2014 was a year full of unprecedented cyber attacks in the U.S.
Big companies such as Target, Home Depot, Michaels, P.F. Chang’s and JP Morgan fell victim to data breaches, and 2015 is already heading down a similar path. Anthem, the second largest health insurance company in the U.S., announced a massive data breach on Feb. 5.
But big name businesses aren’t the only targets. A report published by the Ponemon Institute in September 2014 found that almost half of all U.S. companies have experienced a security breach of some sort in the past year. Hackers are out there, and they’re attacking businesses large and small.
I spoke with three cybersecurity experts about 2015 trends and what startups can do to keep their data safe this year:
1. Detection over prevention
In 2015, prevention is no longer enough to keep data safe from hackers.
“Hackers have gotten very sophisticated, and preventing breaches entirely is impossible,” says Nat Kausik, CEO of Bitglass, a leader in cloud access security. “Companies need a two-pronged approach balancing breach prevention and breach discovery and remediation.”
This year, the focus will shift from preventing attacks to detecting breaches and minimizing the harm they cause.
“This is a philosophical change that was brought about by the waves of breaches last year -- Target, JPMorgan, HomeDepot, Sony,” Kausik says. “Each of these companies invested a lot in preventing breaches, and yet got hacked. The average breach lasts 229 days entirely undetected. Catching breaches early can limit the damage considerably.”
Fengmin Gong, co-founder and chief strategy officer of Cyphort, an advanced malware defense company that detects and fights targeted threats, corporate espionage and IP theft, agrees that security needs to advance beyond prevention tactics.
“First we implement a ‘continuous monitoring and mitigation’ approach,” Gong says. “Next we identify all critical assets and the potential attack surface. Then we implement a detection and response solution and finally we implement an ongoing process for security posture assessment and improvement.”
2. Security literacy
Security starts from within an organization. Establishing safety practices and ensuring all employees are aware of them is key.
“Policy and education of the workforce goes a long way toward better security posture, especially in this age where advanced threat actors increasingly resort to social engineering tactics in their threat campaign,” Gong says.
He advises business leaders to instruct their employees to follow these basic practices:
- Keep the endpoint system and security software updated and enable auto update.
- Don’t install apps from untrusted sources.
- Don’t install apps as the device administrator unless it's necessary.
- Stop saying "yes" to all permission requests. Why should a news feeder access your contact list?
- Stay vigilant of what's running devices, and investigate suspicious activities
3. Cloud protection
As technology evolves, so will cyberattacks, and the next target may be information stored in the cloud.
“In this evolving mobile and cloud era, it is no longer about protecting your enterprise boundaries or devices, but more about protecting the assets themselves, wherever they may reside,” says Rehan Jalil, CEO of Elastica, a cloud security company. “As more and more valuable assets migrate to the cloud, cybercrime will follow.”
Although many cloud providers have sound infrastructures, Jalil suggests that organizations are still vulnerable through the standard username and password setup that allows full access to company data.
“Phished credentials, malware hijacking valid HTTPS connections, and malicious insiders are all very real threats and represent the easiest ways to attack corporate assets in the cloud,” he says. “Organizations would be wise to integrate a security strategy as part of their overall cloud strategy to ensure that they are adopting safe cloud apps and are taking proper data governance and threat prevention practices.”
4. Practical steps
When revamping cybersecurity efforts, Gong suggests startups take the following steps:
- Focus on the most valuable assets.
- Set clear goals.
- Adopt one process and one flow.
- Insist on tools to fit your workflow.
- Review and improve practices.
Although implementing data security can cost time and money, it is a critical component for businesses today.
“Putting comprehensive security solutions in place to protect your critical assets, including those stored in the cloud," Jalil says, "is a very small price to pay to avoid the massive damages we have seen organizations grapple with in 2014.”