
Establishing Repeatable Security Programs in 2017
Written by CISOSHARE
December 29, 2016
It was back in 2004 that we released the CISO Handbook. The book described a step-by-step methodology for building an effective information security program. When it came out, we thought our team would start an information security consultancy to spread the word and help organizations with the practical steps. Then we had meetings.
In our first meeting, and our second, and then our 30th, we heard the same statement from different organizations:
“We are not ready for, what did you call it again, a security plan, or was it program, whatever you said. Can we just get an assessment that tells us what we need and which meets our current requirements?”
Then, in 2014, the information security environment started to change. Internet-based security attacks became common, and many companies began to bleed data, with losses that kept swelling.
Suddenly, I received phone calls from all the organizations and people I had previously met with. Now they were asking for effective security programs, and they wanted them fast.
The cost of doing nothing about an organization's security has come to outweigh the cost of maintaining an information security program. This realization will hopefully make 2017 a great year for security program development.
Here are the trends, in two primary buckets, that will make organizations act in 2017.
Why Have Attackers Become the Best Market Researchers?
Market research is the activity of gathering enough information about consumers' preferences and needs. Organizations pay large sums for external and internal market research because they want to learn what their customers need.
This pool of information is collected through research and surveys. However, market researchers must follow certain rules to obtain it.
Legitimately available data is limited, since people are not always willing to share it. Attackers, by now, have breached 95% of organizations, including Yahoo.
The Yahoo attack was one of the largest, with more than a million accounts compromised. In 2017, attackers will be seen using breached data the way market researchers use survey data.
Take the Yahoo attack: as an attacker, I would purchase millions of accounts on the black market. Once I had cracked a good number of them, I would run research on what kinds of emails those accounts contain.
In other words, the information obtained can range from banking records to official documents to any transaction associated with the email address. Because an email account is a communication hub, it can reveal a great deal about a person.
All these attacks will ultimately result in compromised and angry consumers. But the fallout won't be limited to customers: business-to-business relationships will also be affected, with lawsuits to follow, since a breach at one company always leads to a breach at another.
2017 will surely be the year for lawyers, who stand to gain a great deal from all these breaches.
Merciless Internet Attacks Will Continue to Haunt Companies this Year
Any attacker with an Internet connection can launch Internet-based breaches against any organization, from anywhere in the world, at any time. These attacks are cheap to perform, and they offer a large payout and the opportunity to harvest large amounts of data.
Organizations, especially those that have been performing this kind of research for information security, are highly vulnerable. These attacks will continue.
These attacks are unrelenting and brutal for an organization. They resemble the earlier attacks on organizations that did business over the Internet, and today almost every organization does.
So in 2017, organizations will be required to act more carefully. They will need proper security programs to protect their business. Protection has become the main concern after the Yahoo breach.
That attack proved that even “secure” companies are not as secure from hackers as they believed.
The Internet is a big world in which everything is vulnerable and exposed. To stay secure, organizations must bring themselves under the protection of a security program.
In the next article, I will go over the top 3 ways organizations will act in 2017.