PCI Security Standards Council director says that security needs to be integral to operations

He also highlighted that many organisations are failing to adhere to the PCI Data Security Standard (DSS) - resulting in around £1 million of card fraud losses per day in 2010 - and advised that compliance is not just about preventing intrusions, but also about ensuring systems are in place to alert organisations to any misuse of data.

Commenting on King's warning, Ross Brewer, vice president of LogRhythm, the audit and log management specialist, said that, whilst organisations are beginning to realise the importance of protective monitoring, many do not fully understand the scope of what it entails.

Jeremy King, he says, is right to highlight that we cannot rely on a single solution to prevent data breaches. However, many organisations place too much faith in traditional security methods that try to fence out the threat.

"The repeated high profile security incidents currently making the news should have proved to everyone that data breaches are now an inevitability", he said.

"Today, defending networks depends on traceability - organisations need the ability to connect seemingly unique events so that anomalies can be identified and action taken to minimise damage", he added.

According to Brewer, as Jeremy King says, with the right policies in place "you may not prevent ten records from going out, but the likelihood of preventing it before it reaches 75 million is definitively increased."

The LogRhythm vice president is also in favour of protective monitoring, but cautions that companies should not fall into the trap of viewing monitoring as a one-time-only compliance requirement.

To be effective, he asserts, protective monitoring must involve ongoing analysis of all log data.

"In addition, due to the volume of logs generated by modern IT systems, and the increasingly disparate nature of networks, it is vital that they consist of automated, centralised and fully integrated log management platforms", he said.

"In the current marketplace of increasingly complex IT and data operations, this approach is the only way to provide the deep insight required to secure the IT estate and guarantee compliance with regulatory obligations like PCI DSS", he added.
