The world of IT is driving automation and improving service delivery all the time, and this is having a direct and positive effect on company revenues as well. It is entirely unfortunate that some of this gain is being eaten up by the ever more complex ways that criminals and hackers are finding to get hold of your sensitive data. The sheer number and complexity of cyber security incidents are now growing far more quickly than the security staff employed to keep up with them.
Despite the millions invested in security technologies such as anti-malware, next-generation firewalls and encryption, Vijay Basani, co-founder, president and CEO of EIQ Networks, writes in SCMagazine.com that the era of sole reliance on signature-based technology and compliance-driven risk management is coming to an end.
Worse than the increasing number of attacks is that they are becoming more sophisticated and more intelligent. Their ability to target vulnerabilities in both systems and people means they can completely circumvent many traditional, signature-based tools. The high-profile attack on Target, which compromised the data of 40 million customers, is a prime example of a company that invested millions in the absolute best security measures yet still fell foul of these more switched-on attacks.
Organizations, especially in banking, retail, education, health care and media, need to worry not only about the disruption to business and the negative PR, but also about the class action lawsuits from customers that could result. These new developments must force organizations to reassess their approach to IT security.
Implementing Critical Security Controls (CSC) can proactively find weak links in an organization’s IT infrastructure, including its people, processes and technology. Continuous assessment helps identify the attack patterns and suspicious behaviour that signal an attack, while at the same time improving overall IT security.
According to a 2013 survey, less than 10% of organizations had proactive and automated assessment of security controls. The question arising from this is “Does our organization have a way to detect unauthorized access?”
Unfortunately, it is impossible to secure any network completely. However, by continuously knowing who, what, when, where and how with regard to your infrastructure, you can massively reduce the risk of an attack. Mobile employees, contractors with privileged access and other potential ‘access’ points should be monitored closely against the threat of disclosing commercially sensitive data, whether intentionally, accidentally or indirectly.
Companies that implement more rigorous controls see meaningful and tangible benefits, resulting in a marked decrease in malware, vulnerabilities and attacks. Furthermore, implementing CSCs means that an organization’s security infrastructure can respond to the rapidly changing threat landscape.
The security principles set forth in the industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check and Act (PDCA). Many good security products are on the market, but each is designed to meet specific threats and will not block others. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”
The Breaches We Don’t Know About
Stories of major data breaches continue to roll in. One victim announced during the spring was hard drive maker LaCie...