This content is part of a program managed by the Economist Intelligence Unit, sponsored by Accenture and Pegasystems. “Digital Evolution: Adapting Business for a Digital World” aims to shed light on the world of digital business—the strategic imperatives, challenges, complexities and pitfalls. All “Digital Evolution” content can be found here.
At first, U.S. officials publicly acknowledged that the personal data of 4.2 million current, former and prospective federal employees had been affected by a cyber attack at the Office of Personnel Management (OPM). Weeks later, the estimate grew more than four times to 18 million. Then it climbed again to 21.5 million. As data breaches go, the OPM may not be the biggest, but it is shining a light on how ubiquitous cybercrime has become. In fact, cybersecurity intrusions have become so common in recent years that some experts believe the emphasis should shift from prevention to detection. In other words, accept the fact that a data breach is inevitable—and has probably already occurred.
As businesses race to adapt to new digital strategies, they are creating cracks and flaws in their cyber setup, thus providing a prime opportunity for cybercriminals. This proved true in the OPM breach. Many of the changes recommended for the security of these records were hard to execute and manage and negatively impacted the user experience, notes Kim Singletary, Director of Product Marketing for Cloud at Pegasystems. Companies are embracing change, becoming agile, but they do not yet have a culture or reward system for ensuring collective success. Breaches result from targeted attacks, but are also enabled by change management issues and complicated systems integrations. Legacy systems and lingering technical debt also contribute to giving cybercriminals an opening.
Getting smarter than the bad guys
A more holistic approach to security, risk and change can help seal the cracks. Rather than implementing changes in silos—by business units, for instance—consider a continual review across all platforms, services and infrastructure. Invest in identifying where security risks occur throughout the organization, what business decisions and changes increase the possibility of incurring security risks and have plans for mitigating the scope of exposure. For instance, companies can use a big data approach to manage security logs and artifacts to identify long-tail intrusions after they occur—and remediate and learn from incidents. Up-front collaboration can also help. By sharing the facts of hacking incidents across industries and countries, companies can benefit from one another’s experience and learning.
Many organizations are now creating a new executive position: Chief Digital Officer (CDO). While these CDOs drive new designs for business, they also need to ensure that current and future changes continue to integrate security and delivery, notes Singletary. They must assure that the company culture evolves to integrate the realization that security considerations must be a part of digital transformation. These executives focus on how the business can expand and leverage social media; how technologies are fundamentally reshaping the way consumers behave; and how digital solutions can lead to greater efficiencies. But CDOs also must understand the risks and steer the course of change for short- and long-term effectiveness that minimizes risk in general and, specifically, exposure to security breaches.
As cybercrime continues to grow in profitability—now more lucrative than the drug trade by some estimates—companies must deploy more powerful security tools and put more stringent processes in place. Advances in machine learning, modeling and profiling are helping to some degree. “They’re getting better all the time,” Avivah Litan, an analyst with Gartner, says of detection systems. “I do have success stories with some of the more advanced detection systems. They are working.” Gartner predicts that by 2018, at least 25 percent of self-discovered enterprise breaches will be found via user behavior analytics, which, as in the credit card industry, flags anomalous and suspicious behavior within the system.
Therefore, switching the emphasis from prevention to breach detection is gaining new traction. “It’s something that has been accepted in theory by every security professional for some time,” says Anton Chuvakin, another Gartner analyst. “But, in practice, it’s been neglected. Companies have been trying to prevent attacks and then trying harder and failing harder.”
According to one Mandiant report, many companies have a poor track record in breach detection—only 31 percent of breaches were self-discovered in 2014, with the average breach taking 205 days to come to light.
“That’s the most concerning thing to me about security environments today,” says John Igoe, VP of Cloud Operations, Security and Technology for Pegasystems. “Most companies only catch a small percentage of breach situations or viruses,” he says. “It's the ones you don’t know about that present the greatest risk. Those are the sleeping dogs and once those dogs wake, they can really damage a business.”
Breach detection, however, has its limitations. In some of the headline-grabbing attacks in recent years, Chuvakin says the companies had ample warnings, but they were lost in a sea of sirens. “If you have 10,000 alerts about viruses, there’s actually a good chance that you have 10,000 viruses,” he says. But how do you determine the danger and threat of each?
While tools are getting better at surfacing only the most dire breaches, Chuvakin says human intervention is still required. With such systems, he says, a 90 percent false alarm rate is acceptable if you’re only getting 10 alerts a day. “If there are few alerts and the legitimate alerts are so valuable, then sometimes you have to accept the false positives.”
This is the reason that sound security approaches have to encompass tools and people, says Singletary. Although the C-suite is much more attentive to security issues, baking security into the overall strategy can still be tough to sell because it’s an additional outlay without a clear ROI, she says. “The technology absolutely is there, but it’s hard to get that investment, because it’s a risk mitigation effort and does not directly contribute to the bottom line or financial success of the company.”
A paradigm shift
Part of the issue with security in general is that many organizations haven’t educated all of their employees that in our digitally connected world everyone plays a role in providing security, Singletary says. One employee opening a single email can put an entire organization at risk, she notes. “There is a blur of responsibility from development and IT operations as there is a greater focus on agility, iteration and progress. But what seems to be missing from the conversation about digital transformation is the continued security assessment or security by design in the process,” she says. “Organizations have to share the data security responsibility across all functions to provide insight into how to minimize potential exposure and breach risks.”
This is a cultural problem, points out Singletary. It’s a cultural problem within individual companies, but also across industries as a whole. The vast number of industry-specific security standards and local, state and government privacy and breach notification requirements are actually harming the consumer and organizations. None of these help bring together those who are fighting the cyber war front line. “The reality is there’s not a single consistent way that organizations can say or note without penalty that they’ve had a breach,” says Singletary. “The technology still needs to mature, but the public and the financial community need to be educated and accept that the only way to reduce our collective digital risk is to be willing to openly share and discuss breaches of all sizes, scope and exposure.
“Until there is more collaboration, it’s going to continue to be a very closed-door, dirty-laundry affair,” says Singletary.
Ultimately, cybercrime risk mitigation and mishaps have to be included and disclosed like many other business risks for public companies where investments, changes in business and missed expectations are openly disclosed. “This will just be table stakes for the future of digital business,” says Singletary.
When rethinking a cyber-defense strategy, Singletary recommends that companies consider the following:
- Design security into all business processes. Start with a clear understanding of what data are needed, how they are being used and make decisions based on risk and the security needed for the data in question. “Today’s digital landscape allows for security decisions in application design, life-cycle data management and setting data owner responsibilities—in addition to utilizing best security tools and practices,” says Singletary.
- Implement a continuous education program for employees around data security. “We have a workforce now that assumes technology is good, mobile communication is their birthright and they readily share with social media,” says Singletary. Companies have to reinforce the value of data and intellectual property—and that protecting these assets is key to the future prosperity of the business.
- Be sure to address how changes in code, tools, integrations, use and ecosystems may open opportunities to cyber criminals. Assessment of risk and security has to be continuous. As competitive pressures place a greater emphasis on agility and iteration, companies must ensure that they do not compromise the business in the rush.