Introduction
Most organizations have an attack surface that is constantly expanding. Those whose security policy aims only at stopping intruders at the perimeter are doomed to failure. The highest levels of security should be applied only to the most valuable data – this will increase the robustness of that data’s security. This requires a risk-based approach to cybersecurity. There also needs to be a strategy to mitigate losses for when (not if) the perimeter is breached.
Global business consultancy Protiviti has stated that the key to effective information security is targeted controls. Too often, the focus in a business is simply on keeping intruders out. This leaves the organization with no clear vision of what it is trying to achieve, and perimeter defense ends up standing in for any clear, coherent strategy.
Many businesses, writes Warwick Ashford for Computer Weekly, believe that they are powerless in the face of sophisticated, well-resourced cyber attacks. However, if an organization is clear about what information and systems really matter to it, then it is neither difficult nor costly to develop a strategy that focuses security on these particular areas.
The first thing any business must accept is that it is impossible to protect everything at the highest level all the time. That said, protecting the most important and valuable data is most definitely achievable. The biggest waste occurs when security systems are rolled out across an entire enterprise at huge cost. Often they are never fully implemented, leaving an inadequate level of protection for everything instead of a high level of protection for the assets that matter most.
This leads to many areas being covered when it is not really necessary, while areas where protection is critical are left exposed. Instead, businesses should better understand their risks so they can properly deploy targeted controls against smaller, well-defined threats.
It can often seem that attackers have the upper hand. After all, they need to find only one weak point in an ever-expanding attack surface. Businesses can regain the initiative, however, by taking full control of their IT landscape.
Most businesses do not seem to think about how to control attackers once they have breached the perimeter defenses, or how they can stop them from stealing valuable data. A lot needs to happen in the information security world before preparation for data breaches and testing of response capabilities are as embedded in our culture as, say, fire drills are today.
It is highly important for an organization to understand the implications of a breach of its data assets, so that it can effectively prioritize its IT defenses. It is easier, and more cost-effective, to apply security systems to particular cases and uses than to provide a general level of protection for everyone all the time.
A good analogy is the state of F1 racing in the 1980s. Being a driver was a dangerous job and small mistakes could lead to huge consequences. It took a few serious accidents to change the way F1 racing operated. It is taking serious data breaches to do the same to information security.
Summary
- Keeping intruders out at the perimeter is impossible
- Organizations should therefore not waste time and money trying to achieve this
- Instead they need a strategy where risk is assessed, with the highest levels of security placed around the most valuable data
- They also need strategies to deal with situations when intruders get in
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”