Security Think Tank: Flame shows why risk management is a business essential

What can enterprise learn from initial analysis of Flame malware?

The discovery of Flame marks new heights in targeted malware. The lengthy period for which it went undetected and its sophisticated capabilities have clearly concerned IT supplier and user communities alike. But it cannot have taken any IT professional by surprise.

With cyber criminality increasingly focused on monetary reward, espionage and incapacitation, threat mitigation and prevention have become top concerns for IT managers, and risk assessment and management not simply a security preoccupation, but a business essential.

Specifically, it appears Flame's objective was the harvesting of data. Unsurprisingly, "data management, quality and protection" consistently features in the top five operational goals and in the top five IT strategies of Corporate IT Forum members (Strategy Survey 2012).

The Forum's latest Information Security Service survey revealed that almost all participating organisations had prioritised maintaining compliance with the UK Data Protection Act. They were supporting that work with data protection, retention and loss prevention strategies, and with formal IT policies: acceptable usage policies (AUPs) for equipment and services, controls around data (including portable computing and removable media controls), and guidelines for personal use of social networking sites and technologies.

PCI-DSS compliance, too, has intensified enterprise evaluation of data security systems and processes.

But whether you take the view that businesses are challenged to keep one step ahead, or believe they will forever be playing reactive catch-up, Flame is unlikely to be the final iteration of cyber attack. It is vital, however, not to lose sight of the fact that most attacks are still relatively simple to initiate – "common criminals with the right tools", to quote an industry specialist – and the majority are avoidable through simple controls.

Forum members understand that security policies are only as good as the enforcement and education processes supporting them. They also believe that the sharing of information and experience is key to combating current and future threats. They are meeting in July to deliberate the development of security policies and welcome external input to ensure best practice is deployed.

Dani Briscoe is research services manager at The Corporate IT Forum
