According to IDC research, sponsored by SAP, only 33 percent of surveyed companies have a formal vulnerability management process to remediate security flaws in enterprise applications.
However, almost 40 percent of respondents said eliminating security vulnerabilities was a top priority. That gap was among the fascinating reveals I heard in a recent conversation with two security experts during a webinar I hosted, entitled Securing the Intelligent Enterprise. Here are my top three takeaways from our talk.
Make security a group effort
Robyn Westervelt, research director of security and trust at IDC, said that longstanding problems like managing encryption and addressing application vulnerabilities are catching up with companies as hybrid and multi-cloud environments become the norm. What’s new is how IT security isn’t alone in addressing these challenges.
“There is this lack of visibility and control felt not only among IT security personnel, but also with line-of-business IT and operations personnel…security is increasingly working with data analysts and data owners, even on the issue of data quality,” said Westervelt. “And, the regulatory environment is driving enterprises to address privacy and trust like never before…they have to answer the two most important questions: where are my most critical assets, and who has access to them?”
Don’t overlook security basics
Given the growth of high-profile data breaches and cyberattacks, you’d think companies wouldn’t be caught without fundamental security measures in place. Not so, said Westervelt. She shared how one consumer goods manufacturer had no modern backup systems when it was hit with a ransomware attack. The massive losses cost the company millions.
“They couldn’t run production lines…and senior management had to call in retirees to figure out formulas for several longstanding products,” she said. “They now have a chief information security officer building a security program from scratch beginning with authentication and identity and access management and moving straight through to data security, encryption, and more.”
With data from many devices across different systems, inside and beyond organizational walls, it’s no wonder over 40 percent of IDC survey respondents said they were challenged to securely manage information access and integration. Still, that’s no excuse for not taking preventive steps, such as patch updates. Ralph Salomon, vice president of enterprise security at SAP, described how one customer recovered quickly from a ransomware attack.
“The head of infrastructure called me to say ‘thank you very much for [pushing] us to focus on getting our patches implemented on time in our environment because it saved us so much effort.’ We had…proper backups available to restore data very fast,” he said. “Implementing application patches adequately is very important…ensuring basic [security] hygiene.”
Commit to a risk-based security framework
Both experts agreed that identifying the most critical security risks and allocating resources appropriately was crucial for every company. Westervelt said the most successful companies commit to a security framework. She directed the audience to several trusted frameworks that hundreds of thousands of developers already follow.
“I’m a believer in secure software development, injecting security in at the earliest stages because bolting on security is costly after the fact,” she said.
In a cloud-based world, Salomon said it’s vital to consider the cascading potential for threats across an organization’s ecosystem. Attackers can enter an organization through customer or partner systems. This is factored into SAP’s overall security strategy.
“We are engaging with our customers looking at the key requirements so we can extend these demands across our portfolio,” he said. “We’re constantly evolving security…Everything is linked to our company strategy…our purpose is to make the world run better and improve people’s lives by securing the intelligent enterprise for customers and SAP.”
Foiling cybercriminals and protecting private data will only get more difficult. I don’t have space to recap our entire conversation, but the replay details important advice, including what every company should demand from their software vendor when it comes to security, and how to thwart the most common breaches that continue to ensnare unprepared organizations.
Follow me @smgaler
Watch webinar replay: Securing the Intelligent Enterprise