Cybersecurity Is Not Just About Protection, but Detection Too
Following what analysts have called a "disastrous" year for cybersecurity, 43 percent of top security decision makers at major retail firms have said that they plan to increase security budgets by up to 10 percent in 2015, according to a recent report from Forrester Research. Furthermore, Forrester predicts that in 2015, more than 60 percent of enterprises will discover breaches within their organization, but when breaches that remain undiscovered are taken into account, that number is closer to 80 percent.
To better prepare for potential threats, Forrester urges enterprises to pay attention to both external and internal threats. Though many organizations keep a close eye on hackers and other outside attackers, it pays to monitor suspicious behavior by employees as well. When it comes to external attacks, however, organizations must consider switching to payment systems that are more secure than traditional POS systems and credit card processing systems. New payment options such as the EMV standard, which incorporates both chip and PIN technology into a payment card, as well as "contactless" payment systems, such as Apple Pay, may eliminate some of the risk, the report states. Target, for example, has already invested roughly $100 million in EMV following a massive data breach in 2014.
Security breaches can cause customers to lose trust in a company or brand, so Forrester also recommends making customer-facing assets a priority. "If your goal is to stay out of the headlines, prioritize two things," report coauthor Stephanie Balaouras says. "[First,] the customer-facing assets that figure prominently in your firm's business technology agenda, such as point-of-sale systems, and [second,] customer data, such as personally identifiable information about customers that the firm collects, uses, stores, and transmits."
One of the biggest mistakes an organization can make is to overinvest in security protection while underinvesting in security detection. While it's commonly believed that perimeter-based security "is dead," the report points out, companies tend to spend heavily on firewalls and intrusion prevention systems in order to prevent security breaches instead of spending on tools that can pinpoint attacks and contain them quickly. In the coming years, striking a balance between protection and detection will play a key role in company security, especially as the number of breach-related lawsuits—and their associated costs—rises.
The increasing number of lawsuits is also contributing to the growth of the cyberinsurance industry. According to Forrester, companies such as Home Depot and Target have already invested millions in cyberinsurance, and others are expected to follow in their footsteps. Still, Balaouras urges organizations to keep in mind that cyberinsurance may be a way to mitigate breach-related costs, but it typically won't cover all of them. "Target might have $100 million in cyberinsurance, but these policies will have deductibles, and it remains to be seen if every provider will actually pay out," she says, adding that Target's current security breach costs "already far exceed $100 million."