A recent Gartner survey of almost 3,000 CIOs across 84 countries produced a list of the top 10 priorities for CIOs in 2016. Security came in at number 7. At first glance this seems a little strange, since IT security isn’t exactly a new thing, but the IT landscape changed dramatically in 2015, and those changes will only continue in the future.
Cloud computing, the Internet of Things (IoT), and Big Data are all seeing dramatically increased use, presenting an exponential increase in possible cyberattack access points. Additionally, high profile attacks on businesses like Target and Home Depot showed just how vulnerable these data systems are.
In this post, we’ll look at some of the threats CIOs face in 2016, and strategic tactics that can counter them.
IT Threats in 2016
Multiple Access Points
Gone are the days when internal communication, discussions, and document sharing would only happen on a controlled network. Modern businesses run over a variety of publicly available systems, including managed email, Microsoft Sharepoint, Google Hangouts, Dropbox, social networks, iMessages, and more. If you stopped and looked at your communication avenues right now, we’re willing to bet that you could use at least 5 different sites to reach your colleagues.
Every single one of those avenues could be a point of attack, especially when you consider how many passwords we have stored on our devices. At this point, trying to clamp down on all of these would actually harm the company’s efficiency. All a CIO can do is build a strategy that includes countering these inherent risks.
2015 is seen by many as the year when cloud computing matured enough to be a go-to platform for enterprise applications. The increased efficiency and productivity that can come from cloud-based applications is phenomenal, but it’s not without risk. The first layer of risk is on the user level. By its very nature, cloud computing involves a large number of access points through a wide variety of protocols, instantly increasing the number of possible attack points.
The inner layer of risk is with the data servers themselves. Most cloud computing services involve shared server setups. An attacker can gain access to the server through another user with less secure protocols, then use that access to mount an attack on your data.
Organized Cyber Crime Rings
If attacks like this seem extremely strategic and organized, that’s because most modern cyberattacks are. In fact, 80% of modern cyberattacks are done by organized crime rings. Entire “crime models” have been built around accessing the valuable data found in corporate networks, including personal identification information, passwords, user IDs, intellectual property, payment information, and more.
A black market for this information is alive and flourishing, giving successful crime rings the capital they need to keep up attacks. These crime rings have the patience, resources, and skill needed to take down some hefty security.
Mobile App Security
The use of mobile apps is growing quickly, both externally and internally. Unfortunately, while companies are finding more and more uses for apps, their security measures simply aren’t keeping up. Almost 40% of large companies, many of them in the Fortune 500, aren’t taking enough precautions on apps meant for their customers. Even worse, 50% of these organizations didn’t devote a single dime of their budgets towards mobile app security.
With 80% of internet users owning smartphones, mobile apps are becoming more and more of a target every day. CIOs need to ensure that their security strategy includes keeping mobile apps and their data secure.
IT Security Tactics in 2016
Build a Security-Minded Corporate Culture
It’s easy for employees, contractors, and executives to get a little lax about security. After all, the whole point of an IT department is to take care of security and IT issues so the rest of the company can get on with their jobs. As a result, many workers don’t look at security as anything more than a few more annoying steps whenever they want to access something.
Change all of that by bringing them into the loop. Webinars, memos, meetings, or IT briefings can let everyone else in the organization know what’s at stake. When done correctly, it can empower employees to take an active role in security. The key is to find the right balance. You don’t want to terrify them and make them paranoid, but you also don’t want to use such specialized IT knowledge that they won’t know what to do. Start with a strategy that includes roles for all of your security assets, including the employees, then use that to formulate specific instructions that they can follow to keep the network safe.
Build Security into Your System
Adding security measures later on makes it easy for vulnerabilities to slip between the cracks. Waiting will also dramatically increase the cost of the security implementation, often multiplying the price by 10-100x. Even with a generous security budget, that spend could be used to greater effect if the security measures were built into the system from the beginning.
That means making security a top priority during the initial planning and strategy sessions. Security measures, monitoring, and programming should be built into the software so you can be absolutely sure that every possible hole is plugged. This becomes particularly critical when implementing tools like SharePoint that help organizations store and share intellectual security.
Built-in security also means building it into your system as a whole. One simple way to do this is with standardized and specified network settings to ensure that every workstation is secure. Another way is to replace legacy software instead of integrating it. Legacy software integration can leave security holes, and cyber attackers have learned to recognize these as a way into modern systems.
Build Responsive Systems
You can’t be everywhere at once, so integrate security measures that will always be there and always be protecting your network.
Any automatic or responsive measure is only as good as its foundation, so make sure that you integrate several passive best practices first. For example, restricting network access to specific ports and protocols will make it easier for software to monitor access points for malicious code. Taking measures to separate your data on the cloud will prevent issues with shared server space. A data inventory can help you find crucial business data so you can restrict that data to completely different storage locations from other, more regularly-accessed information. Once you have a solid base for your monitoring systems, you can work on building the responsive elements.
It’s not just enough for you to build a system that has strong security. You also need to have a strategy in place for what actions are taken when a breach occurs. Tactics like information silos will help limit the damage, while responsive measures can help shut down avenues to isolate malicious code before it does too much damage.
Build Your Strategy with Security Specialists
Don’t be afraid to reach outside of your organization, and don’t hesitate to bring in outside vendors early in the process. The security experts at AAJ Technologies can provide valuable insight that’s crucial to your security strategy. As discussed earlier, security measures that are built-in from the beginning will give you more security and lower implementation costs. So the earlier that you involve our specialists in the strategy and planning stage, the better results you’re going to get.
Want to find out how your networks can stand up to the threats of 2016? Schedule a free 2016 Strategy Session!