Comment: Are we winning the war against cybercrime?

Many battles need to be fought before a war is won, and when it comes to fighting cybercrime, the same holds true
Simone Seth, ISF

Military history tells us that many battles need to be fought before a war is won, and when it comes to fighting cybercrime, the same holds true. Continuous headlines about security data breaches show us that there are still more challenges ahead.

For example, the criminals who recently hacked into Google’s systems allegedly attacked more than 100 other companies, and in February it was reported that hackers stole customer names and payment card information from a leading hotel group. The list goes on, but the good news is that the vast majority of organizations are more determined and better placed than ever to protect their data, brand value and reputation.

Over the past few decades there has certainly been greater awareness and investment in information security. But at the same time, the level and sophistication of attacks has also increased. So with breaches still happening, it should come as no surprise that many business and government leaders are asking what more can be done.

In some cases breaches happen because there was inadequate protection in place; but in many other instances, breaches happen despite robust integrated control structures throughout the enterprise.

So, is the solution additional investment in more advanced tools and products, or should money be spent on further security awareness training in an attempt to change people’s behavior and the culture surrounding security and privacy?

These are substantial questions, and while it is possible to draw conclusions, meeting the challenges of protecting information can only be achieved through a structured, informed and methodical approach.

The first step in determining how to better protect against cybercrime is to truly understand the nature of the attacks. For example, are they perpetrated primarily from external sources and focused on target organizations, or are the majority undertaken by insiders?

A careful analysis of attacks faced by a single organization or organization type should be followed by a thorough review of the effectiveness of current security programs and control frameworks.

An effective strategy for protecting information can only be developed based on a detailed understanding of the threats, vulnerabilities and control gaps in the operating environment. It may be that additional investment in products and technology solutions is required or, alternatively, the existing security and business processes may simply need to be refined.

The key point here is that there is no one-shot solution for information security. Protecting information requires constant vigilance and application.

So, can organizations ever completely protect themselves from the likelihood of data breaches? With new technology emerging all the time and the nature of the attacks constantly changing, it is likely that some vulnerability will always exist; but that doesn’t mean the criminals will win. What organizations need to do is to arm themselves with all the latest methodologies and tools at their disposal and harness knowledge and expertise through working with organizations such as the ISF. This way we will be able to reduce the level of risk and win the daily battles.

Here are just some of the things private and public-sector organizations anywhere in the world need to do:

  • Understand the implications of ubiquitous access and distributed information
  • Appreciate the enterprise-wide nature of security
  • Overcome the lack of a clear strategy and game plan
  • Establish proper organizational structures and segregation of duties
  • Understand complex global legal compliance requirements and liability risks
  • Assess security risks and the potential magnitude of harm a data breach would have on the organization
  • Determine and justify appropriate levels of resources and investment
  • Deal with the intangible nature of security
  • Reconcile inconsistent deployment of security best practices and standards
  • Overcome difficulties in creating and sustaining a security-aware culture

We may never totally rid ourselves of security breach headlines, but by working together, we can stay one step ahead of the criminals.

Simone Seth is senior research consultant at the Information Security Forum (ISF). She joined the ISF in 2006 and provides thought leadership and consulting services to ISF members in the areas of information security, information risk management, regulatory compliance and information security governance. Seth has produced research on topics from information security compliance, data privacy and wireless LANs, to outsourcing, third-party relationship management and trends forecasting. She has more than twenty years of experience in the financial services industry and has held senior roles with companies such as Deutsche Bank, Citibank and JP Morgan Chase, specializing in information security, data privacy, business continuity, security architecture and regulatory risk management.