Back in December 2013, Steve Durbin, global vice-president of the Information Security Forum (ISF), outlined the top security threats for 2014, which The Marketing Id has paraphrased below:
1. BYOD (Bring Your Own Device) trends in the workplace – As BYOD mobile devices proliferate in the workplace, businesses of all sizes will see further information security risks being exploited.
2. Data privacy in the cloud – All organizations transferring information on individuals into the cloud must know whether it is personally identifiable information (PII) and therefore needs adequate protection.
3. Reputational damage – Since attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous, an organization’s reputation is at greater risk.
4. Privacy and regulation – Organizations need to treat privacy as both a compliance and business risk issue to reduce regulatory sanctions and commercial impacts, such as reputational damage and loss of customers due to privacy breaches.
5. Cyber crime – Cyber space is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks.
6. The Internet of Things (IoT) – The rise of objects that connect themselves to the Internet is causing a surge of new opportunities for data gathering, predictive analytics and IT automation. As IoT escalates, companies must continue to build security through communication and interoperability.
While threats 1 and 6 have not yet had a major visible or publicized impact in the commercial B2B or B2C space, threats 2 through 5, in part or in combination, have already caused the CEO of Target to be fired. Breaches of cybersecurity, one of the key components in The Marketing Id’s definition of the E=MC5 social enterprise, are turning out to be a serious and potentially catastrophic threat to the global Internet-based business ecosystem.
In fact, in its May 2014 announcement, the Justice Department said it had indicted “five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries,” thus affirming that state-sponsored cybersecurity breaches had crossed a critical threshold in our nation’s economic and technological landscape.
In his May 28, 2014 interview with NBC Nightly News anchor Brian Williams, America’s most famous fugitive, Edward Snowden, said, “The definition of a security state is one that prioritizes security over all other considerations.” It was ironic coming from a man who, as a contractor to the NSA – arguably the world’s premier security organization – caused it to appear instead like a very “Non Secure Agency” when he stole and took off with millions of its classified documents in May 2013.
So it’s only fair to ask, “If our nation’s top security agency can have its network breached by an insider, who can then access and download millions of classified documents without raising any undue alarms, then what expectations should private companies have about cybersecurity as they conduct their daily business over a very public Internet?”
It’s no wonder that Ted Schlein, a general partner with the venture capital firm of Kleiner Perkins Caufield & Byers, made a Rumsfeld-like observation in his May 31, 2014 article, “The Five Tough Truths Of Cybersecurity Software,” about the state of cybersecurity in the business world today. It was former Defense Secretary Donald Rumsfeld who gave us the concept of “known knowns” and “known unknowns” – and Mr. Schlein noted accordingly in his article that there are “two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.”
So Mr. Schlein seemed to suggest that every business enterprise is more or less dealing with that most sensitive of C’s – cybersecurity – either as a known known or as a known unknown. In his article, Mr. Schlein offered this humbling fact: “The game is no longer about prevention; it’s about detection. The average length of time it takes for an advanced persistent threat to be detected on a corporate network is now an alarming 229 days.” Mr. Schlein went on to lament:
“Rather than simply erecting thicker walls to fend off intruders, which becomes increasingly impractical in highly distributed cloud-based architectures, we need to encrypt the data that attackers want. You need to encrypt data all the way to the browser, and the browser itself has to be 100 percent authenticated. But you have to hide the complexity. The whole thing needs to be seamless.”
Google, which has been at the forefront of technological innovation, announced on June 3, 2014, that it would start providing end-to-end encryption for its Gmail service via an extension to its Chrome browser. This is just a small step at the start of a long and winding road towards cybersecurity nirvana, as BYOD, HTML5, IoT and PII issues have not really begun to make a significant dent in the E=MC5 enterprise. Nonetheless, a cloud-based network is only as secure as its weakest link, which today randomly pops up largely at its fuzzy edge – where unknown devices constantly attempt to gain access to a targeted network.
If an unknown edge device (a.k.a. an advanced persistent threat or APT) can be rapidly detected – Mr. Schlein says “We need to get that down to 24 hours — or one hour” – the cybersecurity battle is half won. The challenge is then going to be in winning the other half of the battle, which is to rapidly contain potential damage caused by an unknown edge device or APT that might have compromised an E=MC5 enterprise’s network. Meanwhile, cybersecurity efforts in the B2X space remain largely individual, asynchronous and reactive. The corporate world needs to come together (yes, through collaboration and communication) and institute preemptive measures akin to a “war on cyber terror” — as the future of business depends on how securely we conduct the business of the future!