To make sound cyber security investments, organisations need to understand the value of their data, where it is stored and where it has been sent, according to an industry expert.
“They must also have a firm understanding of the regulations and legislation that may affect their data as well as of actors, so we know who we are trying to protect ourselves against,” said Michael Dieroff, managing director of training and consulting firm Blue Screen IT.
“Look at regulations and legislation to identify what you absolutely have to do to avoid penalties for non-compliance with the laws and use current technology to help identify the real risks to the organisation and where new investment needs to be made,” Dieroff told Cybercon 2017 in Plymouth.
“Use the logging features of current systems to tell you what is actually going on in your IT environment on a day-to-day basis and identify potential issues and risks, such as phishing.”
But Dieroff said the most important thing when it comes to security budgets is for organisations to be honest about their true security posture.
“Failure to be totally honest about your real strengths and weaknesses will result in failure to protect yourself appropriately,” he said.
Best-practice guidelines and industry standards are another useful way for organisations to identify what security technologies, systems and controls are the most relevant and effective for their industry and business, he said.
By failing to do this, said Dieroff, organisations will be tempted to buy all the new security technologies on offer in the market, but many of these may not be appropriate for their particular business and may cause more problems than they solve.
“If you run a fish and chip shop, security is really about keeping your batter recipe safe, so investing in any security technologies that are not needed to keep that data safe is a waste of money,” he said.
A fish and chip shop does not usually need things like central management and access control, he said. “Security investments need to be guided by what the business actually needs.”
Dieroff warned businesses against the temptation of buying “black boxes” to plug into their networks that suppliers claim will meet all their security needs. He also cautioned against claims of products being “military grade” or “government proof” and even “impervious to key loggers” or “always on VPN”.
Finally, it is important to make employees aware of the reasons behind each security policy and technology and to listen to their feedback, he said.
“Find out what employees are seeing, what they are experiencing with security controls and how they are experiencing business as usual with those controls in place, because if their experience is not positive, they will not participate and find ways to go around.” Using this approach, organisations can identify what their actual needs are in terms of security and compliance, said Dieroff.
“The first important step is attending events like Cybercon to increase awareness around security topics by listening to experienced speakers from around the world, and by being aware of your organisation’s security posture and needs,” he said.
“The reality is that it takes a lot of time and effort, as well as continual research, to stay at the tip of the spear and, hopefully, ahead of your attackers.”