Cyber Security in the IoE Era
Pravin Srinivasan, Lead, Security Sales, Cisco India and SAARC
The article was published in the Financial Express
The Internet is now connecting people and things at a breathtaking pace and bringing together information from previously unconnected sources; it is promising expanded business capabilities, a richer user-experience and hence unprecedented economic opportunities. Over the next decade, this network of physical objects accessed through the Internet- the “Internet of Things”, will bring billions of data-generating devices online and connect this vast stream of data with people, processes and other devices. Described as the “Internet of Everything “(IoE), this will help create a connected world that can intelligently and intuitively respond to what people need and want.
However, the capability for businesses to capture the value of the rapidly evolving IoE hinges on making the most of their IT infrastructure to leverage five key technology trends: cloud, mobile, social collaboration, distributed data and security. As businesses invest in these new technologies CIOs are tasked to cut overall costs and rationalize the different mandates to enable IoE. They are challenged to develop new business models that take advantage of this emerging technology environment and manage the associated cyber risks.
It is critical that businesses develop capabilities to analyse and understand weaknesses within the security landscape, create awareness—about the entire attack continuum—before, during, and after an attack—and adopt security solutions that operate everywhere a threat can manifest itself. This is because the cyber threat landscape today has grown in leaps and bounds. The potential ‘attack surface is much bigger today and cyber- crimes are not only sophisticated but are also well-funded, capable of causing major business disruption.
The evolved threat landscape
According to the Cisco 2014 Annual Security Report, the average cost of a security breach has increased to 5.4 million dollars in 2014, up from 4.5 million dollars last year, threat alerts grew 14 percent year over year and malicious exploits are gaining access to web hosting servers, name servers, and data centers. More than 90 percent of websites are vulnerable to hackers as against a mere 8.3 percent websites that are protected. In fact 100% of corporate networks surveyed showed signs of malicious traffic. The main targets of attacks were company websites while social media, phishing, and email spam were prime attack vectors. A case in point is the May 2014 report from eBay confirming that its site was hacked and users' passwords were compromised although there was no evidence any financial information was accessed.
A report by Arbor Networks reveals that the year 2013 India witnessed a huge rise in attacks on the banking and financial services sector (136%), and government establishments (126%), over the previous year. The second half of 2013 saw increased attacks on Indian websites, the most vulnerable being those of government organizations, banking and finance, oil and gas, and emergency services, according to a report by the Indian Computer Emergency Response Team (CERT-In).
Global concerns about India's internet security practices rose after June 25, when hackers broke into the National Informatics Centre (NIC), which runs e-mails of all central government officials as well as websites of various ministries and accessed information on its root directory that hosts the most sensitive data.
Holistic security is the need of the hour
Given the above, businesses must transform at a fundamental level to ensure they take the maximum advantage of the shift to IoE. Considering that the number of attacks has grown at an unprecedented pace, security solutions need to take a visibility-driven, threat-focused and platform-based approach, only then will they have a security posture that aligns with changing business models and attack vectors. Such solutions will continuously protect networks across a dynamic threat landscape, reduce complexity and fragmentation of security solutions and enable business to support new technologies.
Solutions that can provide full contextual awareness of users, mobile devices and apps and provide users with dashboards and drill-down reports of discovered hosts, suspect applications, threats, and indicators of compromise for comprehensive visibility will be sought after. Using such advanced security platforms will dramatically expand the addressable area of attack and protect against the full spectrum of attacks, known and unknown.
Opportunity and way forward
The addressable security market opportunity in Asia Pacific today is worth more than $2billion. While the firewall is still the largest piece of the pie, the fact that security budgets are on the rise across sectors (be it Government, financial services or ITS) means that partners, vendors and solution providers have a part to play in providing a broad portfolio of integrated solutions that deliver visibility and continuous advanced threat protection across the entire attack continuum. In countries like India it is estimated that IT spending has gone up from 1-2% of revenues a few years ago to as much as 5-10% in some cases.
Added to this, the government is investing heavily into e-governance services and smart city projects all of which imply that the demand for a broad portfolio of solutions will increase. From an organization perspective the need to facilitate quick, simple, smart, intelligent and fully secure connections as data grows will prompt the adoption of integrated security solutions that help manage the associated cyber risks.
Organizations must relook at the way they have built security services in the past and re-evaluate the security policies they need to invest in the future if they have to take advantage of the new business opportunities:
- Clearly devising a robust security strategy and reforming dated policies is the first area that CIOs and CISOs need to evaluate - a dynamic strategy that is equipped to deal with the most modern risks.
- Investments in secure infrastructure to address the challenges that trends like BYOD, IoT and mobility are another aspect that cannot be ignored. Having a framework that ticks all the right boxes is imperative. The key is to keep evolving. With an increasingly sophisticated threat landscape, it is vital to ensure that the solutions don’t stagnate when the risks multiply.
- Lastly, every organization must be prepared. The possibility of an attack cannot be ignored. Hence, it is always advisable to have a contingency plan that can be put into effect as soon as there is a strike instead of going into a disorderly crisis mode.
New business models, for example Security-as-a-Service (SecaaS) delivered via the Cloud, pave the way for enterprises to avail the services of experts while keeping operational costs under control and access security services that are robust, reliable, scalable and cost effective. At the end of the day, in order to succeed in an internet-based environment, organizations must believe that cyber security is no longer technology but a business process.