IT Teams Must See Security as a Business Enabler
The Paypers - April 11, 2017 by Danielle Jackson
The scale of data breaches in 2016 was unprecedented, with more than 2.2 billion records stolen and nearly 3,000 public data breaches.
As highlighted by Towergate Insurance, 97% of organisations still neglect to prioritise online security improvement for future business growth. With the implementation of GDPR rapidly looming, being negligent in this way is no longer an option that anyone can afford. Take the infamous Yahoo! breaches of last year, rather than a meagre fine of GBP 500,000, a sum that they more than likely turn over in less than half a day, the search giant could instead face a fine of circa. GBP 196,000,000.
Security should not be decided by cost. It is inevitable to think that cost will never be a factor, but it is all too common that IT purchase decisions are driven solely by price rather than need. Companies will try to implement the bare minimum and, in some cases, also sacrifice usability and by extension, business productivity. Employees who aren’t confident in the tools and systems they are provided often turn to “shadow IT” tools, many of which are cloud-based file sharing applications that are not officially approved for use by the IT department.
What are the challenges that hold business back?
- The IT umbrella
Over the last decade, the business landscape has changed dramatically. Every business is now reliant on IT systems and the Internet in order to function. As a result of our dependence on IT systems and connectivity, security has arguably been pushed up the corporate agenda. It’s another form of risk that happens to cut across every organisation. It’s also a board issue and a critical priority for management as well as shareholders. Despite this, many organisations are mistaken in continuing to view security as an IT issue and utilise the same budget to cover it.
But a breach could easily mean going out of business if their intellectual property is stolen, or if they are discovered to have been a launching pad for attacks against a larger business partner. Security holds insurmountable importance.
- A lack of consistency from above on the importance of security
Like all sources of risk, security must be incorporated and addressed at the leadership level of the business. Currently, leaders at the front lines of IT typically prioritise security, this cannot be said for the rest of the executive team. The challenge for many security professionals lies in successfully communicating their passion and enthusiasm to the senior level. Often, it is a struggle to properly express security concerns whilst keeping audiences engaged. But not having a dedicated in-house cybersecurity programme to educate and protect your network, sensitive data, and employees, is the equivalent of not checking if your doors are locked at home, then hoping for the best.
- Many are unaware of their assets
Many organisations are actually unaware of all of their assets. Even those with a dedicated security specialist may not have visibility of every department in the business due to the often siloed approach to content. It is essential to carry out a thorough review of where a business’ ‘crown jewels’ are and what security measures are in place. Evaluating whether it is really up to preventing the latest threats posed by ransomware actors and other cybercriminals.
Whether we like it or not, security is linked to the business strategy, and those that understand their assets will be able to make more informed decisions, manage problems better and ultimately provide more disclosure.
- The vulnerability of supply chain security
Staying on top of just your own organisation’s security and technology is challenging enough. But tracking a third party “wildcard”, from a security perspective, is almost near-impossible. Supply chain security, the vulnerabilities and the connections between businesses represent risks that major companies need to also be considering. This is a growing problem, last year there were reports of several big US companies suffering major breaches due to security compromises in smaller businesses they had relationships with.
- A lack of dedicated cyber security staff
It is undoubted that some progress has been made and many organisations have started to understand the need of having a dedicated security staff, in fact, demand for a cybersecurity workforce is expected to rise to 6 million globally by 2019.
But it is no secret that cyberterrorists are getting more skilled and insidious every year and we are yet to see this replicated business-wide.
There is no doubt that some progress has been made, however it is essential that this ‘bare minimum’ attitude does not extend into the GDPR regime. Particularly when the requirement is two factor authentication, an outdated security measure. While 2FA methods are certainly better than username and password alone, hackers are proving time and time again that they can gain access with stolen credentials. Whereas, preventing the misuse of stolen credentials entirely solves more of a business and security problem than a security problem alone.
A more robust and adaptive approach is needed to provide maximum protection and enterprises must explore new authentication solutions. Modern approaches such as adaptive access control techniques bring greater security to organisations attempting to ‘close their front door’ to attackers, while not bothering authorised users unless there is risk. Security must be recognised company wide, protecting assets and users across the business. As well as be easy to use in order to prevent employee workarounds that expose network vulnerabilities.
Read the full article here