
Leaving the door unlocked in information security

Inside the enterprise: Most data security threats are well known and can be prevented. But research shows firms fail to act.


When it comes to securing their networks and data, too many businesses are fitting expensive locks, but leaving the keys under the doormat.

There's no doubt that the information security threat has increased over the last few years, with the growth of organised crime, and state-sponsored electronic espionage and cyber warfare.

But most hacks, researchers say, take place against systems that are not properly secured, or using well-known, often simple, exploits where a fix or patch is available. Hackers today are still compromising systems using vulnerabilities from two, three or even four years ago.

One piece of research, by the US standards organization NIST, found that some 90 per cent of cyber attacks were aimed at these known vulnerabilities. Companies might be forgiven for failing to act quickly against so-called "zero day" attacks, but not against those that have been around for months, or even years.

Part of the problem is the complex nature of IT systems: it is becoming harder to keep everything up to date, and to keep on top of all patches and vulnerability alerts. But part of the problem is also an unrealistic reliance on technology and automation. CIOs might believe their networks are protected, but no defence is impenetrable.

This problem is highlighted in the recent annual Global Security Report from Trustwave, an IT security consultancy.

According to John Yeo, the company's head of ethical hacking and incident response, companies are not only failing to secure systems properly by ensuring their defences are up to date and systems correctly configured; they are also failing to detect attacks, and not responding in the right ways when they do.

The problem of failing to detect attacks is especially worrying, as hackers can do untold damage in the time it can take a company to realise they have been compromised. In these cases, the breach can lead to the loss of tens of thousands of personal records or items of intellectual property that could have been secured, had the hack been detected and the malware removed.

And it is the lack of a proper incident response that is letting companies down, says Yeo. Businesses may invest heavily in disaster recovery and business continuity plans, and can be as prepared as possible for theft, fire or flood. But the disruption caused by a cyber attack is often left out of that planning.

"What is fundamentally lacking is an incident readiness capability," he warns. "You need to start with the mindset that at some point, you will suffer a breach. So you need to have people, processes and technology in place to respond when, not if, that occurs."

That incident response plan should be kept up to date, and the people involved should take part in exercises and drills. As Yeo points out, the best response teams are cross-department, and may not be people who work together on a day-to-day basis: not just IT, but HR, the legal team, and even physical security.

An efficient information security response plan needs to be kept up to date, as do information security tools. As the public awareness posters used to say: "lock it, or lose it."
