their sights, as a ransomware outbreak may be far less painful than 20 years of audits.
About the Author: Ian Trump, CD, CEH, CPM, BA is an ITIL certified Information Technology (IT) consultant with 20 years of experience in IT security and information technology. Ian’s broad experience on security integration projects, facilitating technological change and promoting security best practices has been embraced and endorsed by his industry peers. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. Currently, Ian is the Security Lead at LogicNow, working across all lines of business to define, create and execute security solutions to promote a safe, secure Internet for Small & Medium Business world-wide.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.