How to Secure Any Layered Security Model with the Right Foundation

By: Absolute Security | 1/9/2017

Security is not a black and white matter: there are vast shades of grey that exist in even the most well-thought-out security architectures. APTs, zero-days, exploits, vulnerabilities, IoT threats, and the ever-present threat from an organization’s own users all pose significant amounts of risk to your assets and the invaluable data stored on them.

Not that many years ago, security was seemingly much easier - park a stateful firewall between your users and the Internet, and your IT staff could focus on other tasks. With the explosion of connectivity options, both sanctioned and unsanctioned, the notion that the perimeter itself can even be defined is one that’s been relegated to a memory. Today’s perimeter is simply too fluid to adhere to that archaic network security model.

The damage that can be done when your security architecture is breached is well known. In the past years we have seen colossal breaches at many major corporations, with damages reaching hundreds of millions of dollars. The Ponemon Institute’s latest Cost of a Data Security Breach Study estimates that the average cost of a single data breach now exceeds $4M USD, with each stolen record carrying a loss of $158 USD.

Understanding How Much Risk is Out There

As the lines between corporate and personal use have blurred… or in many cases have blended together entirely, it’s no simple task for organizations to adequately quantify their risk or exposure. Security teams are finding themselves with less and less true control over those assets, and more concerning, the data that is flowing through them.

A recent analysis of anonymized data extracted from Absolute’s Endpoint Data Discovery solution, conducted by the analysts at Info-Tech Research Group, shows that a whopping 27% of devices in the sample contained some amount of sensitive or personal information - including credit card numbers, Social Security Numbers, or personally-identifiable health and/or financial info!

But what is even more troubling to think about is that in many of these cases these devices didn’t have just a single record of sensitive info on them… in some cases the number of records was in the thousands and tens of thousands. There was even a subset of devices with literally millions of records on them. At $158 per record, you don’t need a PhD in Math to understand that is an insane amount of risk!

Building Your Security House

If an organization can’t keep the data off of the devices, and that’s certainly looking like a new normal in today’s distributed workplace, then what can it do?

Info-Tech has built an information security framework which highlights the key technology and governance layers that should be deployed in a structured defence model. The framework itself looks similar to a house - and much like your home, the assets inside the house get the largest amount of protection. 

Your doors and windows are sealed with encryption and anti-intrusion measures, the multiple locks on the door require various authentication factors, and the “camera” system watches for any signs of incidents or breaches.

And while all of that is important, any engineer worth his or her salt will tell you that the actual house itself is only as strong as the foundation on which it was built. Your security house can be strengthened significantly by integrating a security solution that resides below all of your other security layers. That foundational layer should be embedded at the firmware level. 

Where does that foundation fit within your security architecture? There are several benefits that differentiate this embedded security tool from the more traditional (and easily evaded) installed security tool model:

- An embedded solution supports the reinstallation of its agent if disruption or corruption occurs;

- An embedded solution also enables other tools and technologies to be automatically reinstalled;

- It provides a significant level of remote administration and control even if the device is compromised; and

- It can provide an additional amount of active alerting, reporting, and analytics.

Learning More About the Security House Model

Elliot Lewis is Vice-President of Info-Tech Research Group’s Security, Risk, and Compliance practice. His white paper, which goes into much greater detail about this innovative new security model, is available to download here (quick registration required). Take a few moments to get a copy and understand how an embedded security strategy can help bolster and improve your existing security technologies.

Elliot has over 25 years of executive management experience, most recently as the Chief Security Architect at the office of the CTO at Dell. Elliot also worked as the Director of Strategic Services, Security, and Identity at Cisco Systems, was CISO at Merrill Lynch, and was formerly Senior Security Architect, Security Center of Excellence, for Microsoft.
