Leaving the door unlocked in information security

Inside the enterprise: Most data security threats are well known and can be prevented. But research shows firms fail to act.


When it comes to securing their networks and data, too many businesses are fitting expensive locks, but leaving the keys under the doormat.

There's no doubt that the information security threat has increased over the last few years, with the growth of organised crime, and state-sponsored electronic espionage and cyber warfare.

But most hacks, researchers say, take place against systems that are not properly secured, or using well-known, often simple, exploits where a fix or patch is available. Hackers today are still compromising systems using vulnerabilities from two, three or even four years ago.

One piece of research, by the US standards organization NIST, found that some 90 per cent of cyber attacks were aimed at these known vulnerabilities. Companies might be forgiven for failing to act quickly against so-called "zero day" attacks, but not against those that have been around for months, or even years.

Part of the problem is the complex nature of IT systems: it is becoming harder to keep everything up to date, and to keep on top of all patches and vulnerability alerts. But part of the problem is also an unrealistic reliance on technology and automation. CIOs might believe their networks are protected, but no defence is impenetrable.

This problem is highlighted in the recent annual Global Security Report from Trustwave, an IT security consultancy.

According to John Yeo, the company's head of ethical hacking and incident response, companies are not only failing to secure systems properly by ensuring their defences are up to date and systems correctly configured. They are also failing to detect attacks, and not responding in the right ways when they do detect them.

The problem of failing to detect attacks is especially worrying, as hackers can do untold damage in the time it can take a company to realise it has been compromised. In these cases, the breach can lead to the loss of tens of thousands of personal records or items of intellectual property that could have been secured, had the hack been detected and the malware removed.

And it is the lack of a proper incident response that is letting companies down, says Yeo. Businesses may invest heavily in disaster recovery and business continuity plans, and can be as prepared as possible for theft, fire or flood. But the disruption caused by a cyber attack is often left out of that planning.

"What is fundamentally lacking is an incident readiness capability," he warns. "You need to start with the mindset that at some point, you will suffer a breach. So you need to have people, processes and technology in place to respond when, not if, that occurs."

That incident response plan should be kept up to date, and the people involved should take part in exercises and drills. As Yeo points out, the best response teams are cross-department, and may not be people who work together on a day to day basis: not just IT, but HR, the legal team, and even physical security.

An efficient information security response plan needs to be kept up to date, as do information security tools. As the public awareness posters used to say: "lock it, or lose it."
