Blind faith in security standards could create cyber vulnerabilities
By Seth Berman.
As 2014 draws to a close, it is becoming increasingly clear that cybercrime is an omnipresent threat, with the potential to touch every corner of society. But with almost every one of the high-profile breaches in the recent past taking place after the organizations had passed their IT audits and been certified as compliant with the relevant security standard, why are we still witnessing large-scale incidents?
The answer may lie in the entrenched focus on standards and the role of IT audits in combating cyber risks. While standards are important, the primary focus of a conventional IT audit is to ensure that the company meets a certain predefined security standard. But relying on an IT audit alone often leads to 'checklist syndrome', with the security strategy failing to address the wider business risks, even though the demands of the standard were met on paper.
Realistically, not all hacks can or will be prevented. Hackers are increasingly playing the long game once they have identified a network’s weak point: whether through phishing attacks designed to get an unsuspecting user to click on a link in a bogus email, or by accessing a third party’s connected system. Therefore, organizations must take steps to identify and address their key weaknesses, and much can be done to lower the risk of a hack and mitigate the consequences of a successful attack.
The process should start with a comprehensive security assessment, conducted by an external third party. This allows management to judge a company’s central risk profile and take steps to reduce that risk. The scope of this assessment is much wider than a traditional IT audit and allows an in-depth review of the organization’s risk profile, which takes into account details of how it does business, its network operations and the type of information held by the company.
Through this assessment companies can prioritise their security needs and make intelligent decisions about what they need to do to reduce their actual risk: not just to meet an arbitrary and often inapplicable standard.
One of the risk factors the assessment will explore is the extent to which security is seen as a company-wide priority. IT security cannot be the exclusive domain of the IT team and is unlikely to be solved by IT alone. Everyone involved in using the IT systems has a crucial and often overlooked role to play and organizations should aim to foster an environment where users are alert to what a threat may look like, how to respond and who to contact to report any concerns: without fear of reprisal.
Too many organizations impose IT policies from the top, without really setting out why a particular policy is being implemented. Whether relating to the use of personal web-based accounts or cloud storage services, most users see these policies as irritating and rarely understand the connection between the new policy and any real security weakness.
It is a process that is fundamentally flawed. Users must understand the rationale behind IT policies. Only if individuals understand why restrictions have been introduced will they avoid bypassing or undermining these rules, thereby creating new vulnerabilities.
Education is not only useful for ensuring compliance with security standards; it is also critical to ensuring that users do not become the weak link in the security chain. Careless executives or disgruntled employees represent a significant risk to cyber security, according to a poll of US companies. The Stroz Friedberg 'On the Pulse: Information Security Risk in American Business' survey found that a key challenge for companies is to strengthen cyber security from within, with 87 percent of senior managers regularly using personal email or cloud accounts to work remotely, placing such information at a much greater risk of being breached. The survey also found that more than half (58 percent) of senior management reported having accidentally sent sensitive information to the wrong person, compared to just one quarter of workers overall.
Hackers have become very adept at manipulating people. In one case, an individual received a phishing email purporting to be from a trade publication, referring to her recent subscription order. The email, which contained a virus, was sent by somebody who had hacked into the magazine’s database and was using that information for spear phishing attacks. Individuals must, therefore, be taught to be vigilant about such attacks and given the confidence to call the individual or team responsible for IT security and report their concerns, without reprisal.
Risk management professionals and senior executives can no longer depend on IT audits as the first line of defence against cybercrime. Resilience must be boosted through regular security assessment and a clear commitment to harnessing the combined strength of the entire organisation, at all levels. While cyber risks cannot be eliminated, this strategy will create a strong foundation from which to counter an emerging threat.
Date: 4th December 2014 • Region: World • Type: Article • Topic: ISM