Understanding the business is key to moving away from traditional perimeter-based information security, according to independent security consultant Brian Honan.
“A 21st century approach to information security requires an understanding of the business and the way people in the business work,” he told the (ISC)2 EMEA Congress 2016 in Dublin.
The threats are real, said Honan, and include data theft, hacktivism, industrial espionage and even insiders, whom attackers increasingly target in preference to operating systems or applications. A new business-linked approach is needed because traditional security is failing, he said.
But unfortunately, very few information security professionals read business plans or annual reports to know where the business is heading, whether it plans to expand into new markets or whether it plans to use contractors, all of which should be included in the security strategy, said Honan.
One way for information security professionals to get to know the business better, he said, is simply to take half an hour over lunch to talk.
Honan said a lunch discussion with members of the sales department at one company revealed that they all avoided using company email because the VPN connection was difficult to use and slow.
“They were forwarding all their emails to their private webmail accounts so they could access their emails quickly and easily, but they were also bypassing all security controls,” he said.
As a result, the security team was able to go to the board with the support of the sales team to get approval for a secure cloud-based email system that had all the security without all the hassle.
“Often, a sandwich and a cup of coffee can go a long way” in enabling security professionals to identify potential risks and find secure and easier alternatives, said Honan.
“It is essential to find out what key systems people in the business need, understand fully where all the key data resides, and then conduct risk assessments based on that,” he said.
Next, organisations need to establish clear policies that are appropriate for the business and how it works, said Honan.
But he cautioned against copying security policies from online sources, citing a government department that did so without realising that the policy contravened its own data protection rules.
Encryption is also essential, said Honan, pointing out that because the value of data outweighs the cost of encrypting it, and encryption is easy to do, there are no more excuses for failing to add this layer of protection.
As more businesses move online and to the cloud and workers become increasingly mobile, identity and access management is crucial for data protection, said Honan.
“Ensure that your company is using good, strong passwords and two-factor authentication wherever possible, which means it is unnecessary to change passwords frequently,” he said.
Security awareness and training is another essential security basic, said Honan, but it must be aimed at explaining to people in the business the reason for each security control, how the controls protect them and the business, and how they can engage with the security team when necessary.
“Show how security is not an inhibitor but enables them to work in safer, easier ways in the same way that brakes on a car enable people to travel faster in the knowledge that they can slow down and stop when necessary,” said Honan.
Ensuring systems are patched and kept up to date, and that the business has monitoring systems in place and the ability to respond, are also essential, he said.
“The most common causes of data breaches that we see are unpatched systems, weak passwords and a lack of monitoring and response capabilities,” said Honan.
Finally, it is important to ensure antivirus systems are working and up to date, he said. There is no point in worrying about zero-day attacks when they are extremely unlikely to target most companies, while leaving the door wide open for the vast number of low-level and automated attacks that any good antivirus will catch, he added.
Breaches are inevitable, said Honan, and with mandatory breach reporting to be introduced under European data and network protection requirements, it is best to be prepared.
Honan ended with an appeal to information security professionals to engage with their peers and share information about cyber attacks and data breaches.
“We are not good at sharing information,” he said. “I still don’t know, for example, what was the root cause of the recently disclosed Yahoo breach in 2014. We need better information-sharing.”