Gary Eppinger, Global CISO, Carnival Corporation
If 2014 is to be remembered as the year of cyber-attacks, then what’s ahead in 2015? Once an occasional disruption, it’s almost as if a security breach is a rite of passage for companies--according to JPMorgan,some 76 million accounts were hacked in 2014. It’s enough to keep any IT security professional up at night.
Last year’s lesson was that it is extremely difficult to keep unauthorized personnel out of the enterprise. We also learned that systems and processes we previously relied on to protect the enterprise are no longer adequate for the growing threats. That is why I believe this will be a year of change in how information is exchanged both nationally and internationally.
As a company that processes millions of transactions daily around the globe--across time zones, geographies and political boundaries—Carnival Corporation and our nine cruise line brands are continuously improving IT security systems and practices to protect the data with which we have been entrusted. While the list of things we must think about is never-ending, I’ll share the five key areas for our focus in the coming months.
Weak Links Exploited
When you consider how enterprises have been extended by connections to third parties, customers and interconnected business ecosystems, the measures to secure these organizations are more complex than ever. Arguably,they are vital to every organization's global business operations. However, these “weak links” in the supply chain–suppliers and consultants not protected by sophisticated security safeguards–are attractive targets for hackers. That means increased risks for the confidentiality, integrity and/or availability of this data being compromised. Today’s security chiefs must remain ever-vigilant when it comes to securing the valuable and sensitive data routinely shared with suppliers.
Surprisingly, your own employees can also be a weak link–and one that is often is overlooked when assessing your vulnerabilities. Here is why: Employees are generally very helpful, going out of their way to assist coworkers, customers, vendors and partners. Bad guys take advantage of this. They masquerade as employees of suppliers or representatives of some other legitimate business partner and launch targeted phishing attacks, singling out specific organizations or groups of individuals. The message is clear: Double down on training and awareness programs to ensure employees have the knowledge they need to be effective in protecting data.
The world’s love affair with mobile devices is here to stay. According to the Ericsson Mobility Report released just a few months ago, by the year 2020, 90 percent of world’s population over the age of six years old will have a mobile phone. While impressive, the more we use these types of devices, the more we create opportunities for hackers. In 2014 alone, mobile device security risk increased by 25 percent as some form of cyber-attack infected 16 million mobile devices.
Compounding the issue is the growing prevalence of employees accessing enterprise systems and data using mobile devices. In fact, Gartner predicts that by 2017, half of employers will require employees to supply their own mobile devices to use in the workplace. This trend exponentially increases the risk to any corporate IT system. Smart information security executives are carefully evaluating these new practices for potential security gaps to shore up any existing and potential future deficiencies.
Securing Emerging Technologies
In addition, we are anticipating the growing popularity of consumer technologies such as camera headsets like the GoPro or computerized watches like the iWatch. As our customers and employees use more of these technologies within our enterprise, new security concerns will arise. Already hackers are likely working on ways to gain access to these devices and the information they store in the cloud. It will be our jobs to stay one step ahead of these would-be hackers.
It’s obvious that passwords and usernames are no longer able to provide the level of protection they once did, so CIOs are seeking new and different approaches to authentication. Options include two-factor solutions, smartphone verification or methods such as a token or biometric recognition. We are evaluating this and other options within our own operations that will allow secure access to critical information.
Threat Intelligence Sharing
This will become the norm in 2015–within our industry and between enterprise and government organizations. Integrated threat intelligence makes other security monitoring and controls far more effective. That’s why we at Carnival participate in these initiatives:
- Information Systems Audit and Control Association (ISACA)–This is an independent,non-profit, global association that aids in the development,adoption and use of globally accepted, industry leading knowledge and practices for information systems.
- Infra – A partnership between the FBI and the private sector, its objective is to prevent hostile acts against the U.S. The initiative is comprised of businesses, academic institutions and state and local law enforcement agencies.
- Cyber Security group within Cruise Lines International Association (CLIA)– Our company participates with other cruise operators in the regulatory and policy development process. The group forges strategic relationships among key cruise industry suppliers and interacts with government agencies.
As cyber attackers learn more about companies’security programs, they will find new ways to infiltrate. That means security is a round-the-clock, 365-days-a-year job. You must be keenly aware of what is happening with your systems at all times. While difficult, this can be done. Our industry has made vast improvement in analytics tools and automated systems that are getting smarter everyday about identifying anomalous patterns. Earlier detection and mitigation will be critical to helping safeguard systems.
It’s also important to note that security is no longer the sole responsibility of a few small teams within the enterprise. In our ever-connected, technologically complex world, security is now part of every employee’s job–something every person is responsible for every single day. It is vital that employees understand this. To be effective, security cannot function as a separate practice, occurring independently from the day-to-day operations. It must be integral to every job, in every department and in every location, every day.
"The world’s love affair with mobile devices is here to stay"
In the end, vigilance is the key.There is no question that threats will continue evolving, coming from new and unforeseen sources. But working together as an industry, we will continue improving our processes for early detection and mitigation,so even the smallest unauthorized intrusion can be averted. Of this, I am confident.
It is that confidence–and the confidence I have in my fellow employees, our strategic vendors/partners, our commitment to improving our security controls, and our ability to react quickly to mitigate events–that allows me to can get some sleep at night.