Targeted controls are the key to effective information security, according to global business consultancy Protiviti.
The firm's managing director and global lead of the IT governance and risk management practice, Jonathan Wyatt, said too often businesses focus only on keeping intruders out.
“But they lack any clear vision of what they are trying to achieve or any real strategy for doing so,” he said.
Many businesses believe that they are powerless in the face of sophisticated, well-resourced cyber attacks.
“But if businesses are clear about what information assets and systems really matter, it is not that difficult or costly to develop a security strategy and find the right tools to support it,” said Wyatt.
The first thing businesses need to accept is that it is impossible to protect everything to the highest level all the time, he said, but also that they do have valuable data and that keeping it safe is achievable.
“The biggest wastage we see is where security systems are rolled out across the whole enterprise at huge cost,” said Wyatt.
“Typically they are not fully implemented which means they are not providing the level of protection in critical areas that they need to, but are providing general protection in a lot of areas where it is unnecessary.”
Instead, Protiviti suggests that businesses should better understand their risks and risk appetite to enable them to deploy targeted security controls for smaller, well-defined threats.
“This approach ensures that businesses are able to provide effective, meaningful protection for highly valuable data and critical systems at a relatively low cost,” said Wyatt.
“This approach recognises that while it is still important to do the security basics well to reduce overall risk, the basics alone will not provide adequate protection against the biggest threats,” he added.
Businesses must take control of their IT landscape
According to Protiviti's managing director and European head of security and privacy IT technology consulting, Ryan Rubin, attackers seem to have the upper hand because they need to find only one vulnerability to exploit in an ever-expanding attack surface, but businesses can gain an advantage by taking control of their IT landscape.
“They own their IT landscape and can be proactive about controlling what goes on in their environment in the same way as airports control the movement of passengers from check-in to arrival, with various control points along the way,” he said.
But, according to Rubin, most businesses are not thinking about how to control attackers once they have breached perimeter defences or how to stop them from stealing valuable data.
“Office fire drills are part of our culture, but a lot needs to happen in the information security world before preparation for data breaches and testing of response capabilities becomes embedded in business culture,” he said.
Rubin added that this is why it is important for businesses to understand the potential impact of breaches on data assets and systems, so that they can prioritise their IT defences.
For example, during mergers and acquisitions, it would make sense to deploy something like a data leakage prevention system to cover only those employees involved in the transaction, and only during the critical period.
“It is easier and more cost effective when security systems are applied to a particular use case rather than attempting to provide a general level of protection for everyone all the time,” said Rubin.
Similarly, it is more effective and less costly to deploy security monitoring only for specific actions by privileged users on critical systems rather than for all employees all the time, regardless of their role.
Golden opportunity to review information security
Protiviti believes that information security is now at a stage that is analogous to the position F1 motor racing was in during the 1980s.
“Being an F1 driver was a dangerous job and it took a few serious accidents to change the way F1 motor racing operated; cars were re-engineered and safety procedures were revised to make it one of the safest sports in the world,” said Rubin.
“In the information security world, we have a golden opportunity to take a step back before there are any truly devastating incidents to revisit the way businesses operate and get better control of our information assets and systems,” he said.
Despite the challenges, Wyatt said regaining control is possible by adopting a targeted approach to reduce the number of things that require immediate attention.
“If businesses pick their battles more carefully, have a strategic battle plan, and invest in fewer security systems that actually do what they need them to do, there is a good chance of success,” he said.
Rubin predicts that future information security systems will be far more targeted, with only specific actions, or combinations of actions and factors such as job roles, triggering alerts and more detailed investigations.
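To make the targeted-monitoring idea from the examples above concrete (a time-boxed control for the deal team, and alerts only for sensitive actions by privileged users on critical systems, with role and asset criticality combined into the rule), here is an added illustration in Python. It is not Protiviti's code or anything described in the article; the log format, user names, roles, system names, deal window and rule thresholds are all constructed assumptions for the example.

```python
"""Targeted alerting over audit events.

Instead of alerting on every action by every user, each rule combines an
actor's role, the asset's criticality, the action type and (for the deal
scenario) a time window, so only defined risk scenarios fire. Everything
below (log format, names, systems, dates) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str      # assumed role vocabulary: dba, sysadmin, finance, legal, staff
    system: str
    action: str    # assumed action vocabulary: read, login, export, config_change, privilege_grant


# Constructed inventory of "what really matters": the short list of critical
# systems and privileged roles, plus the actions worth watching on them.
CRITICAL_SYSTEMS = {"erp-prod", "customer-db"}
PRIVILEGED_ROLES = {"dba", "sysadmin"}
SENSITIVE_ACTIONS = {"export", "config_change", "privilege_grant"}

# Constructed time-boxed scenario: the people working on a transaction get
# DLP-style export monitoring only while the deal is live.
DEAL_TEAM = {"alice", "bob"}
DEAL_WINDOW = (date(2024, 3, 1), date(2024, 3, 31))


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: '<iso-timestamp> <user> <role> <system> <action>'."""
    ts, user, role, system, action = line.split()
    return Event(datetime.fromisoformat(ts), user, role, system, action)


def matches_rule(ev: Event):
    """Return the name of the scenario this event triggers, or None if it is noise."""
    # Rule 1: a privileged role performs a sensitive action on a critical system.
    if (ev.role in PRIVILEGED_ROLES
            and ev.system in CRITICAL_SYSTEMS
            and ev.action in SENSITIVE_ACTIONS):
        return "privileged-sensitive-on-critical"
    # Rule 2: a deal-team member exports data while the deal window is open,
    # regardless of which system the export came from.
    if (ev.user in DEAL_TEAM
            and ev.action == "export"
            and DEAL_WINDOW[0] <= ev.ts.date() <= DEAL_WINDOW[1]):
        return "deal-team-export-in-window"
    return None


def alerts(lines):
    """Run the rules over audit lines; return (scenario, user, system, action) per hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        scenario = matches_rule(ev)
        if scenario:
            hits.append((scenario, ev.user, ev.system, ev.action))
    return hits


def summary(lines):
    """Return (events_seen, alerts_raised) to show how much noise the targeting drops."""
    return len(lines), len(alerts(lines))


# Constructed sample audit log: 8 events, of which only 3 match a scenario.
SAMPLE_LOG = [
    "2024-03-10T09:15:00 alice finance fileshare export",      # deal team, in window
    "2024-03-10T09:20:00 carol finance fileshare export",      # not deal team, not privileged
    "2024-03-11T14:02:00 dave dba customer-db export",         # privileged + critical + sensitive
    "2024-03-11T14:05:00 dave dba wiki export",                # wiki is not critical
    "2024-03-12T08:00:00 erin sysadmin erp-prod login",        # login is not a sensitive action
    "2024-04-02T10:00:00 bob legal fileshare export",          # deal team, but window closed
    "2024-03-12T08:30:00 erin sysadmin erp-prod config_change",  # privileged + critical + sensitive
    "2024-03-12T09:00:00 frank staff erp-prod read",           # ordinary read by ordinary staff
]

if __name__ == "__main__":
    seen, raised = summary(SAMPLE_LOG)
    print(f"{seen} events, {raised} alerts")
    for hit in alerts(SAMPLE_LOG):
        print(hit)
```

The point of the design is that the rules are written against the inventory (critical systems, privileged roles, the deal team and its window) rather than against individual users or a blanket "alert on every export" policy; changing what the business considers critical changes the sets at the top, not the rule logic.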