According to a study released last month, the cost of cybercrime rose 19 percent in the past year, and the average company is now spending 82 percent more defending itself than it did in 2009.
And yet that’s still not enough. State-sponsored actors have increased their attacks on corporate targets, and the sophistication of financially driven cybercriminals has increased exponentially in the past few years. The recent JPMorgan-related indictments revealed a stunning level of coordination among a global network of cybercriminals, enabling them to siphon off hundreds of millions of dollars. And it’s now easier and cheaper than ever for criminals to launch cyberattacks. Even children’s toys can be hacked, revealing highly personal data about millions of parents and their children.
As a result, companies are barely keeping their heads above water. A recent survey by the Ponemon Institute showed that advanced threats don’t typically get resolved until 98 to 197 days after they’ve been discovered. This is more than enough time for a determined hacker to get inside and wreak massive damage. What’s more, many attacks go undiscovered for years.
Add to that a recent story by SC Magazine asserting that between 300,000 and 1 million cybersecurity jobs are currently vacant. There simply isn’t enough talent to fix all the holes in corporate America’s cyberdefenses.
It’s past time for companies to use technology in a smarter way to get the job done. Here are four principles for building strong security into your company.
1. Trust no one
Looking beyond the corporate perimeter requires solutions that monitor everything actively, even in trusted parts of the network. Google and others are starting to build security protocols on a “zero trust” model: the assumption that people and devices connecting through the corporate network cannot be trusted any more than anyone on the Internet.
And yet you can’t even trust Google. While it and other providers of cloud-based services have excellent basic protections, they still have weaknesses, which means customers share responsibility for security with their cloud providers. For instance, unless your IT department is vigilant, a terminated employee might continue to have access to shared Google documents and Salesforce data records for weeks or months after they’ve left the company, making the ex-employee a target for outside hackers – or a threat in their own right.
Companies need to take responsibility for their own security, even when (and especially when) using cloud-based tools. Some companies offering additional security on top of cloud-based services include FireLayers, Adallom (recently acquired by Microsoft), Netskope, Skyhigh Networks, Elastica (recently acquired by Blue Coat), CipherCloud, and BitGlass.
2. Store as little as possible
Companies need to avoid storing the personally identifiable information (PII) of consumers as much as possible. For example, if you need to handle e-commerce transactions online, use a service like PayPal that lets you process transactions without ever storing a customer’s credit card details. That puts the burden of securing customers’ information on PayPal instead of your own IT department. PayPal, of course, is not the only choice: Google Wallet, Dwolla, Stripe, and others also provide a similar benefit.
For companies that do need to store sensitive information like PII on their servers, consider implementing several complementary data security technologies to cover as many attack vectors as possible. For instance, sensitive data should be encrypted, and you also need to make sure your identity management and access management tools are up to date. And you should monitor user behavior, which brings us to the next section.
3. Respond rapidly
Companies can respond far more rapidly by using automation. We estimate that rule-based security automation can shut down as much as 80 percent of current hacker intrusions, enabling those rare, expensive security professionals to focus their efforts and time on the most sophisticated and severe attacks, while minimizing the amount of time they spend on false positives and routine incidents. Automation like this increases the productivity of cybersecurity professionals. Companies in this category include Hexadite, Resilient Systems, Invotas, Swimlane, Bit9 + Carbon Black, Access Data, and Guidance Software.
[Disclosure: Our firm is an investor in Hexadite and FireLayers.]
4. Engage executive leadership
None of this will happen without the support and leadership of top executives. If the CEO and executive team don’t make cybersecurity a priority, it will always remain an afterthought, implemented only after other priorities. And that can lead to disaster, as examples from Target to JPMorgan to Sony Pictures have shown.
A great illustration of how cybersecurity has become a serious concern for business executives is the cybersecurity insurance field. The market for this kind of insurance barely existed until several years ago, yet is projected by consulting firm PwC to reach $7.5 billion in revenues by 2020.
Despite the litany of shame and chaos, there are many companies showing leadership in establishing good security practices and protecting their data and that of their customers, including Box, Cadence Design Systems, Netflix, Graham Holdings, Morgan Stanley, and PayPal. It’s not an impossible task, just a difficult one. Start preparing now, before the breach happens.
Yoav Leitersdorf and Ofer Schreiber are partners at YL Ventures, which invests early in cyber security, cloud computing, big data and Software-as-a-Service companies.