Some security leaders argue there is little point in worrying about emerging threats when businesses can't defend against today's attacks.
INTEROP ITX - Las Vegas - New technologies like machine learning, artificial intelligence, and IoT will drive the scale and complexity of cyberattacks. Businesses have every reason to be concerned as the threat landscape continues to grow.
But does it make sense to stress over advanced threats when organizations can't defend against the attacks they currently face?
"A lot of the security threats we face day to day are not fancy, sexy, technologically new stuff," says Anthony Aragues, vice president of product management for Anomali. If these issues were written down, they would be perceived as obvious, but they remain problems.
"We're reminding people -- hey, taking the right steps is important," says Diana Kelley, global executive security advisor for IBM Security. "Threat actors are a lot more motivated than they were 15- to 20 years ago."
Today's users are so dependent on software and connectivity that security disruptions will become increasingly palpable going forward, Kelley says. If an operating system is vulnerable, any business in any industry can be at risk. Hackers don't need to discriminate.
Many organizations, especially small- to midsized businesses, don't really plan their security architecture. In her Interop ITX Cybersecurity Crash Course presentation "Securing Your Enterprise Infrastructure," Dawn-Marie Hutchinson, executive director for the Office of the CISO at Optiv, posed a question to a room packed with IT pros: "Who here has a security strategy?"
Silence. Maybe one hand.
"Every organization right now needs help," she said, noting how attacks are getting easier and cheaper to launch, and more complex to face. "We have more information than we've ever had before, about what's coming after us and how," yet most organizations have immature security strategies.
Attitude is at the root of many security issues organizations face today, Anomali's Aragues explains. It's common for businesses to push security issues to one part of the organization and forget about them. The business often sees security costs as overhead that don't bring value.
"The overall trend that bugs me about security is companies expect it to be handled by the security department," he continues. "We're going to have a problem as long as that's the case."
Last week's WannaCry ransomware attack is a prime example of how businesses aren't putting basic security measures in place. They need to be running only updated operating systems - not older, no longer supported ones like Windows XP - and shut off unnecessary system processes.
"We can blame the Shadow Brokers for leaking NSA vulnerabilities, but there's still the issue of people running old operating systems and leaving open services they don't need to have turned on," he continues.
Individuals and businesses are more connected than ever, but they don't have the security awareness to protect themselves. Organizations can't predict the aftershock of a cyberattack when it hits, explains FireEye CEO Kevin Mandia.
"The vast majority of companies really don't know what happens when you pop off the grid," he says. In his Interop keynote, he emphasized how security hygiene is lacking if a server message block (SMB) exploit can infect more than 200,000 machines, as it did in WannaCry.
Will the latest massive, global cyberattack be a wake-up call? It depends.
The companies who will take action following WannaCry will be those who already have a plan, says Aragues. If they had a strategy in mind and only needed a budget, for example, they can now make some real progress. Those who weren't thinking about security before WannaCry will be playing catch-up and fall behind in all they want to accomplish.
Hutchinson urged tech leaders to build stronger relationships with their business teams. You can't create a business-aligned security strategy with lack of expertise and immature programs, she said.
"The way we used to do things doesn't work anymore," Hutchinson explained. "Think outside the box. The most effective moves aren't always the most natural or comfortable."
Organizations should create three lines of defense in their fight against current cyberattacks and new threats on the horizon. She suggested the following:
- Build a highly trained team: Fight for budgets to attend security-focused events, where your team can learn news and information about threat intelligence.
- Information risk office and steering team: This division defines and enforces security policies, manages information risk, and oversees industry and regulatory requirements.
- Internal and external audit team: To ensure all policies and procedures are effective from inside and outside the organization.