The 2015 M-Trends report contains a lot of data points on what FireEye is seeing in the trenches of the most significant security breaches around the world. With so many breaches and so many headlines, the question you should be asking is, “How can I ensure I am not the next victim?” Let's take a look at a few of the findings to see what’s behind them, and what the key takeaways are for the CEO.
Lesson #1: No one is immune to advanced attacks.
This may sound cliché, especially coming from a vendor but consider:
· Not only did the retail sector see significant increases in activity (these made news headlines around the world), but we also saw many more victims in the business and professional services and legal areas. This shows a trend of cyber criminals targeting aggregation points of sensitive information, which should be a wake-up call to any organization that has outsourced back office processing, legal services, call centers, or customer service operations. Regulated industries can expect to see increasing scrutiny and heightened expectations for controls and oversight of third-party operations, as major breaches bring the risk in the business supply chain into greater focus. If you have outsourced access to your network, or give your sensitive data to a third party, how do you know whether your data is protected from sophisticated attackers?
· The increase in attacks on law firms shows that some cyber criminals have worked out how to game the global financial system. M&A deals, patent grants, patent disputes – these are key to how businesses are perceived in the market. Having access to such market-sensitive information can turn a hacker into an inside trader, leveraging the real-world financial system to make money and distorting market transparency. Law firms, and the companies that hire them, should take steps to ensure that company secrets remain that way, by detecting and preventing advanced attackers from breaching their defenses.
· We also saw the healthcare sector coming under fire last year, and any organization with a lot of sensitive information is going to remain a target. While the high-profile breaches involved victims in the U.S., healthcare providers around the world should actively ensure that they are not compromised, and put detection and response capabilities in place to defend against these threats.
Lesson #2: Ignorance is still bliss.
It is noteworthy that the time to discover a breach hasn’t shifted tremendously. The average of 205 days it takes to detect a breach is skewed by the fact that well-prepared organizations detect breaches constantly, and respond to them as part of the normal course of business. The 31% of businesses who detect these breaches themselves are doing something right, but still 69% of businesses find out because someone else identifies it first. Those businesses who detect the breach early can often prevent any business damage, and can get in front of the problem with their legal counsel, media relations, customers, and regulators. Those who don’t might lose their most valuable business assets, market value, and even their jobs. Detecting breaches shouldn’t take days, weeks, months or years – if your business can’t detect and respond to breaches within minutes, then your business is not protected from advanced attacks. As our own CEO put it, we are in a global cyber war.
Lesson #3: The time to rethink your security strategy was yesterday.
What is clear is that the metrics from the report paint a poor picture today, and we must challenge how we gauge cyber security success. If we believe we are in a good place yet the results from this report paint a different picture, then either it’s not happening in your company (which, in our experience, is rarely the case) or you have the wrong success criteria. The moral? The way to improve is through ongoing assessment and leveraging third-party knowledge and expertise.
Suggested CEO or Board of Director Actions
Do you know how prepared your organization is? A direct conversation with the CISO is the best way to get started. Here are some possible questions:
· How are we securing outsourced back office processing, legal services, call centers, and customer service operations?
· How quickly can we detect and respond to advanced threats?
· Do we need to overhaul our approach to security?
· How do we qualify whether an incident should be escalated and who at a board level owns/supports that response?
· What is our acceptable risk level for the business and how/when have we qualified this? How frequently is this reported back to the board?