First, let’s take a look at what is often badged as the ‘cyber threat brigade’. For the last couple of years, if not more, we have said there is no silver bullet but this has now manifested itself into the forecast that you are going to be breached.
Now let’s go back to our analogies – our usual favourite is the car. Imagine going into a car showroom and asking about the brand new car that you have had your eye on for a while. The sales guy then says to you: “We know you are going to have an accident, so we haven’t fitted the best breaks – they’re OK and should be effective most of the time. We also tested the airbag last year and it seemed to be fine then but we have installed the latest and best available safety belt as it is required by law and we have to comply to regulations and best practice. It is a pain but, in this day and age, everyone has to be compliant to gain customer loyalty.”
Another old favourite analogy is the castle – a classic layered approach and defence in depth. “Captain are we secure? Yes, we tested the drawbridge and it only lets in those that we think are safe to come in and we have ensured that the guards are vigilant but, with the skills shortage at the moment, we are taking anyone who can stay awake to be honest and show some interest in keeping the bad guys out. We have also kept the secret tunnel open just in case we need the backdoor.”
In all seriousness, anyone taking this approach in business will not last too long and we are very aware of the risks and the seriousness of the headlines. However, the vast majority of businesses are working hard to ensure that their customer data remains secure and that they are protecting their employees and customers with the same due care and attention.
In my view, we have done a lot to secure business and personal information over the last few years and, whilst we know the threats are constantly changing, understanding the risks to the business still needs to be articulated and managed effectively. We all know that car breaks are there to enable us to go faster. Likewise, information security and proper risk management should be used in the same way to enable businesses to assess the right risks and put in the most cost effective controls. This requires a comprehensive approach to risk management that covers all aspects of information security – not just the perimeter or endpoint but every aspect including applications, data and identity.
Take a look at our recent Risk:Value report to see that we still need to work on ensuring that all levels within the business understand the risks and take appropriate measure to protect personal information. Technology will continue to be developed that address a specific risk but, these have to be placed in an enterprise security architecture that matches the business appetite for risk. Reducing complexity should also be part of the overall approach – not just in terms of the technologies deployed but also in the management and policies applied. Businesses are merging and growing, leading to complexity that simply can’t be managed effectively.
Car safety and castle building have come a long way over the years but both have benefited from learning the lessons when an incident occurs and continually assessing the risks. Information security has to continue to evolve but some basic steps in prevention is still better than the cure.
- Regularly test your environment inside and out
- Reduce complexity in your infrastructure and management policy and rules
- Have a comprehensive Enterprise Security Architecture
- Understand the real risks to your business and spend wisely
Cyber security isn’t working. Too many companies are being breached; and governments globally are recognising the need to invest heavily to protect vital services and infrastructure.