As cyber attackers get more sophisticated and targeted, organizations need to step up their own efforts to be secure, vigilant, and resilient.

Mike Denning, vice president of global security at Verizon Enterprise Solutions, and Ed Powers, U.S. managing principal for Cyber Risk Services at Deloitte & Touche LLP, discuss trends in cyber threats, data security, and the findings from Verizon’s 2015 Data Breach Investigations Report (DBIR), among other topics.

What trends in cyber threats should organizations have on their radar?

Denning: In a trend known as targeting, individuals inside organizations who are known to have access to privileged information—chief financial officers, heads of HR, board members, and other senior leaders—increasingly are the target of specific, focused cyber attacks. Attackers may also target certain data types including financial data or personally identifiable information (PII). Whereas in the past, perpetrators used a tactic known as ‘spray-and-pray,’ striking very broadly with the hope of hitting something, now their attacks are much more focused and refined. Our recent DBIR found that 70 to 90 percent of malware samples were unique to a specific organization.

Detecting these new types of threats is difficult because organizations generally rely on signature-based technologies that employ pattern matching, or identifying new threats by comparing them to attacks seen in the past.

Powers: To Mike’s point, when an attack is highly targeted and customized to a particular organization, it becomes harder to identify and can be difficult to recognize as suspicious. In today’s environment, attacks are to some degree inevitable. So rather than focusing exclusively on securing, we use a broader construct we call Secure.Vigilant.Resilient.™ To effectively manage cyber risk, organizations need to be not only secure but also vigilant, which means getting much better at identifying potential incidents and anticipating attacks. And they need to be resilient by improving their ability to respond quickly, and minimize the business impact of an attack.

What are some of the biggest challenges or missing protocols among organizations in managing cyber security?

Denning: Many organizations haven’t planned their response in the event of an attack, and haven’t run through war gaming or other exercises to help them prepare. There are many important issues to consider: What do we do? Whom do we engage? How do we preserve the evidence and information? Or if they’ve done some planning, they may not have involved all the necessary stakeholders. For example, organizations often don’t involve forensics investigators until after an attack has been discovered. Or they don’t enlist the help of a neutral third party to perform the forensic investigation, relying instead on whoever set up the defense.

Other often-overlooked stakeholders outside IT or operations include marketing (for effects on brand), PR (for communications with employees and customers), and legal (for retaining evidence for prosecution or for assessing financial damages).

Powers: Many organizations also struggle with monitoring, which can help to identify incidents more quickly. Additionally, communication protocols, for sharing information inside and outside the organization and for decision-making in the heat of battle, often are not well-structured. Sometimes organizations focus on the technical dimensions of the response but don’t adequately consider the investigative, business operations, public relations, or regulatory perspectives. We’ve seen examples of organizations that were unprepared for the extent of the damage to their businesses, and how protracted the recovery process can be.

In this year’s DBIR, were there any findings that surprised you or indicated new areas of concern?

Denning: One of the biggest surprises was the finding that 99.9 percent of the exploited vulnerabilities had occurred more than a year after a patch, which quite possibly would have prevented them, had been published. Organizations are finding it difficult to maintain the latest patch releases. Additionally, the finding speaks to the challenges of endpoint security.

Today, coverage is more important than speed because, through scanning and other methods, attackers are able to find the weakest link in the chain and then quickly move laterally within the organization. For example, having a “Patch Tuesday” is not as effective as a programmatic, systematic, and controlled patch release where you make sure you are covering 100 percent of your endpoints.

Are boards as involved with cyber issues as they should be?

Powers: Boards and executive teams are increasingly aware of cyber threats, but many still don’t fully appreciate the threat landscape. When they look at their business operations and their critical assets, they may not understand who would want to come after them, what their motivations might be, and what is at stake. Moreover, an organization’s key strategic initiatives are often what open them to new risks. It’s really important for boards and executive management to promulgate an understanding of what they are trying to protect against, and to ensure cyber risk is considered as an integral component of business strategy.
