A guide to cyber security in the age of emerging technology
Look deeper into data to spot security threats
Leveraging analytics to find patterns and vulnerabilities
When it comes to IT infrastructure and networks, knowing when you have been or are being attacked is not enough. By then, your organization is already moving into damage control. Much of the value in analytics tools and techniques lies in their predictive capability. By pinpointing likely attack vectors, as well as identifying unsuccessful hacking attempts, analytics offer organizations greater understanding of what cyber invaders look like and how businesses can best protect themselves from malevolent forces online.
Shifting threats
Hackers are constantly evolving their strategies and developing new skills. They even form illicit, well-organized networks to share information with each other. A cyberanalytics strategy gives your organization deeper insight into the ever-changing threats posed by different actors and the risks associated with different types of technology. It can help you get a clear view of what you need to do to protect yourself today, and a sightline toward the security targets of tomorrow. Of course, every cyberanalytics solution varies depending on your organization and industry.
It’s about time
Assessing your cybersecurity depends on your organization’s most urgent needs, both in terms of what needs to be protected and the timelines for doing so. Broadly speaking, there are three approaches to monitoring networks, namely:
- Real-time solutions - Focusing on short-term data and small subsets of data to spot threats as they happen.
- Long-term solutions - A “connect the dots” approach examining multiple types of data collected over many months.
- Mid-term solutions - Machine-learning algorithms transform “real-time” information into insights that help organizations understand attack patterns.
The right solution for your organization depends on how much data there is, the activities with which that data is associated and its value to your organization and to hackers. And since it is likely that, eventually, all three approaches will be necessary, a phased-in approach is often valuable.
Key questions
Before deploying a cyberanalytics strategy, every organization must ask itself questions to understand existing threats and determine present and future needs. These include:
- Where does your data reside, and how easy is it for you to “see” that data now?
- What analytical tools do you have in place, and how well do they work?
- What additional types of data will your organization need to do business in the year ahead?
- What future organizational activities may require you to manage or analyze more data?
Seeking the right solution
Many vendors offer “analytics” solutions in name only. True analytics should spot patterns, predict the likelihood of future events and help an organization examine the entire lifecycle of information. Because analytics is applied to cloud, mobile and social applications, it is imperative to understand the unique challenges presented by analytics used in conjunction with those technologies. The specific demands of each industry also play a role. In our connected world, seemingly disjointed events in politics, economics and social media can merge to put your organization in the crosshairs of an attack. Deloitte can assist you in evaluating your company’s specific risks and, more importantly, building and implementing a knowledge-based solution that helps your organization be secure, vigilant and resilient.
Move securely with mobile
Connecting to the benefits, connecting to the solutions
Untethered devices — smartphones, tablets and wireless-enabled laptops — are radically altering all areas of business. As a Chief Information Officer (CIO) or Chief Information Security Officer (CISO), you know that mobility, quite literally, is everywhere. The payoffs for embracing mobile include increased productivity, expanded business opportunities and improved worker satisfaction. What you may not know is how many employees are making their own rules when it comes to mobility and creating potential security risks.
You can take it with you
Almost a quarter of employed Canadians use a personal wireless device to do their job — despite company policies forbidding the practice. Another 11% do so without knowing their employer’s stance.¹ No longer can IT leaders ask if employees should go, are going or want to go mobile. The critical question is how can you manage a mobile-enabled workforce to boost productivity without compromising security? Letting technology trends and individual preferences dictate your mobile strategy is not an option. Organizations must encourage compliance with responsive, sensible and simple policies. The alternative is waiting for employees to begin bypassing controls, leaving data vulnerable to loss or access by outside parties.
Solve the right problems
A comprehensive and robust security plan starts with you. Though security goals may be similar, every company has different needs. Asking workers to use corporate apps on personal devices raises different issues than, say, implementing a “bring your own device” approach. Starting considerations for you may include the following:
- Secure mobile app development — Ensure new tools do not introduce new vulnerabilities.
- App availability, restrictions and platforms — Which apps are allowed, will those apps work securely with the devices/platforms you allow and how will you enforce the rules?
- Technology choices — Every security plan is different and some devices may not suit yours.
- Compromised devices — What happens when a piece of technology is lost, stolen or otherwise breached?
- Third-party monitoring — All technology interacting with your systems matters to your mobile security.
First steps
Maintaining a secure, vigilant and resilient mobile solution requires both policy and technical decisions. But there are ideas all organizations can consider to immediately boost mobile security. These include the following:
- Central mobile device management (MDM) — A variety of MDM solutions are available to accomplish everything from managing inventory to remote wiping of devices, so understanding your organization’s needs is critical.
- Avoid supporting jail-broken phones — Such devices open entry points for malware and are not worth the risk.
- Know what a mixed mobile environment means — More supported devices and platforms mean greater complexity for your security.
Moving forward
Mobile offers tremendous potential benefits. Moreover, there is no going back. A smart starting point is properly assessing your organization’s needs. Deloitte can help.
¹ New Cisco Security Study Shows Canadian Businesses Not Prepared For Security Threats. Date accessed: March 16, 2015
Feel secure in the Cloud
Imagining the changes, challenges, and opportunities
‘Anytime, anywhere’ access to all data and applications is the promise and incredible appeal of cloud-based solutions. But it is critical to recognize that adopting cloud technology creates new security and privacy risks for organizations. Those risks extend to the professionals charged with maintaining resilient, reliable and secure information technology (IT) networks. Moreover, the particular challenges posed by moving to the cloud often mean traditional approaches will need to be modified or completely overhauled.
First questions
Within the rapidly evolving cloud, three high-profile areas of risk should be top of mind for Chief Information Officers (CIOs) or Chief Information Security Officers (CISOs):
- Data residency – Where data lives.
- Data privacy – Who can access data.
- Data leakage – Loss or release of data through errors or malicious acts.
Each of these issues presents its own layers of risk and myriad considerations, from regulatory frameworks to governing security agreements with vendors, customers and other third-party relationships. By understanding the risks, you can begin to set up controls that let you monitor and ensure data security.
Critical considerations
Beyond simply being aware of where data lives and the damage leakage could cause, C-suite executives overseeing IT must consider control of that information once it’s in the cloud. Cloud providers may be registered in a different legal jurisdiction than your own – and subject to different regulations. When your partners move their systems to the cloud, they are likely sending some of your data along with their own. How do you control that? And are cloud providers properly segregating your data on their servers?
Next steps
As with any undertaking, knowledge is power when it comes to embracing cloud-based technology. There are numerous factors with which every CIO/CISO must be familiar as the cloud grows in importance for their businesses and those of their partners. These include:
- Which parts of their business are already in the cloud, and where transitions are underway.
- The “crown jewels” of the organization – vital assets to be protected at all cost – as well as maps of information that might be at risk in any scenario.
- Current security tools and processes and how – or if – they can be repurposed or augmented for cloud-based operations.
A cloud discovery phase is a good place to start. But moving forward, organizations will have to dig deeper to determine everything from data management and policy enforcement to the strategic business advantages the cloud can offer and enterprise-wide crisis response planning.
Cloud-based technology is vital and evolving rapidly. CIOs and CISOs who know where their organization stands, who understand what technology exists and who develop contingency plans will be best positioned to capitalize on the potential of the cloud while maintaining a secure, vigilant and resilient environment.
Ensuring social security
Strategies for organization-wide social media safety
Social media is a powerful tool in the brave new world of connecting with existing and potential consumers. Many organizations are already dependent on various social media platforms — Facebook, Twitter, LinkedIn, etc. — to extend their marketing reach and establish the bonds that turn networks into customers, and customers into brand ambassadors. But the convenience of instantly sharing information with a potential audience of millions brings with it inherent risks.
Trust issues
Sharing and trust are at the heart of social media’s power. But all stakeholders must recognize that a well-planned social media policy is required to help prevent organizations from unwittingly sharing sensitive information. Breaches can – and do – have disastrous implications for online and real-world operations. Hackers using false identities on social sites can befriend your employees to glean information that can be used in an attack. Even seemingly innocuous posts, for example, employees on a career site like LinkedIn discussing software they use at work, can reveal potentially valuable information about your organization’s online security measures. Diligence is the key to avoiding sharing too much.
Who, what, where and how?
Opting out of social media is clearly not an option for any organization. If you’re not online, at best you’re missing opportunities. At worst, you simply don’t exist. Safely navigating social media requires all organizations to establish guidelines for posting online. These must address:
- The type of content you will post, and on which social sites.
- Who will create, access, excerpt or edit information before posting it on social media.
- The type and tone of interactions your organization allows.
- Roles, responsibilities and rules for who manages social accounts.
- Rules for employees accessing personal accounts on company equipment.
- Policy enforcement protocols and consequences for violations.
Understanding social-based online threats is more than just having guidelines and enforcing them. It requires knowing what “crown jewels” your organization needs to protect, the motivations of your potential attackers, the fallout if specific types of breaches within your network do occur and tracking emerging vulnerabilities.
Staying safe
Social media security will not happen by accident and the risks are real, but thorough planning will help minimize risk. Critical steps your organization must take include:
- Determining what information can be shared and which could expose vulnerabilities to hackers.
- Increasing employee awareness around how attacks might be perpetrated via work or personal social accounts and devices.
- Embedding data-loss prevention practices when operating social media accounts.
- Monitoring online social media chatter about your brand and industry.
- Enacting internal controls for accessing sensitive data and managing social media accounts.
- Understanding the impact of social media activity by affiliated third parties and postings by the public on your sites and social media feeds.
- Ensuring you have an inventory of strong passwords for your social media accounts.
- Establishing a crisis management plan and running simulations to ready your response to various scenarios.
Further complexity is added to the social media equation simply because all of the above steps require active management both online and on the ever more popular mobile platforms.
Moving forward
Remember, once something is online, it is there forever. Information that’s innocuous today could create risk in the future. Understanding how to keep your organization safe in this reality is a critical and complex task. Deloitte can help you be more secure, vigilant and resilient.
