It seems like you can’t turn on the news these days without hearing about someone’s network security being compromised. Even Forbes.com now keeps its audience up-to-date on high-profile hacking cases in its regular Data Breach Bulletin. In early September alone, Home Depot and Dairy Queen may have had their credit card data compromised, Chase Bank may have been hit by Russian hackers, and the news of celebrities’ private images being stolen in an iCloud hack reminded us all of the truly invasive nature of a security breach.
“[It’s because of] the number of connected devices that people are using and the things that they are doing with them,” said Tash Hepting, a Silicon Valley IT security expert offering a succinct but comprehensive explanation for all the headlines related to data breaches and security needs. “The number of devices is expanding incredibly rapidly, and people aren’t thinking about how connected they are.”
Constant Connection Means Security Risks
CompTIA’s 11th Annual Information Security Trends study shows data breaches cropping up with growing frequency, and recovery taking longer than ever before. In the context of individual lives, this constantly connected world can mean anything from being inconvenienced to being extorted. For businesses, it can mean massive losses in profits and legal nightmares when proper security protocols aren’t taken.
According to data cited in its “Security Trends” study, McAfee Labs indexed more than 18 million new types of malware in 2013. Simultaneously, the Ponemon Institute’s fourth annual “Cost of Cybercrime Study” reports cybercrime costs have risen 78 percent in the past four years — and the time it takes to recover from cyber-attacks has increased by 130 percent.
“It is clear to see why companies view security as a top priority,” according to the Security Trends study. “However, it is less clear that companies are fully aware of which actions to take in order to build an appropriate security posture for a new era of IT.”
SMBs Slow to Respond to Emerging Threats
Providing IT solutions for clients in this new era poses new demands in technology and otherwise. Meeting the requirements of regulatory compliance, for example, is once again important at the enterprise level, which now falls under the purview of small- to medium-sized businesses (SMBs).
Russ Hensley of Hensley-Elam has seen the industry change tremendously since he co-founded the solution provider company in 1998. One of the most formidable challenges he faces is educating clients on what steps they can take to adequately secure their networks.
“[Clients] see the Targets, they see Zappos, they see everyone’s getting hacked, then they trust their IT guy — that he knows what they need,” said Hensley. “But then the IT at the company may be struggling to understand what they need to be doing. I think that’s a real challenge."
According to the Security Trends study, businesses, especially SMBs, appear to be lagging in their understanding of emerging threats. “Small businesses consistently reported a lower level of concern or less belief that threats are more critical today,” the report reads.
It goes on: “82 percent view their current level of security as completely satisfactory or mostly satisfactory. In theory, companies may not exhibit concern over threats because they have taken the necessary steps for protection. However … companies may be assuming a satisfactory level of security without truly performing due diligence to understand their exposure.”
For his part, Hensley stresses the importance of due diligence to his clients and tries to find relatable ways to talk to customers about the value of data — a security discussion that helps him drive the point home.
“When I sit down and start having conversations with businesses about what their identity data is worth, that’s when they first have a conscious thought. ‘Oh, there’s another asset there,’” said Hensley. “They look at an asset as, ‘What’s the business expense if the building burns down?’”
Instead, he said, you’ve got to help them calculate their assets related to data; for example, 7,000 identities worth $150 a head. Tell clients they’ve got $1.5 million in identity data “and then they perk up a little,” Hensley said. “Then they understand risk.”
IT Skills Shortage Affecting Security Needs
Of course, explaining the need for security is just one side of the coin. Hiring IT staff capable of understanding, assessing and clearly communicating these risks continues to be a challenge. “The continued focus on information security has meant that it is one of the unique fields where demand exceeds supply,” according to the Security Trends study.
“Companies are at less than optimal levels when it comes to security,” according to the study. “Twelve percent of companies feel that their security team … is significantly deficient in skill level and another 21 percent feel that their security team is moderately deficient.”
In order to find credentialed, reliable and high-level IT staff with the people skills to communicate needs to corporate clients, Hensley has had to look as far away as Dayton, Ohio, for qualified candidates. That’s more than a two-hour drive from the company’s Lexington, Kentucky, headquarters.
Hepting has likewise faced challenges hiring qualified IT candidates in numerous roles throughout his career, but warns businesses against the temptation of going rogue with IT solutions. “It may seem like it’s cost-effective to go and buy an access point off the shelf at your local electronics store for your business, but you’re doing — it’s not even an analysis,” said Hepting. “You’re rolling the dice on whether or not you’re going to have an incident.”
The security threats to businesses of all sizes are severe and ever-growing, and the shortage of qualified security talent poses big concerns, especially for small businesses. But perhaps there is a bright side to the high-profile data breaches: They’re so prominent that they’re making businesses aware of what’s at stake and highlighting the importance of doing IT security correctly.
“[Security] is in everybody’s consciousness right now, and I think that’s the best thing,” said Hensley. “Security starts with knowing you’re not secure.”
To improve either your IT security skills or those of your entire staff, click here to get started with CompTIA Security+ today.Matthew Stern is a freelance writer based in Chicago.