Multifactor authentication topped the list of key security initiatives that companies plan to implement this year, according to data from the latest edition of TechTarget's IT Priorities survey.
The IT Priorities survey queried 624 IT professionals from a wide range of industries based in North America. Of the 287 IT professionals who chose to identify their companies' key security initiatives for 2019, 25% highlighted multifactor authentication as a top priority, followed by end-user security training (24%), endpoint security (23%), identity and access management (23%), and threat detection and management (23%).
Other key security initiatives include investments in email security, encryption, application security, vulnerability management, SIEM services and network traffic analytics, the survey found.
"These are exactly the kinds of security initiatives companies need to be implementing -- particularly end-user security training," said Francis Dinha, CEO at cybersecurity vendor OpenVPN in Pleasanton, Calif. "All the security in the world won't matter if employees aren't trained in how to maintain it."
However, planning and following through aren't the same thing, Dinha cautioned.
"I just hope that the momentum to carry these initiatives out this year stays strong," he said. "When security increases, and there are less breaches in the news, it's tempting to get complacent and let a few of these plans go."
The survey also asked respondents to identify the areas where they plan to increase budget spending. Of the 31% of respondents who chose to answer the question, 44% identified security and risk management as the most likely area for budget increase.
"Investing in your company's security is absolutely essential, and the value really is immeasurable," Dinha said. "How much revenue would your company lose if all your data was lost, or your system shut down? That's what you're investing in. That's what you're protecting. We all have budget restrictions, of course, but consider what you're risking if you don't invest in your company's security."
Spending on security and risk management should be a priority for more organizations, said Logan Kipp, technical architect at SiteLock, a website security provider based in Scottsdale, Ariz.
"As your business increases in size, the value of your assets -- such as equipment and data -- will also grow," Kipp said. "Your cost-benefit analysis should take into account the value of your assets and what your costs could be as a result of a breach."
Scott Crowder, CIO at Houston-based technology company BMC Software, said his company has been implementing many of these security initiatives over the past few years.
"They are helpful in creating a mature cybersecurity posture, so I'm not surprised to see them emerge as top priorities in the data," Crowder said.
End-user security training is an ongoing effort at BMC and comes in several formats, given that security awareness around phishing scams is a priority, he said.
To beef up security, the company has deployed McAfee's full suite of endpoint protection, Avecto's administrator rights control and Fidelis' endpoint detection and response tools for automated forensic collection and review, and it has an aggressive patching program utilizing BMC's endpoint management tool, Crowder said in an email interview.
"In 2019, we're focusing on refining our network segregation program and developing a complete security program for our cloud-based assets, following the CIS [Center for Internet Security] framework," he said.
Multifactor authentication and endpoint security
Gartner analyst Avivah Litan said she believes the best approach to multifactor authentication is to use contextual MFA.
"Don't use a one-size-fits-all approach; add different layers of strengths, depending on the risk of the transaction," Litan said.
When implementing MFA, artificial intelligence can be used to contextualize the interaction with the user, she said.
"If you're doing something seriously sensitive, then the AI would understand if this is not normal for this person to be doing such a sensitive operation at this time of day. So, now we need to see a biometric," she explained. "It can step up and down the authentication, relative to the context of that interaction."
She stressed the importance of implementing a multilayered security approach, of which MFA is only one layer.
Litan also highlighted the common problems associated with two-factor authentication. With SMS-enabled two-factor authentication, criminals can forward the SMS to another phone, she said. For those who use voice or phone call authentication, in which a one-time password is delivered through a phone call, criminals can also forward those calls, she added.
"The strongest is having a separate hardware device that is not connected to your PC and that's password- or biometric-protected," Litan said.
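The contextual step-up Litan describes, together with her point that some factors are weaker than others, can be sketched as a small policy check. This is an added example, not code from the article or from any vendor it names. The factor ranking below the hardware token, the risk weights, the thresholds and all names are assumptions, and a static score stands in for the AI model.

```python
from dataclasses import dataclass
from enum import IntEnum


class Factor(IntEnum):
    """Factors ordered weakest to strongest (ordering is an assumption)."""
    PASSWORD = 0
    SMS_OR_VOICE_OTP = 1  # can be forwarded to another phone
    BIOMETRIC = 2
    HARDWARE_TOKEN = 3    # separate device, not connected to the PC


@dataclass
class Context:
    sensitivity: int     # 0 routine, 1 elevated, 2 seriously sensitive
    hour: int            # local hour of the request, 0-23
    usual_hours: range   # hours when this user normally does this operation
    known_device: bool


def risk_score(ctx: Context) -> int:
    """Static stand-in for the behavioural model; weights are constructed."""
    score = 2 * ctx.sensitivity
    if ctx.hour not in ctx.usual_hours:
        score += 2       # not normal for this person at this time of day
    if not ctx.known_device:
        score += 1
    return score


def required_factor(ctx: Context) -> Factor:
    """Map the risk score to the weakest factor that is still acceptable."""
    score = risk_score(ctx)
    if score >= 7:
        return Factor.HARDWARE_TOKEN
    if score >= 5:
        return Factor.BIOMETRIC
    if score >= 2:
        return Factor.SMS_OR_VOICE_OTP
    return Factor.PASSWORD


def decide(ctx: Context, verified: set) -> str:
    """Return 'allow', or 'step_up:<FACTOR>' naming the factor still needed."""
    need = required_factor(ctx)
    # Fail closed: a session with no verified factor is never allowed.
    if verified and max(verified) >= need:
        return "allow"
    return f"step_up:{need.name}"
```

The same sensitive operation requires less during the user's usual hours and more at 3 a.m., which is the step up and down relative to context.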
For endpoint security best practices, Litan highlighted application whitelisting as an effective approach for blocking malware from entering and executing on endpoints. It only lets users go to the sites and run applications that are on a company's whitelist, she said.
"Whitelists are very difficult to manage and implement, but that kind of philosophy restricting user access to a finite set of approved applications is the most secure approach," she said.
Machine learning and AI can also help detect anomalies on the endpoint by looking for processes that are really abnormal, she said.
"Artificial intelligence can see things that rules can't. Rules are only what you know," she said. "Artificial intelligence should reveal things that you don't even know to look for, or that you haven't built a rule for yet."
Best practices for security initiatives
Experts emphasized best practices for top security initiatives highlighted in the survey. SiteLock's Kipp said website attacks are now an inevitable part of doing business online. When it comes to threat detection and management best practices, companies should implement products and services such as a web application firewall to mitigate incoming attacks and scanning technology to automatically detect and remediate malware and vulnerabilities, he said.
However, a strong, proactive defense doesn't end there, he added.
"A fully staffed security operations team either on staff or through a security partner, with a well-defined incident response plan and training that addresses a wide array of contingencies, is the best way to ensure the ongoing efficacy of your defensive systems," Kipp said.
OpenVPN's Dinha advised IT pros to keep a close eye on the data their system uses, so they're aware of what's normal and what isn't, and also have a data backup strategy in place.
"Prevention is always the goal, but should your security be compromised, make sure you're prepared to deal with it," he said.
When it comes to identity and access management, automating processes for user profile creation, management and removal is an excellent start, Kipp said. Eliminating the human element helps to avoid missing steps or other mistakes in configuration, he explained.