The business cybersecurity landscape is dramatically expanding in scale and complexity. From phishing scams to ransomware attacks to malicious breaches by state actors, the potential per-breach threat to your business is not a trivial matter. According to the Ponemon Institute, the average per-breach cost to a company in 2017 was estimated at $3.62 million.[i]
Fortifying our cybersecurity strategy is a critical priority at Equinix, as it is for our many customers around the world. In this blog from our continued series on the topics that keep CIOs on their toes, we’ll tell you about some of the best practices we employ to keep ahead of the quickly evolving cyberattack threat.
Three best practices to strengthen your cybersecurity strategy
We embrace three proven best practices to advance our cybersecurity mindset and reduce our organizational risk:
- Know the changing cyberattack landscape – According to Gartner, 95% of CIOs expect cybersecurity threats to increase and impact their organization.[ii] This is a shared problem among CIOs, CISOs, CSOs and the rest of a company’s functional organizations – and they need to know the cyberattack landscape to effectively defend their businesses. The types of cyberattacks are changing as bad actors get more sophisticated, and the attacks are also increasing in complexity and scale, in particular:
- Phishing scams (with follow-up phone calls)
- Cyber extortion (ransomware), disruption and destruction
- Password security breaches and use of hard-coded credentials in source code
- Watering hole attacks (organization, industry or regional)
- Cyberattacks from state actors
- Bitcoin mining impersonators
An important part of understanding your cyberattack landscape is also understanding the multiple layers of attack surface within your organization. At Equinix, we’ve identified a “top 10 information security risk register.” The risk register is actively managed by our CISO, who presents it to our board of directors on a quarterly basis. The risk register is also shared with our Cybersecurity Steering Committee (described below) to further advance our information security agenda company-wide.
- Create a company-wide cybersecurity task force – Given that there are multiple organizational and functional layers that make up a company’s cyberattack surface area, it takes an enterprise-wide effort to track threats and defend against them. This is why we created a Cybersecurity Steering Committee that consists of executives from our security, IT, product, compliance, assurance, risk and legal organizations. This committee reviews and prioritizes what’s on our security risk register and ensures there is an approved mitigation plan and multi-functional governance around our potential enterprise information risks.
Because the majority of participants in our committee have a seat at the leadership table, it is much easier to drive risk ownership and resolve issues across our respective business groups. It also helps us more swiftly drive corporate-wide compliance requirements to resolution, such as the General Data Protection Regulation (GDPR) and the 606 Revenue Standard.
- Evaluate your security budget against your threat level – Security budgets in IT are increasing across all industries. Gartner recommends that enterprises spend 4% to 7% of their IT budgets on security, depending on the threat level.[iii] For example, some threat levels may be extremely high, such as those surrounding personnel records and customer data. By evaluating your security budget against your organization’s various threats, you can better prioritize where to put your focus and your security IT dollars. Keeping a running record of security risks (as we do with our risk register) that ranks each risk by impact level and likelihood will help you develop a mitigation strategy and budget. This is also where security key performance indicators (KPIs) can help you see where your company is getting the greatest return on its security investment.
How to fortify your cybersecurity capabilities
Some of the key strategies we’ve implemented at Equinix to fortify our security performance include:
- Security patching and systems hardening – To ensure that all security updates are in place, that security policies are being applied and that known vulnerabilities are eliminated, we regularly patch to the latest system and security standards. This gives us the peace of mind that we are keeping on top of the latest available cybersecurity protections.
- Multi-factor authentication on all systems and apps – To decrease the risk of unauthorized access to our applications and systems, we use multi-factor authentication for all of our critical digital assets to ensure anyone accessing them is truly authorized. This gives us another level of defense to solidify our authentication and entitlement process for all Equinix applications.
- Endpoint and digital perimeter protection – Our endpoint security includes malware protection, which also has anti-phishing capabilities and enriches email security. We also take the time to educate our employees on phishing to make sure our workers know how to detect and identify phishing attacks. Since most of these threats come via some sort of malware that can get deployed from anywhere in the enterprise, it’s even more important to secure the digital perimeter. We have network defenses such as firewalls and security controls in all network appliances to secure our perimeter in every one of our global data centers.
Even though cyberattacks are growing in magnitude and impact as digital transformation increases on a global scale, you are not helpless against the bad actors who seek to cause real and costly damage to your business. A proactive, company-wide, integrated physical and digital security strategy that addresses cybersecurity threats at all levels of your business will provide you with both the offensive and defensive capabilities you need to handle whatever comes your way.
In my next blog, I’ll discuss how CIOs can transform the customer and employee experience. In the meantime, check out our Platform Equinix Vision paper.
[i] Ponemon Institute, “2017 Cost of Data Breach Study: Global Overview,” 2017.