Improvements in security education, budgets, tools, and methods will help our industry avoid more costly and dangerous attacks and data breaches in the future.
The bad guys are winning. Numerous companies have been in the news recently because they failed to rebuff information security attacks. Target lost its customers’ credit and debit card data. Adobe lost its customers’ credit card information, along with IDs and passwords. EBay lost its customers’ personal information, including email addresses and physical addresses.
These breaches have caused disquiet in the minds of consumers and cost the companies themselves millions of dollars’ worth of bad publicity and damage to their brands, not to mention the costs of mitigation and restoration. And the breaches we know about could just be a fraction of the incidents. Companies have to disclose breaches of consumer data, but not the theft of their own internal information.
As long as there is valuable personal information at risk, hackers will try to access it, whether the goal is the immediate use of stolen financial data, the long con of identity theft, or just causing pain to companies and their consumers.
Unfortunately, there is a growing skills gap between those out to do harm and the average defender. Until the information security workforce catches up, we will continue to see the increasing success of sophisticated attacks. However, there are important steps the information security industry can take to slow and even reverse this trend. Here are four key areas to get you started:
Everything starts and ends with education
Education and research need to be improved at the college and university level to improve the skills of future information security professionals and to grow the number of individuals qualified to enter the workforce. Once those security professionals — the front line against malicious attacks — have been hired, employers need to invest in their continuing education and training in order to stay ahead of ever-changing security threats. Only such educated individuals will be able to predict the next wave of vulnerabilities and attacks, and design ways to combat them before they develop into a crisis.
Be smart about spending
It is crucial to make the most of our limited security budgets. With more and more critical data touching the Internet, increasingly well-funded cyber criminals have their choice of targets. High-profile companies are always going to be attacked, but small-and medium-sized businesses are now being targeted as low-hanging fruit. Though the rewards might be smaller, there’s a high probability of success and a low probability of being caught.
As an industry, we need to focus whatever security budget is available on the most likely threats. Though all companies must be aware of common threats like APTs and DDoS attacks, one of the biggest threats to us all is the under-educated employee. Whether it’s an executive who falls prey to social engineering or an IT guru who chooses not to use the best network configuration techniques, we often open ourselves up to preventable attacks.
Involve application developers
Increased security has a reputation for hindering an application’s usability, and as time and budget constraints work against the developers, security requirements get squeezed out of software development. There is a massive difference in building a computer application and building a secure computer application, though. Despite the immediate price tag, building security into an application up front is rarely more expensive than trying to make adjustments once the application is built, or cleaning up the mess once a vulnerability is exploited.
Get management to buy in
Even when the security pros are aware of what needs to be done, they can have trouble convincing management to allocate the resources to do it. We need to improve our ability to make a business case for better tools and better training. If you can’t talk “dollars and sense” to your CFO or budget analyst and navigate office politics, you won’t get anywhere. Part of improving education is improving a security professional’s awareness of not just the theoretical importance of security, but security’s return on investment. When you can show executives specifically how security can save the business money, or even save their jobs, you are now speaking their language.
The very public breaches of the past year have caused a lot of damage to companies and individuals, but perhaps they have been a blessing in disguise. If these cyberattacks serve as a wake-up call to the security industry and the businesses we support, precipitating an improvement in our education, budgets, tools, and methods, then we may be able to avoid even costlier and more dangerous breaches down the road. Lost passwords and credit card data will be the least of our concerns if cyberattacks become the weapon of choice in nation-state attacks or ultimately damage the country’s critical infrastructure.
W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)2, the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior for over five years. Mr. Tipton can be reached at[email protected].