A call to action on security threats
Complacency is the real threat to IT security, warns Jon Inns
One of the biggest threats to IT security does not come from hackers, malicious code or employees with a grudge. It comes from complacency – the belief of organisations that counter-measures that were applied in the past are enough, or simply that security breaches are something that happen to other companies.
Threats are getting more advanced, as we know.
The IT threat landscape is still evolving constantly. Organised criminals are getting bolder, and malware more sophisticated. Attackers are continually finding new ways to circumvent security infrastructures and controls, get into the network, and reach data and other sensitive information.
Complacency is often why organisations find themselves in difficulties. The consequence of taking a nonchalant approach to protecting IT infrastructure is that by the time they realise a threat has emerged and something needs to be done, they are running to catch up.
Sometimes complex system changes that should be subject to careful change management processes and procedures remain untested.
More worrying still, organisations have not considered the impact a breach would have on the business, and have not prepared themselves, or their change processes, in a way that will allow them to respond quickly.
Security breaches are inevitable. Given the way that threats are developing, it is a fair assumption that most organisations will experience a security breach at some point, if they haven't already.
The correct way to deal with this is to acknowledge the likelihood, analyse the probable consequences and formulate a response.
Companies that remain complacent will continue to do what they have done in the past – ignore the issue. However, new laws are applying increasing pressure to organisations that take this attitude.
Furthermore, ignoring the issue will only delay an unavoidable incursion, one that will have a significant and probably uncalculated impact on the business.
Historically, there has been a fair bit of burying of heads in the sand. Leaders, particularly in certain sectors, have held onto the belief that IT security is not so important to their businesses and have deprioritised it.
They don't think they have any data worth stealing; as a result, they have been slow to react to IT security developments and issues.
The importance of security often only becomes apparent after a breach has occurred and sensitive data has been exposed.
On the flip side, there have also been industry sectors that have prioritised security and have been very proactive in their approach. Unsurprisingly, this is more typical in the obvious high asset value industries, such as finance and central government, where there are tangible consequences associated with data loss.
Good security practices need to be led from the top. The only way forward in banishing complacency is ensuring that IT security gets executive attention. It is no good having the engine room concerned with security when the boardroom does not understand it.
IT personnel alone cannot change the security posture of the company; only management can do this, so buy-in and participation is essential at the highest levels.
The security programme for your customers should be developed in light of a close analysis of how security is structured within the organisation, identifying weaknesses and developing solutions to address them.
In addition, the people who actually use the IT systems must be considered alongside the technical security controls themselves. Executives must be prepared to tackle the problem and be willing to assign resources, people and budget to make it happen.
Jon Inns is director of product management at Accumuli Security