Priorities for the year ahead

After the breach: Rapid response

In this section:

Risk assessments: A risk assessment will help your organization set priorities for cybersecurity investments.

Automation tools: Organizations have a growing arsenal of tools to help mount strong defenses against known threats.

Awareness & training: The ultimate success of a security strategy rests with employees.

Bottom line: Defending against known threats requires attention to three core elements: risk assessment, tools, and training.

No doubt, organizations face a daunting set of challenges from known threats and the mainstreaming of cyberattack tools and methods. Overcoming these challenges requires attention to three core components: risk assessment, tools, and training.

Risk and vulnerability assessments

Whether a large multinational corporation or a medium-sized store chain, all organizations can benefit from adopting a two-phase methodology for assessing their risk:

Information gathering. Phase one sets the scope for the risk assessment and documents relevant systems, networks, and a variety of operational processes. This phase also spots possible threats and vulnerabilities.

Risk analysis. Phase two involves a control and impact analysis of the collected information to evaluate the likelihood of a breach. Organizations learn the overall risk of a cyberthreat attacking a given vulnerability within their system.

The outcome of the analysis depends on an organization’s size, industry, and goals. For example, some options for mitigating risk — such as preparing for a zero-day attack — may only make business sense for large banks or multinational corporations.

Aligning resources with weak spots

Your investments should align with identified weak spots. But cybersecurity investments involve more than preventive tools, of course. Organizations that make security a priority invest in a multilayered approach that encompasses:

Prevention. 89% of organizations in the AT&T survey will invest in intrusion detection and prevention initiatives over the next year.

Threat detection. More than 8 in 10 organizations are investing in tools for threat monitoring, threat analysis, and mitigation.

Incident response. 85% of organizations plan to continue or begin investing in an incident response program. But as was discussed in our previous Cybersecurity Insights report, simply having an incident response program isn’t adequate. Frequent testing is required to help your organization respond swiftly and effectively to a breach.

Cybersecurity insurance is another area for consideration. A robust 89% of survey respondents either have a cybersecurity insurance policy in place or plan to purchase one — a further hedge to help against the impact of both known and unknown threats. As risks grow in volume and scope, insurance premiums are expected to triple to $7.5 billion by the end of the decade, from around $2.5 billion today [32] (see Cyberinsurance: A new frontier).

A growing emphasis on incident response

Do you have a cyberbreach response plan?


Cyberinsurance: A new frontier

With breaches happening all too frequently, insurance policies specifically designed to cover cyberrisk have become more appealing. More than 50 insurance companies now offer cybercoverage, according to the Financial Services Roundtable [33]. But in an evolving market, no two policies are alike, and that can make buying cyberinsurance a somewhat difficult proposition.

In this new market, costs of a data breach can vary widely depending upon the type of data stolen, the industry, and company size. Emerging threats can also make it difficult to determine adequate coverage. Two years ago, few people had even heard of ransomware. It’s one of the fastest-growing categories of cybercrime, but few policies cover it.

There is no “one size fits all” policy. Prospective buyers should consider their industry, products and services, data risks and exposures, the quality of existing IT security, and revenues.

Other factors to consider before purchasing cyberinsurance include your organization’s vulnerability and potential losses, the cost of notifying compromised individuals, identity theft protection, regulatory penalties, loss of market value, brand damage, legal fees, technology fixes, and management time lost dealing with the problem.

Policy exclusions also can vary. For example, some insurers won’t pay for select legal fees or for damage to the organization caused by a state-sponsored attack.

Nearly all insurers require sound security practices from their policy holders. Failure to use strong access controls, encryption, password protection, and even formal employee education, among other measures, can result in a denial of coverage.

Organizations' investment plans for the next 12 months show a mix of traditional defense, training, and advanced tools.

Tools: A shift toward automation

A new generation of threat analytics tools is helping overwhelmed security analysts identify the most serious threats lurking amidst the alert noise. But their greatest strength may be their ability to counter those threats with little or no human intervention. More than half (56%) of survey respondents plan to increase their investment in next-generation tools such as threat analytics and machine learning technology over the next three years.

The application of big data analytics to threat identification and mitigation has quickly emerged as one of the more obvious uses of this technology. Not only are the volumes of cybersecurity data staggering, so are the time demands associated with them. Even a brief delay in identifying a threat can mean the difference between neutralizing an attack and falling victim to a breach.

Big data analytics takes the problem of too much data and turns it on its head — the more data these systems have to work with, the more effective they can be. Adding machine learning to the mix can increase insights further by teaching systems to identify new cyberthreats on their own and alert their human partners.

“We now can combat attackers by helping machines learn faster than attackers can invent,” says Chris Parsons, vice president for Big Data Strategy and Business Development at AT&T.

Awareness and training: Not one and done

Help protect your organization against the majority of cyberattacks. Conduct a risk assessment, pinpoint your weaknesses and know the likelihood of a successful attack anywhere in your organization.

A simple click on an email link is all it takes to leave an entire company vulnerable to a devastating attack. By engendering a culture of cyberawareness and responsibility among employees, an organization can significantly strengthen its cybersecurity posture.

Not investing in cybersecurity awareness can have severe consequences:

  • Losses resulting from employee negligence are growing, with no slowdown in sight. More than 7,000 businesses in the U.S. suffered accumulated losses of around $740 million after their employees fell for email-based phishing scams between 2013 and 2015 [34].
  • In 2016, cybercriminals modified an old phishing scam that targets company payroll departments, fooling them into providing W-2 tax forms containing Social Security numbers and other personally identifiable information [35].
  • Employees continue to ignore warnings not to plug USB flash drives from unknown sources into their computers. When researchers from the trade association CompTIA ran an experiment leaving the storage devices in public locations in Chicago, Cleveland, San Francisco and Washington, D.C., about 20% of the people who found the flash drives plugged them into their own devices [36].

A cyberaware company recognizes that employee education requires more than office posters and reminder emails. In the AT&T survey, 27% of organizations are planning new in-house training investments over the next 12 months. However, almost 10% have no budget set aside for security awareness training.

“Targeted education goes a long way in employee compliance with security policies,” says Sundhar Annamalai, executive director for Integrated Solutions at AT&T.

Employees need to understand that threats aren’t limited to phishing emails. They include phone calls from cybercriminals posing as help desk representatives, free tablet offers to employees who register with work-related information, unsecured or fraudulent Wi-Fi hotspots, and weak passwords used for personal and work login credentials. Training should expose employees to the broad spectrum of threats, along with tips on the role everyone plays in their mitigation.

Such tactics are scalable for any budget; campaigns can launch with a few short videos or an infographic. At a minimum, you want employees to leave with an appreciation of cybersecurity basics: how cybercriminals can use social engineering to gain their trust and infiltrate your organization.