While it’s true that retail data security responsibility often does not fall in loss prevention’s court, LP professionals need to be aware of the ongoing risks and emerging concerns in data vulnerability and protection.
The technology research firm Gartner, Inc. has studied five key areas of data security concern that businesses face this year and has issued predictions and recommendations about protecting networks and data from the threats that may arise in each. One general recommendation is that businesses must be aware that delaying security measures in an effort to avoid disrupting business is probably a big mistake. While the material is a bit technical in places, LP will benefit from exposure to the issues. Below are the predictions and recommendations as outlined by Gartner analyst Earl Perkins.
Threat and Vulnerability Management
Prediction: “Through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by data security and IT professionals for at least one year.” In other words, attackers overwhelmingly exploit flaws for which a fix has long been available. Businesses should continue to hunt for new data security vulnerabilities in their applications, but the higher priority is to patch known vulnerabilities promptly, starting with those that already have a published fix and have been open the longest. Those that don’t stand to lose money through damaged systems and data loss.
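The practical check behind this prediction is simple: compare what is installed against the advisories that already have a fix, and sort by how long the fix has been public. The script below is an added example (it is not Gartner’s or the article’s) that does that over a constructed asset inventory; the package names, versions, advisory identifiers and dates are all hypothetical, and it assumes the inventory records a package name and version per host.

```python
import re
from datetime import date

# Added example (not from the article or from Gartner): triage an asset
# inventory against published advisories and flag vulnerabilities whose fix
# has been available for longer than a year. All package names, versions,
# advisory IDs and dates below are constructed for illustration.

INVENTORY = [
    {"host": "pos-01",   "package": "widget-server", "version": "3.1.7"},
    {"host": "pos-02",   "package": "widget-server", "version": "3.2.1"},
    {"host": "kiosk-07", "package": "kiosk-agent",   "version": "1.9.4"},
    {"host": "web-01",   "package": "kiosk-agent",   "version": "1.10.2"},
]

ADVISORIES = [
    {"id": "ADV-2018-017", "package": "widget-server", "fixed_in": "3.2.1",
     "published": date(2018, 11, 15)},
    {"id": "ADV-2020-003", "package": "kiosk-agent", "fixed_in": "1.10.0",
     "published": date(2020, 3, 2)},
]

MAX_AGE_DAYS = 365           # the "known for at least one year" threshold
TODAY = date(2020, 6, 1)     # fixed date so the output is reproducible


def version_key(version):
    """Turn '1.10.0' or '1.0.1e' into a tuple that compares numerically.

    Plain string comparison gets this wrong ('1.9.4' > '1.10.0' as strings),
    which is a common cause of scanners mis-reporting patched hosts. Numeric
    parts are tagged (0, n) and alphabetic parts (1, s), so numbers sort before
    letter suffixes (1.0.1 < 1.0.1e) and mixed parts never raise a TypeError.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_vulnerable(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def triage(inventory, advisories, today=TODAY, max_age_days=MAX_AGE_DAYS):
    """Return one finding per (host, advisory) pair that is still unpatched."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["package"] != asset["package"]:
                continue
            if not is_vulnerable(asset["version"], adv["fixed_in"]):
                continue
            age = (today - adv["published"]).days
            findings.append({
                "host": asset["host"],
                "package": asset["package"],
                "installed": asset["version"],
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
                "age_days": age,
                "overdue": age > max_age_days,
            })
    # Oldest exposure first: these are the ones the prediction says get exploited.
    findings.sort(key=lambda f: f["age_days"], reverse=True)
    return findings


def overdue_hosts(findings):
    """Hosts carrying a vulnerability whose fix has been public for over a year."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    results = triage(INVENTORY, ADVISORIES)
    for f in results:
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{flag:8} {f['host']:9} {f['package']} {f['installed']} "
              f"-> fix in {f['fixed_in']} ({f['advisory']}, {f['age_days']} days)")
    print("Hosts overdue:", overdue_hosts(results))
```

Run as-is it reports pos-01 as overdue (the fix has been public for 564 days) and kiosk-07 as open but not yet overdue; pos-02 and web-01 are already at or past the fixed version. The version comparison is the part worth copying: a host on 1.9.4 would be wrongly reported as patched against a 1.10.0 fix if versions were compared as strings.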
Prediction: “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.” A growing concern is “shadow IT”: technology that business units introduce without review by the data security team. Because that review is skipped, and because many of these tools are new and still contain vulnerabilities, they make easy targets, and they may not even appear on the security team’s inventory until they are attacked.
Application and Data Security
Prediction: “By 2018, the need to prevent data breaches from public clouds will drive 20 percent of organizations to develop data security governance programs.” Insurance companies will help push these programs by setting cyber insurance premiums based in part on whether a business has one in place.
Prediction: “By 2020, 40 percent of enterprises engaged in DevOps (development and operations) will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.” Here Perkins points to a maturing technology called runtime application self-protection (RASP). RASP instruments the running application so that it can detect and block attacks against it as they happen, which compensates for flaws that slip through because of the rapid pace at which DevOps teams release code. It does not remove the underlying vulnerability, so it is a backstop for fixing the code, not a replacement for it.
Mobile and Network Data Security
Prediction: “By 2020, 80 percent of new deals for cloud-based cloud access security brokers (CASB) will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.” Vendors of traditional network data security products (firewalls, SWGs and WAFs) want a share of the work of protecting their customers’ cloud applications, and a CASB, which gives visibility into and policy control over the cloud services employees use, is how that is done. Businesses should evaluate whether CASB services are warranted based on their plans for cloud application deployment, and should consider bundled offers from their current vendors of these traditional technologies.
Identity and Access Management
Prediction: “By 2019, 40 percent of identity-as-a-service (IDaaS) implementations will replace on-premises IAM (identity and access management) implementations, up from 10 percent today.” The shift to IDaaS will stem partly from the difficulty and expense of running in-house, on-premises IAM infrastructure, and the growing use of other something-as-a-service offerings will make the decision more comfortable. The continuing rollout of web and mobile applications, which need identity services reachable from outside the corporate network, creates a natural opportunity to move from in-house IAM to IDaaS.
Security for the Internet of Things (IoT)
Prediction: “Through 2018, over 50 percent of IoT device manufacturers will not be able to address threats from weak authentication practices.” IoT devices are still being built with little consideration for data security (weak or default credentials are the typical problem), yet some sit on networks where a compromised device could expose data to harmful breaches. Businesses need a framework for determining the risk each IoT device type represents and the appropriate controls for dealing with it.
Prediction: “By 2020, more than 25 percent of identified enterprise attacks will involve IoT, though IoT will account for only 10 percent of IT security budgets.” Security pros will not be in a position to judge how important each IoT device is to the organization, so the business unit that uses the devices should determine the risks they represent. Security pros should set aside 5 to 10 percent of IT security spending for monitoring and protecting these devices as needed.
As mentioned above, some of the content in this article is technical and often not the responsibility of LP. However, data security is a huge concern for retailers and a rapidly changing one. While most LP professionals probably don’t need to become experts, a general understanding of the issues will become more and more important going forward. Individual research to deepen that knowledge is encouraged.