Like beauty, the perception of threat may be in the eye of the beholder. At least, that appears to be one way to summarize the conclusions of a new global survey by The Economist Intelligence Unit (EIU), sponsored by VMware. The survey found a systematic disconnect on the significance of cyber security between C-suite executives (CEOs, COOs, and CFOs) and senior technology leaders (CIOs and CISOs).
The C-suite tends to focus on the strategic implications of a cyber attack, and specifically on the impact it may have on the firm’s reputation or brand. The security executives see cyber threats through a very different and far more tactical lens: their focus, as you might expect, tends to be on protecting specific corporate assets, such as customer data, regulated information, corporate apps, and so on.
Three for the Money: Cyber Threats and the Corporate Boardroom
Despite the differences between the two sets of corporate leaders, they do share one significant area of agreement, and that is on the origins of future threats. Both segments believe that new technologies pose the greatest threat to their organizations. Both C-suite and security leaders agree that the top three threats come from cloud computing, Bring Your Own Device (BYOD) policies, and the unknown threats, malicious or inadvertent, that these new technologies help make possible.
Data Breaches, Data Losses: The Dark Side of the Cloud
Both sets of executives share the belief that cloud computing poses the greatest risk to their firms. More than one-third consider their firm’s cloud architecture their greatest single point of vulnerability to cyber attacks. Since the survey finds that C-suite executives also consider theft of customer data to be the threat that can do their firms the most harm, this should come as no surprise.
Scarcely a week goes by without news of another massive data breach. In the past few years, sophisticated malware programs were used to infiltrate the clouds of both retail and online giants—and the IRS. Each attack exploited another vulnerability in cloud architecture. In one case, the malware entered via the company’s POS system; in another, through a hole in the company’s access identification system; and in yet another, through the company’s unencrypted email system.
In each case, the results were high profile and dramatic. In one, more than 100 million credit cards and email accounts were hacked; in another, 70 million credit cards; and in the IRS attack, at least 100,000 social security numbers.
Given the widespread publicity cloud computing receives in the aftermath of massive data breaches like these, it is no wonder that it is considered the number one threat. But that perception is enhanced, of course, by the fear of the unknown, which any new technology provokes at first. Cloud computing is still a nebulous concept to grasp, as the privacy and regulatory issues arising from data sovereignty make clear. In fact, a recent study noted that fully two-thirds of corporate firms had no idea where, or even in which country, the cloud storing their digital data was located.
BYOD: Consumerization of IT vs. Corporate Security
Despite widespread adoption, BYOD is still a source of fear for both sets of boardroom executives because it adds a constant, asymmetric security threat. The consumerization of IT has long since swept through the enterprise workplace, and in most organizations today, employees are the ones responsible for securing their own, non-corporate-issued devices. That lack of corporate control creates widespread vulnerability to attack.
One avenue can be quite simply the employee’s own negligence: he or she inadvertently installs malware or shares corporate data over public networks. Because employees are constantly adding new apps to their devices and connecting to public Wi-Fi networks without proper security protocols, mobile phones and tablets are considered the weakest link when it comes to security, and the most prone to malicious attacks. In fact, one recent study revealed that 97 percent of employee devices contained privacy issues, and 75 percent lacked adequate data encryption. With figures like that, it’s no wonder BYOD sparks fear across the boardroom.
Last but Not Least: “The Ones We Don’t Know, We Don’t Know”
The last of the cyber threats on which the C-suite and security leaders all agree are those described in the survey as “threats that move faster than our defenses.” In other words, they fear the future threats that security defenses may anticipate but don’t fully understand. Or, as former Secretary of Defense Donald Rumsfeld once famously said, “the unknown unknowns—the ones we don’t know we don’t know.”
Without the right security protocols, an employee or customer can unwittingly compromise an enterprise’s security. Then, of course, there’s the more obvious threat of a hacker who can intentionally introduce a virus or some other cyber threat for which the organization’s defenses are just not prepared.
The Stuxnet computer worm provides a great example of just this kind of intentional cyber attack. At a 2010 nuclear power conference in Europe, the conference hosts gave all of the attendees complimentary data sticks as part of a package of attendee room gifts. It is believed that the CIA, along with Israel’s security service, Mossad, planted the Stuxnet worm in a data stick that was intentionally left in the room of an Iranian nuclear scientist. Stuxnet was designed to infiltrate Microsoft Windows networks and systems. Once there, it targeted the industrial design software and thoroughly disabled the centrifuges critical to the operations of Iran’s leading nuclear enrichment plant. Tom Cruise couldn’t have done it better.
The Next Step: Bridging the Great Divide
Agreement between C-suite and security executives on the top three cyber-security threats is a start toward bridging the great security divide. With that common ground, organizations now have the opportunity to take a more strategic approach to cyber threats: a new approach that respects and understands each side’s concerns, budgets, and corporate priorities, that benefits both sides, and that results in better, more cost-effective, flexible, and comprehensive security solutions.
Stay tuned on Radius for tips on how to bridge this divide in your own organization and define a comprehensive security plan that addresses the concerns on both sides of the boardroom.
Read the full report from The Economist Intelligence Unit to learn more about the Top Three Threats to Cyber Security.