Despite the increasing importance of information security, IT pros are struggling to control risks on a limited budget. The Ernst & Young 2015 Global Information Security Survey reported that for 62% of CIOs, budget is the biggest security barrier. Nearly 75% believe a budget increase of 50% or more would be necessary to adequately protect their company.
Why Stagnant Security Budgets are a Serious Issue
What's the impact of a stagnant, declining, or tiny information security budget? For many companies, the pinch is felt in several distinct areas:
- Detection and Incident Response Difficulties
Only 24% of organizations have 24/7/365 monitoring set up. It takes 75% of organizations weeks or even longer to discover security incidents with data loss. The longer an intrusion goes unnoticed, the greater the damage, and the organization may suffer the embarrassment of first learning about the incident from law enforcement personnel.
- Fewer Qualified Security Staffers
Nearly 35% of organizations report they don't have enough staff for their security programs. Analysts are predicting a 1.5 million person talent gap by 2019, which will leave nearly a quarter of positions vacant. For companies with a limited budget, wage pressures can make it difficult to recruit experienced talent.
- Difficulty Training End-Users
There's conflicting research on just how many organizations are performing security awareness training for all users, in compliance with PCI-DSS requirements. Some researchers report that 90% are training, while other surveys put the number closer to 56%.
Regardless of where the truth lies, the issue is probably more with the effectiveness of training than simply checking a box off your to-do list. Employees are more likely to click on malicious links in phishing emails than they were a year ago, which indicates they may not be absorbing knowledge from training. However, better behavioral-driven training, hands-on exercises, and metrics all require resources that may be absent in some organizations.
- Inadequate Mobile Protection
For many companies, employee-operated mobile devices represent a significant weakness in endpoint security protections. It can be even more challenging to adequately address mobile vulnerabilities if your company has bring-your-own-device or telecommute programs in place. Multiple operating systems within a single environment can represent a security management nightmare, especially if brands are struggling to manually manage assets.
If your organization is one of many trying to address its vulnerabilities despite limited resources, there are solutions. Join us as we review how your peers are balancing advanced threat protection with limited security budgets.
Tools for Mitigating Advanced Threats on a Limited Budget
Is your organization ready to combat the recent spike in advanced persistent threat (APT) targeting? If you're anything like the majority of your peers, you may not be.
Cisco's 2016 Midyear Cybersecurity Report found a two-fold increase in ransomware attacks. Cisco's Vice President and Chief Architect Marty Roesch believes many companies simply don't have the infrastructure to protect against sophisticated, targeted APTs. Cisco's research also indicates ransomware and other advanced threats are developing new ways to evade detection, such as limited CPU utilization and avoiding command-and-control operations that can be noticed through log reviews.
Balancing threats without an increased budget isn't easy, but it's possible. Here's how.
1. Avoid Security Product Sprawl
The concept of "sprawl" is familiar throughout the IT realm. IT pros know the challenges of trying to scale and automate management to a rapidly-increasing number of servers, mobile devices, internet of things (IoT) devices, and other technologies that have grown at a meteoric rate.
However, security product sprawl is also a recurrent theme, and it may not be beneficial to your budget or defense mechanisms. The average enterprise is currently using 75 distinct security tools, which raises a host of questions. Who is managing all of these tools? Who is sorting through these tools' alerts? How much budget do 75 unique software licenses eat, and what's the hard return on investment?
Massive or even below-average security product sprawl has the potential to delay incident detection as companies simply struggle to keep up with alerts. In addition, poor integration of decentralized security products can lead to gaps in knowledge, delayed or absent notifications, or other issues.
Choosing fewer products with better capabilities isn't just cheaper, it's smarter and safer. Evaluating your security product portfolio to identify software that doesn't add value or doesn't play well with other tools can reveal room for smarter expenditures.
2. Prioritize Vulnerabilities
In 2015, the top 10 known vulnerabilities accounted for 85% of security incidents with data loss. The message from this is that while it's often not possible to "do it all," doing the bare minimum methodically and consistently can significantly decrease your risks.
Developing a systemic, policy-based approach to vulnerability assessment can allow your organization to identify and close massive gaps on a tight budget. While specific processes can vary, a high-level security assessment process will often include the following steps:
- Define scope
- Select an assessment frequency
- Update network documentation
- Analyze systems
- Test and validate vulnerabilities
- Review findings
- Decide to mitigate or accept risks
- Implement necessary changes
In an average network, there can be hundreds of security alerts generated in the course of a single day, ranging from false positives to potential threats. Purchasing tools with built-in intelligence to inform you when you've moved out of compliance or suffered negative changes to critical system files can automate daily assessment processes.
3. Invest in Compliance
Some large-scale research of organizations that suffered a data breach across multiple industries concluded that 100% were non-compliant at the time of their breaches. In a statement on a three-year study, Verizon reports that 80% of organizations fail interim compliance assessments.
Is mere compliance with PCI-DSS and other regulatory requirements enough? Many security analysts believe that exceeding compliance requirements is much smarter than simply meeting them. There are weaknesses in regulatory requirements, including a specification that critical system files need only be scanned for changes once per week.
However, making it a priority to maintain PCI compliance 24/7/365 is certainly a step in the right direction for brands that are strapped for security resources. It's also cheaper than the alternative. While total investments towards full compliance can start at $10,000 annually, some high-profile data breaches have cost up to $500 million.
Focus on tools that make meeting regulatory requirements easy through automated real-time alerts that inform you when you move out of compliance. This can enable resource-strapped security teams to avoid long periods of non-compliance and resultant risks as well as the potential for costly fines.
To learn more, we recommend the resource How Much Does PCI Compliance Cost? 9 Factors to Consider.
4. Focus on Infrastructure-Wide Detection
In addition to avoiding sprawl, security pros should focus on the acquisition of durable program "workhorses," or tools with the capacity to enable infrastructure-wide detection. As CSO's George V. Hulme jokes, the key is to "avoid the shiny," or products that won't provide an impact equal to their cost. With a judicious selection of the right products, you can maximize your budget and protect against threats.
When it comes to selecting file integrity monitoring solutions for advanced threat detection, it may be helpful to include the following in your product evaluation process:
- Ease-of-Use: Will you need to dedicate significant time and budget to creating internal subject matter experts to derive value from the product?
- Network Coverage: Can the tool monitor all components of your infrastructure and endpoints, including servers, network devices, databases, Active Directory/LDAP, VMware, critical system files, mobile devices, and point-of-sale (POS) systems?
- Log Quality: Will the tool generate comprehensive, human-readable logs with sufficient metadata, or does it require a third-party add-on to yield insights?
- Features: Can you immediately unlock centralized control, multi-platform support, advanced automation, real-time notifications, and detection of existing issues as soon as it's implemented?
- OS Compatibility: It's important to ensure your solution will provide coverage for all operating systems (OS), including Windows, Unix, Linux, and Mac OS.
- Inherent Security: To mitigate insider threats, your tool should not permit the "turning off" or modification of logs by any administrative user. In addition, all databases and data transmissions should be encrypted.
- Built-in Intelligence: To avoid alert fatigue or the possibility of dismissing critical changes, a tool with built-in intelligence can distinguish accurately between positive, neutral, and negative changes.
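As an added illustration of the monitoring cycle behind the criteria above (constructed example code, not CimTrak's or any product's implementation), the script below baselines a directory tree, compares a later snapshot, and separates an approved change from ones that need review; the file names, contents and the "approved" list are made-up sample data.

```python
# Constructed example: one file integrity monitoring (FIM) cycle. Not CimTrak's
# code; file names, contents and the "approved" list are made-up sample data.
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits) for every file under root."""
    return {p.relative_to(root).as_posix(): (hash_file(p), p.stat().st_mode & 0o7777)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict, approved: dict) -> list:
    """Return (path, change, verdict) tuples. 'approved' maps a path to the
    sha256 of an authorised change (e.g. a scheduled patch); any other change
    is a 'review' item rather than being silently accepted."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            change = "added"
        elif new is None:
            change = "deleted"
        elif old[0] != new[0]:
            change = "content"
        elif old[1] != new[1]:
            change = "permissions"
        else:
            continue  # unchanged: no alert, no analyst time spent
        expected = new is not None and approved.get(path) == new[0]
        findings.append((path, change, "expected" if expected else "review"))
    return findings

def demo() -> list:
    """Baseline a constructed tree, apply three changes, and report them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "etc" / "app.conf").write_bytes(b"debug=false\n")
        baseline = build_baseline(root)
        new_conf = b"debug=false\nport=8443\n"          # scheduled config change
        (root / "etc" / "app.conf").write_bytes(new_conf)
        approved = {"etc/app.conf": hashlib.sha256(new_conf).hexdigest()}
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n10.0.0.5 mirror\n")
        (root / "etc" / "unknown.bin").write_bytes(b"\x00" * 16)  # unexpected new file
        return compare(baseline, build_baseline(root), approved)
```

Running `demo()` reports the approved config edit as "expected" and the hosts edit and new file as "review", which is the triage a tool with built-in intelligence performs so that only the unexplained changes consume analyst time.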
Smart, Affordable Tools for Enterprise-Wide Security Protection
It's certainly possible to significantly improve your protection against advanced threats on a limited budget. For many organizations, a key may be a smarter approach to security product acquisition. By avoiding product sprawl, products with inherent security flaws, or tools with a steep learning curve, you can achieve better network oversight while lowering overall spending.
CimTrak is trusted by leading organizations including NASA, Nikon, and the Chicago Stock Exchange. CimTrak offers affordable ease of use, full network coverage, and best-of-class real-time insights. It's also the only file integrity monitoring solution to offer full remediation of unwanted changes directly from the management console, so you can act fast when seconds matter. For a complimentary product demo, click here.
September 8, 2016