Gartner predicts there will be an estimated 8.4 billion IoT devices by 2020. Tenable President, Chief Operating Officer and Co-Founder Jack Huffard discusses how the proliferation of digital assets and connected devices is creating an exposure gap in cyber defense — and shares how organizations can fight back against cyber-attacks. Huffard participated on the Successful Cybersecurity Growth Companies In the Region panel at the Capital Cybersecurity Summit on Nov. 15, 2017.
It’s been more than two years since the Office of Personnel Management (OPM) disclosed one of the largest data breaches in history, but just last week, the agency’s inspector general gave it a failing grade when it comes to critical areas like risk management and contingency planning.
In addition, the data breaches and attacks we’ve recently seen across a variety of industries, including entertainment, critical infrastructure, retail and finance, make it clear that all organizations are still failing when it comes to basic cyber hygiene.
Today, a company’s assets range not just from laptops to servers, but include mobile devices, internet-connected appliances and the cloud. The latest research shows the number of these assets is only going to increase. For example, Gartner predicts there will be an estimated 8.4 billion IoT devices by 2020. And according to a 2016 IDG Enterprise Cloud Computing Survey, 70 percent of organizations already have apps in the cloud and 16 percent more will in 12 months. This modern, elastic attack surface, where the assets themselves and their associated vulnerabilities are constantly expanding, contracting and evolving, has created a massive gap in organizations’ ability to truly understand their cyber exposure at any given time.
Another major component of today’s elastic attack surface is operational technology (OT), particularly given the growth in the risk of cyber-attacks against critical infrastructure sectors. A recent Ponemon Institute study on the state of cybersecurity in the U.S. oil and gas industry found, for example, that OT targets now comprise 30 percent of all cyber-attacks. As with cloud and IoT assets, the cyber exposure gap is exacerbated by the mismatch between the cyber measures deployed by critical infrastructure companies and the rapid pace of digitization in operations. Operational technologies present an additional challenge – they often can’t be assessed with the same approaches as IT assets, creating blind spots for security operations and compliance teams.
We recently announced a partnership with global engineering and technology leader Siemens that aims to address those unique risks. The product, Industrial Security from Tenable, was designed specifically for industrial control systems and will be delivered through Siemens to give energy and utilities companies full visibility into production networks to reduce compliance risk and their cyber exposure.
Both public and private organizations in every sector need to change their approach to cyber risk to effectively manage their cyber exposure. That starts with understanding and protecting what matters most across their entire attack surface. And it means looking at server and endpoint hardening, IoT discovery and hardening, container and web app vulnerability identification and OT asset and vulnerability detection.
Understanding risk and cyber exposure is also an awareness issue that should start at the top. If the C-suite and board of directors know which areas of their business are secure or exposed, that knowledge can drive strategic business decisions, including where and how much to invest to reduce risk. Attackers will always find the weak link, and right now there are too many weak links – even more than companies are aware of.
This year alone, there were several high-profile, large-scale cyber-attacks, including the NotPetya destructionware, CrashOverride/Industroyer threats to critical infrastructure, and the Reaper IoT botnet. These attacks claimed millions of dollars in company damage and compromised sensitive customer data, and no organization wants to experience one of these security headlines firsthand. Only with a holistic approach that starts with basic cyber hygiene – visibility to identify all assets and their vulnerabilities – can companies secure today’s complex attack surface.