Up until now, security has been mostly a catch-up game. A vulnerability is discovered, a patch is issued and applied, and so on and so forth.
However, as with all catch-up games, it will inevitably fail. By the time a new threat has taken hold, or the vulnerability has been found, it is too late. Companies will have been breached, and information or money stolen. Catch-up is a deadly game where security is concerned, and companies that are playing it are coming off second best.
The only hope businesses have of successfully defending themselves is by being proactive instead of reactive. Any business that sees security as an afterthought will soon be in big trouble. Security must be considered from the starting point, aligned to business objectives, and built in at the development level so that it is integrated into every process and every aspect of the company.
Solid security comes with a mind shift, commitment and a good plan. Start by understanding exactly where you want the business to end up. Are you looking for the most state-of-the-art security systems out there? Are you hoping to merely do things at least as well as your counterparts and competitors? Or are you looking to implement the least possible security that allows you to avoid falling foul of regulatory bodies in the event of an incident?
Understanding what the aim is will help you understand what you can afford, and also what you can't afford. Risk assessment is the next step, and is a vital part of security planning. No plan can be put into effect until a thorough assessment of the risks has been undertaken. This assessment provides a baseline for the development and implementation of any security plan, so that the most important business assets are protected from today's threats.
A powerful security solution is part of the basic protection all companies should employ, but security goes much further than that. Security should not only include virus protection, a spam filter, a firewall and real-time protection against online threats, but also proactive policies and strategies that will close any software security holes. Companies need to be clear about the dangers out there. Knowing what scams and tricks cyber criminals use is the only way they can protect themselves against them.
When assessing an organisation’s breach risks, look further than just IT security. Chat to HR to evaluate the company’s exit strategy for employees, have regulations in place for both on-premise and off-premise data storage, examine the current BYOD policy, and if necessary establish new policies to plug any holes.
You must have a plan in place in the event of a breach. Having a plan of action will prevent indecisive hovering and operational paralysis should a breach happen. In addition, having such a strategy in place will reassure customers and regulators that the business has taken preparatory steps to address a possible breach. Also, make sure that management are aware of their roles in the plan, and that this is filtered down to staff.
Getting into security shape is hard work, and takes time and dedication. There is no quick fix and no silver bullet. It is no longer about merely buying a product. The security landscape is a complex one, and several layers of defence at multiple points in the organisation are needed to successfully combat today's sophisticated threats.
Lutz Blaeser, MD of Intact Security