An increasingly mobile workforce demanding anytime, anywhere access from any device to corporate systems and lines of business adopting cloud services increase the vulnerability of an enterprise network drastically.
To make matters worse, "over the past 8 or so years during the recession, there was an 80% decrease in the amount of funding for security technology amongst the venture capitalist community," said Kristin Lovejoy, the vice president of IT Risk and chief security officer at IBM. "There has been less innovation during this period to deal with [emerging threats such as hacktivism and advanced persistent threats (APTs)]. The APTs are what keeps me up at night."
So, as organizations strive to reduce costs and increase efficiencies, the risk of skipping over steps due to inadequate resources increases. "We estimate that between 80% and 90% of all sophisticated attacks could have been prevented through simple controls," said Lovejoy.
Simple answer
Despite worries about hacktivists and APTs, the reality is that "99.9% of the incidents involve the [end user] as the inadvertent actor," added Lovejoy. "The irony is that hardware and software are more secure than ever before. The problem is that the systems are now in the hands of the end users. You've got mobile devices and cloud images that are being made available to more people. These are being used by cybercriminals to get inside the organization."
IBM is certainly a giant target with an attack surface spanning "250,000 applications running on about 800,000 IT assets; 250,000 network assets and more than 2 million laptops and another several hundred thousand mobile devices," said Lovejoy. "We change about 4 million user names and passwords daily and expire about 40,000 patches a day."
Basic controls
To help senior executives at IBM understand what is required to balance security or business transformation risks and business innovation, Lovejoy created a list of 10 basic but essential controls for providing in-depth security.