“If security was about protection in 1990s , detection in the 2000s, then this decade is about responsiveness to incidents.”
This view comes from Bruce Schneier, a security expert and author of a dozen books. He believes organizations must get smarter, faster and better at responding to data security breaches.
The emergence and growth of drones in physical spaces overhead homes and organizations offers a reminder of smarter, faster and better response times over privacy and security concerns. Most individuals and organizations act quickly when physical objects fly overhead and observe or record audio and or video information. In other words, response time is fast.
The Wall Street Journal reports the Federal Aviation Administration predicting sales of 7 million drones in the US by 2020 up from the current 2.5 million in sales expected in 2016. The use of drones for personal and commercial purposes raises privacy and safety concerns, especially when flying over one’s home or a business. In one case in 2015, a judge ruled William Merideth had the right to shoot down a drone over his home, citing an invasion of privacy because it flew below the tree line.
According to A. Michael Froomkin, the Laurie Silvers and Mitchell Rubenstein distinguished professor of law at the University of Miami School of Law, quoted in the Wall Street Journal:
“Drones pose a huge threat to security and privacy, and that property owners should be able to keep them from flying over their land…Drones can film, record sounds or listen in on Wi-Fi and other signals, and no fence is high enough to keep them out.”
Concerns are warranted as drones continue to grow in popularity. Individuals and organizations are being vigilant in their need to detect, protect and respond quickly to security and privacy issues. The same diligence about privacy and security is not evident regarding our devices – computers, phones and gadgets – that are continually plugged into the Internet. Every day, we allow corporations to collect, analyze and sell large amounts of personal information about identities and where and how we live, work and play. When large amounts of information are stolen – whether financial or other – users have little or no recourse regarding their privacy and security.
Three trends are making it harder for organizations to effectively respond to threats.
1. The Cloud Era is Growing
The cost of computing continues to drop every year and more data continues to be stored. In his book, Data and Goliath: The Hidden Battles To Capture Your Data And Control Your World, Schneier says in 2015, a petabyte of cloud storage will cost $100,000 per year, down 90% from $1 million in 2011. This trend applies to both individuals and organizations, where cloud providers store every type of data possible.
As more data is outsourced to various cloud providers, complexity will increase and make it harder for organizations to respond effectively. This is because organizations no longer possess control to see the entire network clearly, as they did in the past. Also, most cloud providers don’t disclose the operating systems or hardware they use. Coupled with this, a wide range of devices and gadgets access information and the network today. As information is decentralized, the loss of control reduces the ability for an organization to effectively respond to a cybercrime.
2. Cyber threats are increasingly sophisticated
The strength and impact of attacks is growing. Regardless of attackers operating independently or with aid from nation states, their efforts are more focused, deliberate and skilled. Hacking is now intertwined with geopolitics and targets employees of multinationals and governments.
Today, attackers have the upper hand, according to Schneier for a number of reasons. First, it is easier to break than fix things. Second, as systems become more complex, finding gaps becomes more difficult. Third, automated systems result in more security holes, making them harder to find and fix. Fourth, computer security is complicated and average users are prone to human error and mistakes. This sometimes compromises the efforts of computer security staff.
In the past, criminals hacked into one computer to steal personal data. But today they break into large corporate databases, stealing the personal information of millions of people. This was the case with hackers breaching the retailer Target’s database and stealing millions of customer credit cards. Surprisingly, according to Schneier, many companies have lax security and don’t realize or take months or years to discover their data is being taken due to a breach.
3. Companies under invest in protection and detection
When thinking about corporate security, psychology and economics usually drives decisions. For example, if the cost of security is below the cost of losses, then security comes out on top. If the cost of security is more than the losses, then go with the losses. Most organizations realize that a successful attack or defense often depends on which side has the upper hand during the current technology and innovation period coupled with psychology and economics. In one period, momentum shifts to attackers, while in the next period, defense is stronger.
In the case of Target, hackers wanted to gain access to a large number of credit cards. If the network were more secure, the criminals would find another company with weaker security and breach that database, containing millions of credit card numbers.
Organizations – large and small – must become more resilient. Cybercrime is more sophisticated today. At the same time, information is increasingly decentralized and outsourced to third party cloud-based providers. The most effective way an organization can become more resilient is to integrate each security response into an overall corporate crisis management strategy and plan. This includes actionable step-by-step instructions to communicate for internal communication with employees and externally with, stakeholders, partners and cloud providers.