/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow Us/ciol/media/post_banners/wp-content/uploads/2014/11/Bryce-Boland.jpg)
Bryce Boland
As companies plan for 2015, it is an ideal time to look back at lessons learned in cyber security during 2014. This was a watershed year in our industry: organizations and consumers learned first-hand – over and over – that no one is exempt from attackers intent on stealing data.
While there are plenty of important lessons to be learned, I’d like to share my top five list with you:
1. Cyber security is now a public issue
In cyber security, 2014 will be remembered as the Year of the Data Breach. Not only were there many breaches, they made the headlines, cost businesses billions of dollars, and we started seeing Boards of Directors being held responsible for the business impacts. In December last year, Target was breached with over 110 million customer’s records stolen, and during the year we saw high profile breaches at numerous businesses – Snapchat, KB (Korean credit card agency), Orange, KT (Korea Telecom), eBay, Community Health Systems, Google, Home Depot, JP Morgan Chase, the list goes on and on. As I write this, Sony Entertainment has experienced a huge breach that has not only exposed records but also resulted in their business being seriously hampered by the attacks. In India, malware compromised computers launch more DDOS attacks than any other country, and Indian consumers have the 4th highest level of mobile malware in the world.
2. The offensive cyber security theater is expanding
No one was safe in 2014. From small businesses to traditionally secure financial institutions and government organizations around the world, sophisticated and well-funded attackers breached even the most secure organizations. In some ways it’s to be expected, as more commerce and business operations move online, more sophisticated attack groups will chase the opportunity to hack them for financial gain. Meanwhile, the geopolitical environment is impacting the threat landscape, as China-based attack groups continued to play a major role in hacking private, public and government business and personnel with the explicit goal of obtaining sensitive IP and financial information. We also saw well-funded attack groups in Eastern Europe and Russia step up their assault on financial and geopolitical targets around the world. The theater of global cyber attacks is expanding and more resources are being poured into offensive operations around the world.
3. Information is more valuable than money
Hackers still seek financial information but increasingly are attempting to steal patents and company intelligence. Entire businesses are built around a single piece of intellectual property without which they would cease to operate, and protecting that data is crucial. Companies need to reduce their alert-to-fix time to keep their business intact. Hackers based in Russia caused international damage with high-profile attacks on NATO and 420,000 other sites, leading to a collection of 1.2B stolen credentials. Meanwhile hackers based in China targeted pro-democracy websites, leaders and reporters, as well as businesses across the world. This year underscored that – to an attacker – money is good but information is priceless.
4. Everyone has a role
As CEOs plan for 2015, business operations and IT budgets need more dollars allocated to security – and not just for technology. Without C-suite buy-in, employees won’t take these risks seriously – leading to careless mistakes that can cause massive breaches and even bigger headaches. In this era of spear phishing and social engineering, one click invites hackers directly into a network. Employee education programs reduce risks, teaching workers to become more savvy about identifying malicious emails and social engineering. Companies must also understand the risk and invest in the solutions that protect the weak points. From monitoring threats to finding alerts and responding aggressively, security teams have a tall order to keep networks safe. Since tight budgets don’t allow for blanket security investments, CIOs need to carefully manage their defense solutions by choosing solutions that align with their teams’ skills and risk tolerance.
5. Traditional approaches aren’t enough
2014 demonstrated there is no silver bullet when it comes to protecting against threat actors and because of this, cyber security needs to modernize from just protecting the perimeter of a network to focusing on detecting malicious activity and quickly fixing the vulnerability. As cyber attacks shift toward data and destruction rather than just intrusion and theft, businesses need to develop a nimble response to on-going risks. The success with which companies combine advanced technology, expertise and threat intelligence will define whether 2015 sets up as the Year of Detection or the Year of Destruction.
The days of cyber security being the accountability of the IT department is truly over. It is a fiduciary responsibility to ensure your business is adequately protected from cyber threats that can destroy your business’ value in the blink of an eye. Boards need to make cyber security an agenda item before it becomes the agenda in 2015.
The author is chief technology officer, Asia Pacific, FireEye