The front lines of the data security war have shifted. The threat today reaches beyond the traditional security perimeter and deep within the assets at the core of the modern enterprise. The problem is that the measures most companies currently have in place to protect themselves have not kept pace with the growing sophistication and penetration of these threats.
Until recently, most organizations have managed to reliably protect their data with straightforward defences at the edge of the network. Now, however, the proliferation of data attached to enterprises and their customers – due largely to peoples’ use of web-connected devices for so much of their work and personal lives – has bred an increasingly lucrative information black market, which has in turn motivated hackers to target valuable data no matter where it resides in the business.
These highly motivated and specialized individuals have been successful to date, and now form part of a booming layered economy. They continue to find innovative ways to steal and monetize valuable information while meeting little resistance from their targets. In fact, it is estimated that today the black market for data is more profitable than the illegal drug trade .
Businesses cannot afford to remain susceptible to this growing threat. IT decision makers need to step up security to protect their own interests and those of their customers. This will involve extending their security infrastructure to the people, data, and devices that make up their organization. That’s not to say that traditional network defenses such as switches and firewalls are ineffective, but that they have come to represent only one layer in an effective inside-out approach to security.
According to a recent report , only 24 percent of security breaches exploit network security vulnerabilities. More often, 76% of the time in fact, hackers use real credentials to "legitimately" penetrate an organization, flying under the radar as a legitimate user. With many privileged users using weak passwords and sharing them with colleagues in the name of efficiency, this supposedly confidential login information has become relatively easy for hackers to steal.
This reality was brought to the world’s attention in a less than subtle way last year, when JP Morgan experienced the largest data breach of US bank to date due to the simplest of lapses in security. Those responsible for the leak did not have to hack their way into anyone’s personal account, at least not directly; they were able to get their hands on one victim’s login details through phishing attacks and as a result were able to access account information for roughly 83 million household and small businesses.
And yet, businesses that store some of the most valuable forms of data available, from internal financial records to sensitive customer information, continue to devote roughly two-thirds of their security resources to simple network controls at the edge of the network.
Virtually all professionals today rely on Google to source information and use web-based apps to do their work, and as such are exposing themselves – often inadvertently – to malware downloads, cross site scripting, and phishing attacks many times each day. Much like on the internet, where the onus to protect users from these threats lies with the owners of individual websites, it will fall on businesses to shield their apps and data from hackers while providing employees access to the information and resources they need to work most effectively.
A modern data security strategy must therefore start from the inside out, and must include measures around databases, applications, mobiles and tablets, and in fact all the systems where data resides. So what does the ideal secure enterprise look like? In truth, the IT community is still working on it, but there is an ideal. The end game is for every employee, customer, contractor, and casual user that works for or interacts with a business to have their data governed with the same level of control.
Electrabel, a leading energy utility in Belgium, is one organization on its way towards achieving this . The company recently consolidated smart meter access for its millions of customers on one central access management system. With virtually anyone owning a smart thermostat having access to the network, Electrabel knew it needed to address the very real threat of a data breach. The utility moved security higher in the stack to the access control layer and established robust security controls around its mobile and web applications. As a result, while customers and would-be hackers alike can access the network, the latter cannot gain access to customers’ login information and tamper with any legitimate accounts.
What Electrabel did was to reframe the security problem, an example that businesses today should follow by first accepting that both "good guys" and "bad guys" will access their network. Rather than trying to lock the bad ones out, a better approach is to secure everything of value on the network so that criminals can’t gain access to it. For a security-oriented enterprise, there will be no greater victory than knowing that even if hackers do manage to breach their perimeter controls, they will walk away empty-handed.
That’s the direction security is headed in, and where companies will soon find themselves if they rethink their tactics and start building strategic defenses where they’re truly needed.