The cybersecurity world is at a crossroads in its evolution. In the same way that concentric castles, with inner and outer walls, were built in response to advances in siege technology, a new approach is required for cybersecurity due to the evolving nature of today’s threats. This new approach should combine the existing tenets of “converged security” and “defense-in-depth” with the new tenets of “zero trust” and “adaptive perimeter”.
In recent years, traditional “perimeter-based” security models have been rendered less effective by two evolving forces: the increasing sophistication, frequency, and scale of cybercrime and the rapid adoption of new, disruptive IT technologies such as social, mobile and cloud. In addition, the next wave of emerging trends, such as the Internet of Things, wearables, and software defined networks are challenging and, in some cases, eroding the traditional perimeter model even further.
Perimeter-based strategies are now many years old, and today’s cybercriminals can simply go straight to the end user, their devices and applications, to get their data. Taking just one example, the IoT opens up a whole new attack surface and set of vulnerabilities for hackers to exploit. Cyber risk scenarios include theft of sensitive data, introduction of malware, and ultimately “command and control”-style sabotage of connected, controllable devices. In addition, the threat intensity increases as IoT devices become more controllable and more autonomous.
CISO challenges & considerations
The net effect is that today’s market forces and challenges are forcing many organizations to re-think their policies for sensitive data protection and their overall cybersecurity response in terms of future investments and operations. The issue is so severe that Gartner predicts that, if things stay the same, “by 2020, enterprises and governments will fail to protect 75% of sensitive data, and will declassify and grant broad/public access to it”. Of course, some of this may be due to data that’s incorrectly classified in the first place, but you get the general point.
In addition, consumers are becoming increasingly concerned about identity theft and data breaches. The recent retail point-of-sale malware incident compromised over 70 million identities, and the biggest case of cyber fraud in the U.S., just last year, compromised 160 million credit cards with losses in excess of $300M. All in all, according to a sponsored survey by the Ponemon Group, the average annual cost of cybercrime per company has risen from $6.5M in 2010 to $11.6M in 2013.
In the latest Unisys Security Index, we found that nearly 60 percent of Americans surveyed say a security breach involving their personal or credit card data would make them less likely to do business at a bank or store they commonly use. (Disclosure: I am employed by Unisys.)