How CIOs should prioritise their efforts around security, from budgeting and managing delivery of service through to working with the rest of the business
When it comes to securing the enterprise, CIOs certainly have their hands full. Whether it’s implementing new services, managing cloud computing and BYOD initiatives, tackling long-standing challenges like data protection, or protecting networks and applications against attacks, there’s plenty going on to keep a CIO awake at night.
However, the danger here is that when something like cloud computing or BYOD comes along and grabs the headlines, resources are directed away from serious security efforts, which puts the business in far more peril.
There’s a lot of investment – from both security companies and businesses – into securing the enterprise from threats targeting those emerging areas mentioned above.
But research has shown that it’s existing threats that are the root cause of security nightmares for CIOs. Nearly half (44%) of all breaches recorded in 2014 came via vulnerabilities that were between two and four years old.
Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago, according to research by HP. Known bugs or logic flaws were the primary causes of commonly exploited software vulnerabilities, while server misconfigurations played an important role as well.
This leads to one of the top security priorities for CIOs: updating infrastructure quickly. The previously mentioned research shows that IT departments can neutralise up to 95% of attacks if they make updating their software a priority; updates should be applied as soon as they are available – ideally within two weeks.
For many, that generally means waiting for the second Tuesday of every month when the Microsoft Patch Tuesday rolls around. This is when Microsoft, Adobe and Oracle traditionally release updates and patches for whatever software vulnerabilities they’ve found and fixed.
With the new Windows 10, Microsoft is introducing technology that will further streamline the system of pushing out updates as quickly as possible, moving towards an approach that has become common already in the consumer world. We all know the almost daily cycle of updates we go through with the apps on our mobile devices, while Google Chrome users are already used to continuous updates installing in the background.
This style of fast and automatic update is a great way for businesses to ensure their software is as resilient to attacks as it can possibly be. Automating the update and patching process is a well-tested approach to security and well accepted by end-users. However, the IT team has to be confident in the vendors that are supplying updates to them, and confident that implementing updates won’t upset existing applications or services.
A second priority for CIOs at the moment is one that requires a bit of involvement from the end-user – but it’s one that can make a massive difference to the security of an organisation. It’s to do with improving management of credentials.
This is another area where the enterprise can learn from the consumer space. How many of us have to use some form of two-factor authentication (2FA) when we log into our online banking service? How about email or social media accounts? Having something as simple as a one-time code sent to your mobile device to enable log-on dramatically increases how secure an account is.
Stolen credentials are regularly used in hacking attacks. A recent breach of the German parliament network was enabled by the hackers gaining “administrator rights”, which essentially gave them unrestricted access across the computer network. It’s currently not known what information was accessed or who was responsible – from criminal gangs through to state-sponsored attackers – but fingers have been pointed in Russia’s direction.
Adding that second layer of protection, via 2FA or one-off tokens, won’t make an enterprise totally secure but it will solve a lot of these problems. These days, there really is no excuse for not using 2FA wherever it’s available – long ago, the cost ruled out all but the biggest, most security-conscious companies but that’s no longer the case. In fact, in most instances, adding 2FA support is free.
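The one-time code described above is, in practice, usually a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226). The following is an added example, not code from the article or from Qualys, showing the server-side half: generating the code from a shared secret and verifying a submitted code with a small clock-skew window, constant-time comparison, and a replay check so the same code cannot be accepted twice. The secret, timestamps and the `last_counter` bookkeeping are assumptions for the demonstration; the secret is the RFC 4226 test key so the values can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time divided by the step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, candidate: str, timestamp: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Verify a submitted code.

    Returns the time-step counter the code matched, or None if it is rejected.
    - window: how many steps of clock skew either side of 'now' are tolerated.
    - last_counter: the highest counter already accepted for this user; any code at or
      below it is refused, so a captured code cannot be replayed within the window.
    The loop never breaks early and uses hmac.compare_digest, so timing does not reveal
    which candidate step (if any) matched.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    now_counter = timestamp // step
    matched = None
    for delta in range(-window, window + 1):
        c = now_counter + delta
        if hmac.compare_digest(hotp(secret, c, digits), candidate) and c > last_counter:
            matched = c
    return matched


# Constructed enrolment data: the RFC 4226 test secret, stored as an authenticator
# app would receive it (base32) and decoded back to raw bytes for HMAC.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SHARED_SECRET = base64.b32decode(SHARED_SECRET_B32)

if __name__ == "__main__":
    t = 59  # RFC 6238 test timestamp; counter = 59 // 30 = 1
    code = totp(SHARED_SECRET, t)
    print("code at t=59:", code)                                   # 287082
    print("first use:", verify_totp(SHARED_SECRET, code, t))       # 1
    print("replay:", verify_totp(SHARED_SECRET, code, t, last_counter=1))  # None
```

The window of one step either side tolerates a phone whose clock drifts by up to 30 seconds; widening it trades security for convenience, so keep it small and log repeated failures. Persist `last_counter` per user in the same place as the secret, otherwise the replay check is lost across server restarts.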
Adding 2FA is particularly simple for businesses that develop their own software and services in-house. This takes us on to our third CIO security priority: securing the development process. More and more businesses are developing their own software, believing that this approach offers the best way to ensure their requirements are met in the most cost-effective manner.
However, if the software development and programming are done internally, they need to be done in a secure way. This emphasis on security is important as it helps the business reduce risk and cut the need to re-work the software at a later date, if and when a vulnerability or other issue is discovered. As pointed out before, the majority of cyber attacks are launched through a vulnerability in an unpatched program, so removing those vulnerabilities closes off an attack vector that cyber criminals can use.
There are plenty of courses available that teach developers specific skills that help with building more secure applications or services. If a CIO is going to prioritise developing in a safe and secure way then it may be worth investing in a course for their developers.
These three priorities are simple but incredibly effective ways of making the IT environment – and of course the business as a whole – more secure, and will make a huge difference to the organisation. Things such as automatic updates and enabling 2FA where available are simple to deploy. It’s really not that hard to be a bit more secure.
Sourced from Wolfgang Kandek, Qualys