Where Did You Make Security Investments in 2014? How Are They Working?
Author: Fred Kost

Along with companies like Sony, Target, and Home Depot, you probably made security investments in 2014 that may not be working as well as you’d like. Analysts’ estimates put security investments for 2014 in the range of $71 billion, increasing in 2015 to $77 billion (Gartner Press Release, August 22, 2014). This amount reflects the costs of products and solutions, not the cleanup, penalties, and recovery that are required after a security breach. 2014 was a big year for breach recovery with significant outlays. Target has stated that its cost after insurance would hit $146 million.

Beyond Target, retail was also hit hard with a major breach at Home Depot. In total, twenty major U.S. retailers were breached in 2014; not all made the headlines, but all were forced to respond and incur recovery costs. Financial services did not escape the breaches of 2014, with a major attack on JP Morgan Chase that exposed data for 76 million households and 7 million small businesses. Government was also part of the cyber attacks of 2014, with about 12% of attacks targeting government.

And 2014 is coming to a close with a major attack on entertainment and media that has had significant business ramifications, which continue to evolve after the initial breach. If there were an academy award for the most vicious and far-reaching attack of the year, the attack on Sony would certainly be a strong nominee to win.

But all of these attacks did not succeed because the organizations failed to deploy security devices and security software in their networks. The attacks did not succeed because their employees had zero awareness of good security practices. The attacks did not succeed because organizations were caught by surprise that large-scale attacks could occur.
It is more likely that these attacks succeeded because the organizations did not fully understand the risk, nor take steps to remove as much risk as they could from their networks.

Many organizations have successfully completed and passed an audit for PCI DSS or a particular regulatory compliance requirement that their industry must meet. The question they could not answer is “What have you done to assess your network’s security resilience and its contribution to risk reduction?” Perhaps organizations don’t yet understand security resilience and its role in risk reduction and strengthening security defenses. The short answer is that, like metals that have resilience and can recover when bent or deformed, with security resilience an organization’s network security will perform under extreme and sometimes unexpected conditions, such as those an attacker may use to breach the network. Security resilience can be built into the network and tested to reduce risk and become more resilient to attack attempts.

The Sony breach would very likely take any security breach “academy award” for 2014, but making security investments to build in and assess network security resilience is a great idea for 2015 security resolutions.