by Mike Orosz, Director, Threat and Investigative Services, Citrix

You don’t need a research analyst to tell you how complex IT security is getting—you experience it every day. But the latest stats can be useful nonetheless, providing insight and nuance to understand the nature of the challenges and how best to address it. As a trusted security resource for our customers, it’s part of our role at Citrix to provide the information you need to develop the right security strategy for your business—manageable, cost-efficient and, most importantly, durable and reliable for the long term.

 In this spirit, this blog presents a wealth of research findings and analysis that Citrix invites you to consider and use in your written material such as blogs, whitepapers, etc. Read, explore, share, ponder—it’s all valuable material to help you protect your organization in the digital era. Our only ask is that you cite Citrix with the following reference when you use these stats: “The Need for a New IT Security Architecture: Global Study from Citrix and the Ponemon Institute.” Now please read on and enjoy!

Cloud, mobility, BYOD, IoT, GDPR—help!

A recent global survey conducted by Citrix and the Ponemon Institute (The Need for a New IT Security Architecture: Global Study on the Risk of Outdated Technologies) reads like a litany of pain for everyone involved in IT security. Organizations today are more dynamic than ever, expanding, contracting, merging and acquiring to adapt to changing business needs. The enterprise workforce has expanded to encompass partners, contractors, consultants and service providers, making unified IT control more elusive than ever—while BYOD means that IT can’t even count on full control over the devices used by the company’s own employees. Mobile devices roam across locations and networks, generating security risk every step of the way.

As if user devices didn’t pose enough of a security challenge, Gartner reports that 43 percent of enterprises will adopt IoT as part of their business operations by the end of this year, bringing all kinds of new connected devices into the environment. The Citrix-Ponemon survey found that 75 percent of IT, CISO and business executives report that their organization is not fully prepared to deal with the security risks posed by IoT. They’d better come up to speed fast—experts predict that 2017 will see further DDoS attacks via unsecure IoT devices as well as the rise of IoT ransomware. 

And it’s not just ransomware and other malicious threats that are evolving at dizzying speed. The compliance requirements coming online over the coming year make the rules we’ve already been following seem like kid’s stuff. Have you come to terms with the European Union’s General Data Privacy Regulation (GDPR) yet? If your organization works with even a single customer or individual in the European Union, GDPR will be a very big part of your life for the foreseeable future. Want to get ahead of it? This infographic provides a high-level roadmap.

Complexity kills security

All this complexity is having a dramatic impact on the security profile of enterprises. (If you’re getting demoralized, hang in there—the “what you can do about it” part of this blog is coming soon.) A full 83 percent of survey respondents said that the complexity of business and IT operations leaves them vulnerable. For example:

• 64 percent of survey respondents reported that they have no way to reduce the inherent risks of unmanaged data
• 71 percent are unable to control employees’ devices and applications
• 76 percent consider the integration of third parties into internal networks and applications to be a huge risk factor
• Only 48 percent have security policies in place to ensure that employees and third parties only have the appropriate access to sensitive business information

It’s no exaggeration to say that gaps like these can pose an existential threat, leaving organizations one lapse or breach away from a nightmare of regulatory fines, bad PR, lost customers, damaged business relationships, disrupted operations and more. These days, the security stakes couldn’t be higher [infographic].

Stop investing in yesterday’s architecture

IT leaders aren’t taking the danger lying down. According to the Cybersecurity Market Report, worldwide spending on cybersecurity will top $1 trillion for the five-year period from 2017 to 2021, while the Citrix-Ponemon survey found that 98 percent of businesses will invest at least $1 million in the coming year. But if they’re buying the same kind of solutions as they have been, it’s not going to do them much good. Seventy percent of survey respondents had made security investments they’ve been unable to deploy, and 69 percent report being stuck with existing security solutions that are outdated and inadequate.

 Security professionals do recognize the need for better tools—65 percent of respondents believe that an improvement in technologies will improve security and reduce risk. But what kind? More and more point solutions will only increase complexity and fragmentation while inevitably leaving gaps. What’s needed is a new security architecture designed for the way people and organizations work today.

 To maintain security in every scenario—every device, every network, every user, every resource—you need a holistic framework that protects apps and data at all stages, in use, in transit and at rest, no matter where they’re used, on any device. That means building security into the DNA of your IT infrastructure, implemented through technologies including the virtualization of applications, desktops and networks; data centralization; and layered security on data sources with contextual access policies that allow the right level of usage based on the user’s current profile and situation. This kind of approach can let you simplify and streamline from the 30 – 40 security technologies in place at many businesses to more like three or four—while actually improving protection.

The millennial effect (and boomers and gen-Xers)

While we’re talking about security architecture and technologies, it’s important not to forget the human factor. A staff loaded with security ninjas would obviously help, but that’s an impossible dream in today’s tight talent market; while 72 percent of those surveyed said that an improvement in staffing would improve security, only 40 percent were successfully hiring knowledgeable and experienced security practitioners. You’re going to have to look to your broader enterprise workforce for answers. The first step is to understand who you’re dealing with—and their impact on risk.

 We hear a lot about millennials these days, but keep in mind that the enterprise workforce is still well-stocked with gen-Xers and baby boomers as well. The diverse behaviors of these groups have direct implications for your approach to security. Consider:

• Millennials and gen X are seen by IT and security professionals as the most likely to be careless or negligent about following security policies (26 percent and 30 percent of respondents, respectively, compared with 16 percent for baby boomers).
• Millennials (39 percent) are seen as more than twice as likely as baby boomers (16 percent) to use unapproved apps and devices.
• In contrast, baby boomers are seen as by far the most susceptible to phishing and social engineering scams (33 percent), or to be unaware of how to protect sensitive and confidential information (30 percent).

 Part of IT’s mission is to empower users of all types to work productively without undermining security. We recommend a complete approach based on five essentials:

• Contextual identity and access control to allow the appropriate levels of access and usage based on the user’s current location, device, resource and network.
• Network security designed to let people to connect securely from wherever they’re working, whether at home, in a café, on the road for business, overseas or anywhere else, with a seamless, consistent and transparent user experience.
• App and data management based on the centralization of Windows apps and data, and the containerization of mobile apps, all managed and controlled centrally to reduce risk and ensure auditability.
• Monitoring and analytics for end-to-end application traffic, with full auditing and accounting of resource access. Anomalies such as overly risky behavior or usage patterns that diverge from long-time norms should be flagged immediately for investigation.
• Employee awareness to make sure everyone in your multi-generational workforce understand the ABCs of security in today’s world, from the importance of password hygiene and phishing alertness to the perils of a jailbroken smartphone.

You can learn more about security for the multi-generational workforce in this blog, “All Generations, All Risks, All Contained: A How-To Guide”.

Yes, security poses a daunting challenge in our changing world. But it’s not insurmountable. In fact, the right approach can make security simpler than every—as well as more comprehensive and effective. Citrix is here to help. To explore further, you can start by visiting our Citrix.com/secure page.

Mike Orosz
Director, Threat and Investigative Services, Citrix