Five tactics for security pros who want to be ready for the next threat

@paul-gallant
Security - Jun. 21, 2017

Identifying possible attackers is as important for your company's security as a good firewall

IT decision-makers face pressure on all sides. Whether from a board of directors, a company owner, a manager or their own inner critic, the demands to keep their company’s data safe from cyberattacks and other security breaches seem to get more daunting each year.

In its fourth annual Security Pressures Report, published this spring, U.S.-based digital security company Trustwave found that 53 percent of IT professionals faced increased pressure trying to secure their organization, compared to the year before. Participants in a survey of 1,600 full-time security decision-makers and security influencers in the U.S., Canada, the U.K., Australia, Singapore and Japan reported being worried about Distributed Denial of Service (DDoS) or other Web-based attacks, ransomware breaches, intellectual property theft and customer data theft. Damage to the reputation of their company, as well as fines and legal action that might result from a data breach, are also top of mind.

“This year we have seen several significant breaches that tracked back to specific code and companies not doing proper security checks on new code because they were trying to hit deadlines. These were breaches that would have been caught had they done appropriate testing,” says Christopher Schueler, senior vice-president of managed security services at Trustwave.

The 2017 Security Pressures Report makes several recommendations to help companies embrace forward-thinking approaches to IT security.

  • Keep things in perspective. “One thing you don’t want to do as a security professional, or an IT professional with security responsibilities, is lose track of the forest for the trees,” says Schueler. For any corporate environment, it’s not a matter of if a security breach will occur, but when. Research suggests that the average breach goes undetected for more than 200 days, so remediation, containment and long-term planning are as important as prevention.
  • Remain optimistic. Security professionals need to look past the dramatic headlines. Knowing who the attackers are and how they operate can help develop tangible strategies to keep networks and data safe. In the hospitality industry, for example, attackers often use spear phishing (targeted messages that appear to be a legitimate query, but which are seeking access to sensitive information) to exploit customer service agents who are so eager to help that they click on links they shouldn’t. By contrast, in the fast-food industry, the Cardholder Data Environment (CDE) network is often the most vulnerable part of a business’s operations.
  • Follow the Five-Point Framework suggested by the U.S.-based National Institute of Standards and Technology: Identify, Protect, Detect, Respond and Recover. In the last few years, the “Respond” step has become more complex. “It’s not simply about identifying the malware and removing it, but identifying the origin of the malware, identifying what was potentially taken and whether the attackers moved laterally via the malware,” says Schueler, “and then determining the next customer and business decisions based on that analysis.”
  • Get on the offensive. If a company is not using analytics to collect and analyze risk data and to hunt for potential threats, it may be failing to avoid the biggest risks. Some companies may “hack back” by reverse engineering an attack to determine who launched it, how they did it and, as a more extreme action, to collect information that can be handed over to law enforcement. “While hacking back may not be advisable for all organizations, you still need to be aggressive and offensive,” states the Security Pressures Report.
  • Establish internal and external allies. Reaching out to competitors isn’t always easy, so many industries have created organizations that help companies share information. Internal company politics and siloed departments also get in the way of developing best practices. “Raising the conversation to the executive ranks and the board can create top-down awareness about sharing information that’s applicable to all business areas,” says Schueler.