It’s that time of year when various articles and surveys appear on the state of the technology industry. It should come as no surprise that the topics of cyber security and, in particular, data security feature prominently. With threats showing no signs of slowing down in 2019, it’s also time we took a closer look at the roles IT Security and Information Security should play in combating them.
2018 Cybersecurity in Review
IDG recently released its 2018 U.S. State of Cybercrime Survey and, not surprisingly, 2018 has seen an increase in cybersecurity threats over 2017. IT spending on solutions to combat them is also on the increase, and the financial penalties suffered by those falling victim to breaches are also getting bigger.
It was a little disappointing to see that most of the commentary stemming from this publication has focused on one thing – beefing up external-facing protection. It’s certainly true that the largest percentage of cybersecurity threats originate from external parties, but a significant percentage result from internal threats. The major focus on external threats is where potential conflict between IT Security and Information Security can occur – particularly when we throw in internal users’ desire to freely collaborate when, where and how they like.
Where Do Insider Threats Rate on the Risk Scale?
Accidental mishandling and malicious insiders together account for around 50% of data breaches. The former type of breach vector should be of concern for anyone worried about GDPR compliance, as a breach due to mishandling of sensitive data would come under intense scrutiny under those regulations. Nordstrom recently suffered from an insider incident, although it was sensitive employee data that was exposed due to mishandling by a contractor, as opposed to vast amounts of customer data.
If we look a little deeper into the breaches that are instigated by external parties, we find that insiders often play a significant role in these incidents too. A typical attacker’s strategy is to land and expand to find weak points in the infrastructure. In a huge number of cases they successfully find the hacker’s jackpot – user or system credentials that will give them access to the most sensitive data. Therefore, a key strategy in the fight against external attackers is to adequately protect against threats from inside as well as outside.
Encouragingly, the IDG report does note that IT spending on tools to discover breaches faster is on the rise. Tools with capabilities for detecting unusual user file downloads based on the volume of files or the time of access would certainly help to detect, and possibly stop, accidental mishandling, malicious activity or an external party impersonating a legitimate user.
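To make the volume-and-time detection idea above concrete, here is an added example (not from the article or any vendor product) that flags off-hours downloads and per-user hourly download spikes over a few constructed file-access log lines. The business-hours window and the hourly ceiling are assumed values a team would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real data): "<ISO timestamp> <user> <action> <path>"
SAMPLE_LOG = """\
2018-12-03T09:12:04 alice download /finance/q3-forecast.xlsx
2018-12-03T09:15:21 alice download /finance/q3-actuals.xlsx
2018-12-03T10:02:09 bob download /hr/onboarding-guide.pdf
2018-12-03T23:41:10 bob download /hr/payroll-2018.csv
2018-12-03T23:41:12 bob download /hr/payroll-2017.csv
2018-12-03T23:41:13 bob download /hr/employee-ssn-export.csv
2018-12-03T23:41:15 bob download /hr/benefits-enrollment.csv
2018-12-03T23:41:16 bob download /hr/contractor-list.csv
2018-12-03T23:41:18 bob download /hr/salary-bands.xlsx
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal working window
MAX_PER_HOUR = 5                             # assumed per-user hourly ceiling


def parse_log(text):
    """Turn raw lines into (timestamp, user, path) tuples for download events."""
    events = []
    for line in text.splitlines():
        ts, user, action, path = line.split(" ", 3)
        if action == "download":
            events.append((datetime.fromisoformat(ts), user, path))
    return events


def detect_anomalies(text, max_per_hour=MAX_PER_HOUR, hours=BUSINESS_HOURS):
    """Return {user: [alert, ...]} for off-hours access and hourly volume spikes."""
    alerts = defaultdict(list)
    per_hour = defaultdict(int)
    for ts, user, path in parse_log(text):
        # Time-of-access check: anything outside the business window is flagged.
        if not (hours[0] <= ts.time() < hours[1]):
            alerts[user].append(f"off-hours download of {path} at {ts.isoformat()}")
        # Volume check: count downloads per (user, calendar hour) and alert once
        # when the ceiling is first exceeded.
        bucket = (user, ts.strftime("%Y-%m-%dT%H"))
        per_hour[bucket] += 1
        if per_hour[bucket] == max_per_hour + 1:
            alerts[user].append(f"more than {max_per_hour} downloads in hour {bucket[1]}")
    return dict(alerts)


if __name__ == "__main__":
    for user, items in detect_anomalies(SAMPLE_LOG).items():
        print(user, *items, sep="\n  ")
```

In the sample, alice's daytime activity produces nothing, while bob's burst at 23:41 produces both an off-hours alert per file and a single volume alert.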
Information Security versus IT Security
While it is good to see that organizations are recognizing that they need to invest in addressing internal threats, there is still some concern that the money will not be spent in the right place or with the appropriate guidance. This is where the muddle between Information Security and IT Security comes in.
On the surface the priorities of both often seem aligned, to the point that IT often has responsibility for Information Security. However, in the collaborative world in which we live, the subtle differences between the two functions can result in significantly conflicting goals and put sensitive data at risk. When IT carries this function, the focus is often skewed towards IT departmental views as opposed to the organization-wide view that Information Security should have.
A recent article in Dark Reading summed up why the different perspectives result in different priorities, “IT priorities are adaptability, technical features, and efficiency; infosec priorities include confidentiality, integrity, and availability.”
Aside from the different perspectives and requirements each of these functions brings to the data security table, there is an even bigger issue: the verification of any information security measures is being carried out by the people who implemented them – an obvious conflict of interest.
Information Security and the Internal Focus
Apart from removing a potential conflict of interest, there are other significant benefits to establishing a separate information security perspective for protecting your sensitive data. Given the way that our users collaborate today, we can no longer think of either our data or our users as static entities in space and time, which is how a lot of traditional IT security strategies have regarded them. The reality of a world where it is advantageous from a business perspective to allow users the freedom to openly collaborate with (almost) whomever they choose means that we must be much more dynamic with our protection strategy.
The pure IT perspective will focus on, among other things, access and device control, which contribute greatly. However, when and how to apply those types of controls is best governed by rules devised by Information Security. Sometimes it might be perfectly acceptable to have full control of a document on a mobile device. At other times of day, or for other content, it may only be appropriate to have a secured view of a file. Content and context are essential to modern information security strategies.
Data Loss Prevention (DLP) and Rights Management IT solutions are some of the technology enforcers in these scenarios. But the nuances of how they operate need to be aligned to the business needs that the Information Security team often has a more “global” view of. Additionally, given that a breach is extremely likely to happen to you at some point, you have two choices: rely on swift detection and a good response plan, or take advantage of how information security strategies can mitigate the impact of a breach.
By adopting solutions that are content and context aware, you can ensure that if a breach occurs the restrictions that are in place to protect users from themselves will also prevent someone impersonating a legitimate user from absconding with GBs or TBs of sensitive data. Equally, such controls will mitigate the impact of a malicious insider trying to steal data.
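The "content and context" idea in the two paragraphs above, as an added example that is not from the article or any DLP or rights-management product: a small first-match rule evaluator that maps a document's classification (content) together with device state, time of day and operation size (context) to full access, a secured view, or a deny. The labels, working hours and bulk limit are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import time


@dataclass
class Access:
    user: str
    label: str            # content: "public", "internal", "confidential", "restricted"
    device_managed: bool  # context: request comes from a corporate-managed device
    at: time              # context: local time of the request
    file_count: int       # context: files touched by this one operation


WORK_HOURS = (time(7, 0), time(19, 0))  # assumed business window
BULK_LIMIT = 20                          # assumed per-operation file ceiling


def off_hours(a):
    return not (WORK_HOURS[0] <= a.at < WORK_HOURS[1])


# Ordered policy: the first rule whose predicate matches decides the action.
# Returning the rule name alongside the action keeps every decision explainable.
RULES = [
    ("public-content",
     lambda a: a.label == "public", "full"),
    ("bulk-export-blocked",          # caps what a compromised account can pull at once
     lambda a: a.file_count > BULK_LIMIT and a.label != "internal", "deny"),
    ("restricted-needs-managed-device",
     lambda a: a.label == "restricted" and not a.device_managed, "deny"),
    ("unmanaged-view-only",          # mobile/BYOD gets a secured view, not a copy
     lambda a: not a.device_managed, "view-only"),
    ("off-hours-view-only",          # same content, different time, different control
     lambda a: a.label in ("confidential", "restricted") and off_hours(a), "view-only"),
    ("default",
     lambda a: True, "full"),
]


def decide(a):
    """Return (action, rule_name) for an access request."""
    for name, predicate, action in RULES:
        if predicate(a):
            return action, name


if __name__ == "__main__":
    print(decide(Access("alice", "confidential", True, time(10, 0), 3)))
    print(decide(Access("alice", "confidential", True, time(23, 0), 3)))
    print(decide(Access("bob", "confidential", True, time(10, 0), 500)))
```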
Time to Think Information in Conjunction with IT Security
The current cybersecurity threat landscape of external attackers, malicious employees and careless or accident-prone users presents an interesting challenge for organizations. 2019 could truly be a crossroads in the battle to protect our most sensitive data. Organizations that recognize, and give appropriate authority to, an information security team and strategy that works in partnership with an IT security strategy will be in a stronger position to protect their sensitive data while also empowering their users to freely collaborate to better achieve their business goals.
There will undoubtedly be times when conflicting priorities arise, but by having two distinct strategies, business leaders will be able to make better-informed decisions on the best route to take.