Cyber Insecurity In 2016: We Are Not Ready

Tech security remains a very real worry as we head into the new year.
Posted January 21, 2016 by Rob Enderle


Recently I moderated a panel for Intel and their Business Skylake launch.  This new platform is unique because Microsoft and Intel were in lockstep when it came to hardening it against internal and external threats. 

But the panel went well beyond client security: we spoke about staffing, the nature of the threat, how companies were hiding from their exposures, and how the US government was bleeding security talent.  We also spoke about the fact that employees who are properly qualified can pretty much name their own salaries at the moment. And given that the staffing shortage is likely to continue, if your kid wants to know what to study that is both exciting and lucrative, you now have an answer. 

Let’s talk about how the Intel Skylake For Business Security Panel pretty much scared me half to death. 

Most Companies Think They Are More Secure Than They Are

The overall consensus was that most if not all companies are compromised, either through active attacks or by now-dormant malware waiting for a trigger to do what it was designed to do.  Many of these firms judge their security readiness by how much money they have spent rather than by real-world tests of the adequacy of their protection. 

Most firms implement a host of tools that weren’t designed to work together and expect that somehow, nearly magically, in the face of a major breach attempt they will suddenly function as a solution even though that has virtually never been tested.   New CSOs are generally hired to both increase security and reduce budget, which suggests that the results look good on paper but fall far short of what is promised. 

In short, much of the money being spent is focused on looking secure, not being secure, and when a breach occurs the resulting audit will likely find that the executive team was negligent. 

Passwords Don’t Work

Simply by eliminating passwords and implementing a solid dual factor authentication system, up to 50% of a firm’s existing exposures could be mitigated.   There is a generally held belief that even firms that have a dual factor authentication system largely don’t use it because it aggravates users.  As a result, there is a massive push by experienced CSOs to eliminate passwords and move to a dual factor authentication system.   You likely can tell the experienced CSOs from the inexperienced CSOs simply by looking to see whether they are driving an effort like this.  

The US Government Is Bleeding Security Experts

If it hasn’t happened already, the US will shortly lose its ability to mitigate or respond to cyber threats.  This is because the shortage of cyber security experts is driving massive compensation programs that the public sector can’t match.  Any security expert who doesn’t currently have a job and is looking for one likely has issues with their credentials or work history that make them ineligible for a job like this.  There is so much demand for security skills that anyone who can do the job can almost name their salary and benefits package.  

A Lot Of Companies Are About To Lose A Massive Amount Of Business

The US government procurement process has been altered so that anyone doing business with it must shortly comply with a massively invasive security specification.  This specification covers any of their suppliers as well.  

Most firms are not prepared to meet this requirement, and any business they have that directly or indirectly flows to the government will fail as a result.  Rather than forcing through a law with security requirements, the government made them part of the procurement rules, which pass down through suppliers.  Pretty sneaky, but it is clear that most firms that don’t do direct business with the government haven’t thought through the implications of this.  Granted, enforcement will be nasty, but getting caught as non-compliant as a primary supplier could be a going-out-of-business event, so expect some panic when folks think this through. 

Wrapping Up: Microsoft and Intel Got It Right

While the solutions Intel presented, tied at times to Microsoft’s Windows 10 platform, were the reason for the presentation, they paled in the face of the threat landscape, and the panel praised Intel and Microsoft for the progress they had made.  They felt the moves were a solid step in the right direction and would be a critical part of a far more comprehensive approach to keeping the enterprise safe. 

Even so, I left the presentation thinking that an investment in a good solid bunker would be a major part of an incredibly prudent strategic personal plan.  

Photo courtesy of Shutterstock.