It should be a simple prioritization. In light of the increasing number of security breaches across industries, security should find itself at the top of the list of IT priorities today. From Target to Anthem, from AshleyMadison.com to the U.S. Office of Personnel Management, and countless others, the number of breaches, and consequently the number of those impacted, continues to rise at an alarming rate. PwC’s 2015 Global State of Information Security Survey, in fact, suggests a 66 percent CAGR in detected security incidents since 2009.
While large institutions are obvious targets and tend to attract most of the malicious activity, smaller businesses should be aware of their connections to larger ecosystems. Sophisticated cybercriminals can, in fact, seek to exploit security weaknesses at smaller partners in order to infiltrate the entire ecosystem community—something most large businesses don’t typically look for.
And the one thing we can be certain of is that, as the world becomes even more connected, the frequency of hacks will only increase. WIRED’s Andy Greenberg, for instance, just published his account of sitting in a Jeep Cherokee while it was being hacked. While his scenario was voluntary, it highlights something we’ve known for years, yet obviously automakers haven’t taken seriously enough—the potential devastation if cars can be hacked.
Naturally, cost is an issue. But, when weighed against the potential damage from a breach, one has to wonder why so many businesses aren’t investing more in their security. Earlier this year, I discussed the issue with ViaWest’s CTO Jason Carolan, who suggested there is some willingness to spend more on security than in the past but, in most cases, it’s nowhere near enough.
“If you were to really take the [security related] events of the past few years as an important set of situations, if you didn’t at least double your security budget, you probably aren’t investing enough,” he said. “I don’t think an additional 20 percent is enough, because of the sophistication and the amount of layers you now need to orchestrate and protect.”
Incidentally, he also mentioned his own security budget had close to quadrupled over the past three years. He acknowledges proper security isn’t cheap, but says those that have appropriate measures in place sleep better.
And that brings me, in a bit of a long-winded fashion, to what really prompted me to think about security today: a report from Randstad Technologies that shows a fundamental lack of regard for, and understanding of, the impact of insufficient security.
With an October 1 deadline looming for the transition to EMV-capable technologies, the number of IT decision makers (42 percent) who have yet to begin planning for the migration, or have no knowledge of its progress, is astounding. Even more astounding is that more than half are not concerned about the risk associated with missing the deadline, although that isn’t as surprising when you consider that more than a quarter of respondents feel that the newer “chip and PIN” security measures are not more secure than the older “chip and signature.”
“I’m surprised there’s such a disconnect between companies’ seriousness about the EMV transition and their actions to make it happen,” said Dick Mitchell, Randstad Technologies Solutions Director. “I’m even more surprised that there is anyone – let alone 28 percent of respondents – who believe Chip and Signature is more secure than the technically superior Chip and PIN.”
Not surprisingly, the majority of respondents also believe the migration deadline and liability shift (at the deadline, businesses that have not migrated to EMV-capable technologies will be liable for fraud resulting from their lack of implementation) should be delayed. Will it help? Perhaps, for a few.
Historically speaking, however, businesses have not been willing to spend enough on security measures until forced into it, so it’s likely that a delay would only result in a similar situation 6 or 12 months later.
The bottom line is that, in a connected world, all involved parties—businesses, customers, vendors, financial institutions—bear the burden of responsibility for information privacy and data security. The only way it can be effective, however, is for each party to maximize its security presence to limit exposure. Or, the other way to look at it is, assume the other parties involved aren’t doing enough, so it all falls on your shoulders—or risk being the next in a long line of hacked businesses. Someone will, that much is certain.