2015 was an eventful year for cyber security. Major vulnerabilities, including Superfish, "No iOS Zone" and CVE-2015-2502 made waves in the infosec community, as did a variety of criminal collectives – including Lizard Squad, Phantom Squad and DD4BC – that use distributed denial-of-service (DDoS) attack campaigns to get what they want. Let's also not forget the substantial data breaches that once again rocked everything from niche businesses to governmental institutions, such as the Office of Personnel Management; telecommunications providers, including TalkTalk and Optus; and producers of children's toys like VTech. The impact of these security incidents cannot be overestimated. Unfortunately, we can expect to see other events like them hit the headlines next year.
"Breaches are not going away any time soon," said Tim Erlin, director of IT security and risk strategy for Tripwire. "We have seen massive changes in the breach landscape over the last year, and chief information security officers should anticipate escalating threats in 2016."
"There's zero chance we'll escape the next year without significant compromises. Every organization needs to step up their cybersecurity programs. You won't be able to improve your security posture without significant effort, and doing nothing doesn't count as preparedness," he added.

Erlin's comments agree with the findings of a number of studies, including the first ever Verizon Protected Health Information (PHI) Data Breach Report. This 2015 analysis found that by introducing encryption and access controls on laptops and mobile devices, creating training programs that discourage insider threats, and developing error-reporting mechanisms for all employees, organizations that handle PHI could at least partially protect themselves against 85 percent of the most common types of security threats confronting them.

Clearly, a little effort can go a long way when it comes to security, and as Erlin rightly points out, a new year brings new opportunities for improvement. He therefore recommends CISOs make the following security resolutions in 2016:

1. Build a comprehensive breach response plan before you need it. If you don't have a well-established, well-socialized plan for what to do after a breach is discovered, now is the time to develop one.

2. If you already have a breach plan, now is the time to test it. Run a simulation or use another methodology to test and review that plan. This is especially valuable if the breach response plan is old enough to need a revision.

3. Take your general counsel to lunch and talk about breach preparedness. When a breach occurs, the legal team needs to be ready to help out and be on your side. Set a date to either get the conversation started or keep the current one going.

4. Resolutions often slide, but in 2016 stick to them and get ahead of compliance. Policy and regulatory compliance aren't exciting, but they can be costly and painful if neglected.
"It's imperative that CISOs start thinking about the cost of doing business securely," noted Chris Conacher, security analyst for Tripwire. "This includes tool costs and training the right people, as well as the cost of adding the appropriate checks and balances to existing business processes. 2016 needs to be the year where security becomes a fully integrated business process, not just an afterthought."
To learn more about how chief information security officers can make security a priority in the New Year, please refer to our "Voice of the CISO" series, which includes the thoughts of Amar Singh, Thom Langford, Brian Engle and Robb Reck.