Threats to companies’ information security are accelerating at a significantly faster pace than the security enhancements those organizations are making, according to a recent Ernst & Young survey. Seventy-seven percent of respondents indicated an increase in external threats, and nearly half (46%) said they have noticed an increase in internal vulnerabilities.
“The bad actors are leaping ahead, and there are more of them,” says Chip Tsantes, a principal at Ernst & Young. And their motivations are different from what they were in the past.
“It’s one thing when you were dealing with criminal networks who were looking for credit card numbers or to drain bank accounts,” Tsantes says. “Now we have anonymous groups and certain nation states that are behind attacks against financial services companies, not for monetary gain but just to harass or try and get other information or disrupt the economy of the U.S.” He adds that such groups are also targeting the defense, energy and telecommunications industries.
With a number of cyber attackers, each with different targets, “the scope of what you need to protect has increased, the complexity of protecting it has increased, the sophistication of the bad guys has accelerated and then throw into that cloud computing, mobile, bring your own device, and it’s not as simple as it used to be,” Tsantes says.
All of these factors emphasize the need to develop a robust security architecture framework, according to Ernst & Young. That includes both business and technical constructs to keep an entity safe, secure and nimble so that it can react to new or different threats as they emerge, Tsantes says.
It’s also critical that the business and the executives in charge of risk partner with IT on information security. Yet according to the E&Y survey, the information security agenda continues to be led by IT rather than being focused on the overall business strategy. Just 38% of the companies surveyed align their information security strategy to the organization’s risk appetite and risk tolerance, according to the survey.
“When I talk to companies about where they are spending their security dollars and the top 10 things they’re trying to protect, it’s rarely the case that there’s a strong correlation,” says Tsantes. “That speaks to the need to get the risk team involved in setting those priorities and understanding where you’re going to concentrate your spending and your people.”
Tsantes says he has seen a couple of companies whose risk groups played a key role in protecting intellectual property: they flagged it as sensitive information and identified that it could be accessed with nothing more than a basic credential. “We were able to add additional hurdles to get to that intellectual property so if someone compromises their account, they still couldn’t get to that information without an additional factor, like a fingerprint or a token or other strong authentication,” he says.
One of the most striking trends in information security involves the significant increase in efforts around threat and vulnerability management (TVM) by financial services firms. Many more companies are doing exercises where they take a very sophisticated attack scenario, get the business and IT people in a room and run the exercise, Tsantes says. Based on that, the company builds a playbook so that if an attack actually happens, they have guidelines for defending against it and communicating with customers, the C-suite and the board of directors, he explains. “We’re seeing a lot of proactive and reactive activity in this TVM space.”