Cybersecurity can cause organizational migraines. In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018. Even Congress is acting more quickly to pass laws that will, hopefully, improve the situation.
Despite increased spending and innovation in the cybersecurity market, there is every indication that the situation will only worsen. The number of unmanaged devices being introduced onto networks daily is increasing by orders of magnitude, with Gartner predicting there will be 20 billion in use by 2020. Traditional security solutions will not be effective in addressing these devices or in protecting them from hackers, which should be a red flag, as attacks on IoT devices were up 280% in the first part of 2017. In fact, Gartner anticipates a third of all attacks will target shadow IT and IoT by 2020.
This new threat landscape is changing the security game. Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools that they’ve been using all along are setting themselves up for continued failure.
The False Panacea of Security Training
There is much debate over the effectiveness of security and awareness training, centered on competing beliefs that humans are either the strongest or the weakest link in the security chain. It can't be denied, however, that in an age of increasing social-engineering attacks and unmanaged device usage, reliance on a human-based strategy is questionable at best. This assertion is further substantiated by recent reports from security providers like PhishMe showing that 80% of employees who have completed training are still susceptible to being phished.
A single phishing click, or one compromised software update, was all it took to set off cascading, global cybersecurity events like WannaCry and NotPetya; once inside, both worms spread from machine to machine over SMB with no further human involvement. This alone should be taken as strong evidence that humans will always represent the soft underbelly of corporate defenses.
Connectivity First, Security Second
Today, connected devices are being used by employees to drive bottom-line activity. Their utility and convenience are giving IoT devices a foothold in the enterprise — in corporate offices, hospitals, power plants, manufacturing facilities and more. We recently found that 82 percent of our enterprise customers have Amazon Echos in use, which are almost always in an executive’s office. These devices, designed to listen and transmit information, may lead to increased productivity, but they also introduce unquantifiable risks. Our own research recently demonstrated that the Amazon Echo is susceptible to airborne attacks. Amazon has patched the vulnerabilities, but this finding demonstrates how easily a compromised device can lead to the leak of confidential information.
Connected devices are proliferating at a rate IT departments and security teams can't keep up with. They are manufactured with little oversight or regulatory control, are Wi-Fi- and Bluetooth-enabled, and are designed to connect immediately. They are introduced into corporate environments by individual users who have no real security knowledge or expertise, which is itself a risk. Users may have productivity goals in mind, but there is simply no way you can rely on employees to use them within acceptable security guidelines. IoT training and awareness programs certainly will not do anything to help, so what's the answer?
Reframing the Human-Security Relationship
It is time to relieve your people (employees, partners, customers, etc.) of the cybersecurity burden. It may be prudent, and required, for you to continue with awareness programs, but you will have to rely more on intelligent technologies and automation if you hope to have any chance at success.
Removing the human risk means repositioning the way you think of the relationship between employees, connected devices, and overall corporate cyber defenses. You must accept that IoT and other security issues aren’t user interaction problems; they’re device and system interaction problems. The highly connected nature of IoT devices means that they’re constantly in communication, capable of spreading malware, and capable of leaping from system to system with no human interaction — all beyond the reach of current security solutions. Security threats are stacking up against your people at work: employees are still falling victim to automated phishing emails and organizations with ample security analysts simply can’t manage the volume of vulnerabilities present in new connected devices and software. And, new IoT attack vectors like BlueBorne and KRACK that work around humans to infect devices and networks are popping up faster than they can be addressed.
An Intelligent Cybersecurity System
To manage security today, your systems must be intelligent and able to work without human supervision, knowing when and how to take proactive or defensive action.
When it comes to connected devices, the massive numbers that will be in use in businesses make it impossible for people on their own, or for understaffed IT and security teams, to manually identify and stop risky activity. To identify devices and behavior patterns that represent a threat, your IoT security system must be intelligent enough to spot all connected devices and the vulnerabilities they introduce, approve and deny access to networks, and learn from constantly evolving conditions to become more effective over time.
Intelligent products learn patterns of what secure and insecure activity looks like on connected devices — something impossible to tell just by looking at a phone, speaker, or web camera. I’ve seen compromised tablets streaming video from a board room to an undisclosed location. The tablet showed no signs of compromise and this activity was not recognized by the traditional security solutions in place. Only by identifying its behavior and traffic patterns were we able to see the risk. An intelligent system would be able to identify such suspicious traffic behavior immediately.
Lastly, an intelligent system can take action. Once the system has learned how to identify suspicious behavior, it can immediately stop a device from being used for malicious purposes. For example, it could shut down a botnet attack entirely, preventing it from connecting to other devices, or limiting the damage it can do. Being able to control a connected device is the difference between one device being infected and your entire network getting taken over.
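To make the three capabilities above concrete (inventory every device, learn its normal traffic, then act on deviations), here is a small behavioral-baselining example. It is added for this page and is not Armis's code or any product's logic; the device names, destinations and flow records are constructed for illustration, and the thresholds and actions are assumptions. It learns, per device, the set of destinations it talks to and its typical outbound byte rate, then scores new flows: an unknown device is denied, a known device talking to a new host at an anomalous rate (the board-room tablet scenario) is quarantined, and a single deviation only raises an alert.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (device, destination, bytes_out, seconds).
# These are invented for illustration, not real captures.
BASELINE_FLOWS = [
    ("tablet-boardroom", "10.0.5.20", 12_000, 60),            # calendar sync
    ("tablet-boardroom", "10.0.5.20", 15_000, 60),
    ("tablet-boardroom", "update.vendor.example", 40_000, 60),
    ("tablet-boardroom", "10.0.5.20", 11_000, 60),
    ("echo-exec-office", "alexa.example", 90_000, 60),
    ("echo-exec-office", "alexa.example", 110_000, 60),
    ("echo-exec-office", "alexa.example", 95_000, 60),
]

NEW_FLOWS = [
    ("tablet-boardroom", "10.0.5.20", 13_000, 60),             # normal
    ("tablet-boardroom", "203.0.113.77", 4_500_000, 60),       # sustained upload to an unknown host
    ("echo-exec-office", "alexa.example", 100_000, 60),        # normal
]


def learn_baseline(flows):
    """Build a per-device profile: known destinations and observed outbound rates (B/s)."""
    baseline = defaultdict(lambda: {"destinations": set(), "rates": []})
    for device, dst, nbytes, seconds in flows:
        baseline[device]["destinations"].add(dst)
        baseline[device]["rates"].append(nbytes / seconds)
    return dict(baseline)


def score_flow(baseline, flow, sigma=3.0):
    """Return the list of reasons a flow deviates from its device's baseline (empty if none)."""
    device, dst, nbytes, seconds = flow
    profile = baseline.get(device)
    if profile is None:
        return ["unknown device"]
    reasons = []
    if dst not in profile["destinations"]:
        reasons.append(f"new destination {dst}")
    rate = nbytes / seconds
    mu = mean(profile["rates"])
    sd = pstdev(profile["rates"])
    # Floor the spread so a device with perfectly regular traffic still gets a usable threshold
    # (assumed heuristic: at least a quarter of the mean counts as one standard deviation).
    threshold = mu + sigma * max(sd, 0.25 * mu)
    if rate > threshold:
        reasons.append(f"outbound rate {rate:.0f} B/s exceeds threshold {threshold:.0f} B/s")
    return reasons


def decide(baseline, flows, sigma=3.0):
    """Map each flow to an enforcement action: allow, alert, quarantine or deny."""
    decisions = []
    for flow in flows:
        reasons = score_flow(baseline, flow, sigma)
        if "unknown device" in reasons:
            action = "deny"         # never inventoried: keep it off the network until approved
        elif len(reasons) >= 2:
            action = "quarantine"   # new peer plus a volume spike: isolate the device
        elif reasons:
            action = "alert"        # one deviation: surface it, keep the device on
        else:
            action = "allow"
        decisions.append({"device": flow[0], "action": action, "reasons": reasons})
    return decisions


if __name__ == "__main__":
    profile = learn_baseline(BASELINE_FLOWS)
    for d in decide(profile, NEW_FLOWS):
        print(f"{d['device']:<18} {d['action']:<10} {'; '.join(d['reasons'])}")
```

The point of the split between "alert" and "quarantine" is that a single new destination (a firmware server moving to a new CDN, say) is routine for IoT gear, whereas a new destination combined with an order-of-magnitude jump in upload volume is the exact signature of a device exfiltrating video or audio. A production system would also age out the baseline, key it on device fingerprint rather than a name, and feed the quarantine action into a NAC or switch ACL.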
The same is true for security technologies designed to defend against other threats. Anti-phishing technologies that can’t identify and block attacks on their own are basically disasters waiting to happen. Manual patching processes are also of little value.
The New Reality
Attacks are coming at businesses from all angles and through all channels, with IoT creating a significantly larger attack surface. Executives are accountable for the performance, or rather the lack of performance, of security, and businesses will face a range of consequences in the face of breaches, from brand damage to recovery costs and loss of customers. The stakes are higher than ever to secure your systems and networks, and the new IoT reality complicates matters further. Solutions we've relied upon in the past, such as training employees, will not mitigate the massive security challenge companies are facing. The scope of IoT is far too complex for traditional security teams to manage with legacy solutions. It's time to remove people from the discussion and move towards a more intelligent, secure future.
Yevgeny Dibrov is CEO and Co-founder of Armis.