In the face of increasing cyber attacks, information security suppliers and information security professionals are being urged to rethink their approach to IT security.
Despite the rising costs of cyber attacks, security experts have routinely underlined the fact that many businesses are still not understanding the risks and are still not getting the basics right.
Some commentators believe that only the fall of a global firm will shake up cyber security, while others have predicted a major cyber attack in the next five years.
Some reports have suggested that UK firms are still not on top of cyber attacks, that many firms are not getting to grips with third-party security risks, and are not keeping up with new attack methods.
Throughout 2015, there has been a growing emphasis on the fact cyber attacks are increasingly a threat to the global economy and that security is as much a business issue as it is an IT issue.
2015 has seen a renewed emphasis on aligning IT security with the business, and on the need for IT security to be a driver of business innovation and growth.
In terms of strategy, information security professionals are being urged to assume that their organisations will be breached and to focus on breach detection and business resilience.
But as most companies lack the required resources, some commentators predict widespread adoption of managed security services.
In addition to ensuring security basics have been done properly, information security professionals are also being encouraged to adopt emerging security technologies, and to pay attention to risks introduced by the internet of things, web applications, insiders, suppliers, and third parties.
Behavioural analytics is one of the key emerging technologies that saw significant investment and product announcements in 2015, while cyber insurance policy requirements and European data protection and cyber security rules are expected to have a significant impact on the way companies handle data.
Here are Computer Weekly’s top 10 IT security stories:
1. UK companies still not on top of cyber attacks, says PwC report
UK companies are not yet on top of cyber security incidents or their causes, according to PwC’s Global State of Information Security Survey 2016.
Nearly 10% of UK companies do not know how many cyber security attacks they had in the past year and 14% do not know how they happened, the survey shows.
2. RSA undergoing aggressive transformation, says Amit Yoran
RSA, the security division of EMC, is undergoing an “aggressive” transformation process, according to company president Amit Yoran. Just three months into the job, he told RSA Conference US that he was committed to changing the paradigm under which the security industry has operated for years, starting with re-engineering RSA itself.
According to Yoran, the information industry is fundamentally broken and needs to change the way it operates. “We’ve got a very clear vision and focus for the company, and of the critical needs in the security market and how those and the threat landscape will evolve,” he told Computer Weekly.
3. Why the time is ripe for security behaviour analytics
Behaviour analytics technology is being developed or acquired by a growing number of information security suppliers. In July 2015 alone, European security technology firm Balabit released a real-time user behaviour analytics monitoring tool called Blindspotter; and security intelligence firm Splunk acquired behaviour analytics and machine learning firm Caspida. But what is driving this trend?
Like most trends, there is no single driver, but several key factors that come together at the same time.
4. Few cyber attacks sophisticated, says Telefonica security chief
Most big data breaches are enabled by spear phishing and a lack of capabilities to detect and respond to intrusions, not sophisticated malware or attack techniques, says Telefonica’s head of security.
“Most so-called sophisticated attacks can be traced to an email sent to the right person with the right content,” Chema Alonso told Computer Weekly.
Many of the recent big breaches, including the December 2014 hack of Sony Pictures Entertainment, he said, have been enabled by a carefully crafted spear phishing email.
5. Home devices threaten enterprise data security, warn researchers
Poor security on millions of ADSL routers and other devices used by teleworkers represents a threat to global enterprise information security, researchers have warned.
Unscrupulous internet service providers (ISPs) distribute routers that often have several security vulnerabilities, Cisco consultants Kyle Lovett and Dor Tumarkin told the CrestCon & IISP Congress 2015 in London.
6. Many firms still fail to test and secure web applications, says Rapid7
Many organisations are still not testing their web applications to ensure they are secure, according to Dan Kuykendall, senior director, application security products, at Rapid7.
Of those organisations that are testing web applications, many are still using outdated methods that were developed for early web applications.
7. Business will have to embrace security as a service, says Gartner
Businesses will increasingly be forced to adopt cloud-based security services to take care of the basics, so they can concentrate on more complex threats, says Gartner.
This is one of several security-related trends that will emerge and grow in the coming year and beyond, analyst Earl Perkins told the Gartner IAM Summit 2015 in London.
8. APMG opens door to military-grade cyber security assessments
A military-grade cyber defence capability assessment tool (CDCAT) is being made available to commercial business through global certification and accreditation organisation APMG.
The CDCAT cyber security management and maturity assessment tool was originally developed for the Ministry of Defence (MoD) by the UK Defence Science and Technology Laboratory (DSTL).
9. Cyber insurance will drive better security, says Raytheon-Websense
Cyber security insurers will create a more definitive model of risk measurement and management, changing how security is defined and implemented, according to the 2016 Websense Cybersecurity Predictions report by Raytheon-Websense.
“Businesses will need to better understand what is expected of them if they were to consider a cyber insurance policy,” said Carl Leonard, principal security analyst at Raytheon-Websense.
10. MEPs close deal with EU Council on first EU-wide cyber security rules
European negotiators have reached an agreement on the draft text for the Network Information Security (NIS) directive, the first cyber security rules for the European Union (EU).
Online marketplaces such as eBay and Amazon, search engines such as Google and cloud service providers will have to ensure they are secure and report serious breaches, under the rules agreed between internal market MEPs and the European Council of Ministers.