IT Leadership // Security & Risk Strategy
News
2/18/2016
09:06 AM

Cyber-Security: The Best Plan Of Action To Keep Your Data Safe

Like a perverse iteration of Newton's third law, every clever cyber-attack action is always followed by an equally clever reaction from the organization targeted. Is that enough to keep your data safe?

10 Stupid Moves That Threaten Your Company's Security

The cyber thief develops a new advantage, breaks into an IT system, and swipes data. An enterprise spots the hack too late, figures out how it was done, and changes its defense to stop the hack from happening again. The defense holds until the cyber thief figures out the next work-around.

That is the action/reaction cycle. Like a perverse iteration of Newton's third law, every clever action is followed by an equally clever reaction.

Companies are getting wise to this, adding depth to their cyber-defenses so that they contain breaches rather than merely try to prevent them. Yet there can be no change in strategy without a change in thinking first.

Flu Shot

"The cycle will continue, but that is not the end of the world," said Haiyan Song, senior VP for security markets at Splunk.

Security is not Splunk's first mission. The firm specializes in offering Software-as-a-Service-based big data applications. But in recent years, some Splunk customers have been using the platform for IT security.


All it took was a change of thinking. Big data apps look for patterns that yield insights, such as ideas about how to better sell a product or a service. Why not apply the same pattern-recognition capabilities to gain insight into who has been looking at data they have no business looking at?

"What we need is a mechanism for situational awareness," Song said. Once something is spotted that breaks the pattern of normal usage, the IT manager can respond by containing the threat. Here, Song falls back on biology to provide an analogy. The response would be no different than antibodies fighting an infection.
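The detection idea Song describes, as an added illustration that is not code from the article or from Splunk: build a per-user baseline of which data areas each account normally reads, then score later activity against it. The log format, users, paths and the 07:00-19:00 working-hours window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (timestamp, user, action, resource), used as the "normal" baseline.
BASELINE_LOG = """\
2016-02-01T09:02:11 alice READ /finance/ledger.xlsx
2016-02-01T09:15:40 alice READ /finance/q4-forecast.pptx
2016-02-02T10:01:03 bob READ /eng/design-spec.docx
2016-02-02T10:30:55 bob READ /eng/build-log.txt
2016-02-03T11:12:19 alice READ /finance/ledger.xlsx
2016-02-03T14:45:00 bob READ /eng/design-spec.docx
"""

# Constructed later activity to be scored against that baseline.
NEW_LOG = """\
2016-02-10T09:05:22 alice READ /finance/ledger.xlsx
2016-02-10T23:40:13 bob READ /finance/ledger.xlsx
2016-02-10T23:41:02 bob READ /hr/salaries.csv
2016-02-11T08:12:00 bob READ /eng/build-log.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (timestamp, user, action, resource) tuples from the log text."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def build_baseline(log):
    """Per user, the set of top-level data areas (e.g. 'finance') they normally touch."""
    areas = defaultdict(set)
    for _, user, _, resource in parse(log):
        areas[user].add(resource.split("/")[1])
    return areas

def find_anomalies(baseline, log):
    """Return (user, resource, reason) for reads outside the user's normal areas
    and for reads outside the assumed 07:00-19:00 working-hours window."""
    findings = []
    for ts, user, _, resource in parse(log):
        area = resource.split("/")[1]
        if area not in baseline.get(user, set()):
            findings.append((user, resource, "unfamiliar data area: " + area))
        hour = int(ts[11:13])
        if hour < 7 or hour >= 19:
            findings.append((user, resource, "off-hours access at %02d:00" % hour))
    return findings
```

In a real deployment the baseline would be learned over weeks of logs and the findings routed to an analyst for containment, which is the "antibody" response Song describes.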

(Image: Henrik5000/iStockphoto)

That, in turn, has led to a shift in spending at the company. "Before, the money spent on prevention was four times [greater than] detection. Change the premise. We will never have airtight [defense]. Assume they are inside the system and let's invest in detection."

Looking Inside to Defend Against the Outside

Security is not enough. Vigilance and resilience have to be part of the solution, too. "We need a clearer picture of where the risks are and when we are under attack," said Ed Powers, US leader for Deloitte's cyber risk services.

Deloitte has counseled more than 1,000 clients in the past year about cyber risk. While boards and executives are paying more attention than they once did, and paying more money for security, their perception of the problem has not gotten better, Powers said. What, then, is adding to security risk?

"Over the last 15 years, we systematically connected our economy with the technology to share information, not protect it," said Powers. "It is possible to protect information, but it is costly to do it."

Next, no matter what business you are in, "you have to trust people," Powers said. "People make mistakes." Human errors and complacency create openings for malware to get in. Yet, "you have to continue trusting people," Powers added.

Finally, the connection between the organization and its strategic agenda magnifies cyber risk, Powers noted. "You can't afford to stop doing things," he said. "You are going to increase cyber risk over time." But you can't focus on securing everything.

Cyber-security gets especially tricky when one considers the "insider threat" -- the disgruntled employee who has access to your data. "How do you create a defense in depth and create vigilance without destroying a culture of trust?" Powers said.

At Deloitte, the cyber risk team works hand-in-hand with a human capital team, using behavioral psychologists to figure out what constitutes normal corporate behavior, and what does not. The challenge is to spot those workers who are acting


William Terdoslavich is an experienced writer with a working understanding of business, information technology, airlines, politics, government, and history, having worked at Mobile Computing & Communications, Computer Reseller News, Tour and Travel News, and Computer Systems ...
