Businesses need basic security controls
Many business customers are simply not doing enough to protect themselves against data security incidents, warns Garry Sidaway
Security breaches happen every minute but it's only the high-profile organisations hit by attacks – such as Adobe, Target and eBay – that make the headlines.
Attacks are happening far too often and enterprises are not doing enough to protect their data. Malware infestations, though, are often down to businesses missing basic controls such as anti-virus and effective vulnerability life cycle management.
To make matters worse, half of the vulnerabilities detected during scans have had patches available for at least two years, some for more than 10 years. Yet businesses had not installed them on even their more critical assets.
Many organisations are falling behind, although they could save time and money if they took basic measures to minimise their risk. The threat landscape will also keep changing and developing, and more advanced controls need to be built on top of a strong foundation.
At the very least, assess the biggest risks first, validate and implement the right controls, and ensure they are actually in place and tested regularly for effectiveness. This includes maintaining configuration, patching, and vulnerability mitigation.
Vulnerability scanning is one of the most important basic measures. However, too many organisations aren't running scans, even though automated options are available.
These scans can be analysed to produce insight into how attackers might gain access to critical assets.
Vulnerabilities also need to be assessed against the risk to the business so resources can be allocated in a proportional manner.
Incident response planning is also ignored by most firms, yet it is vital for minimising the impact of a breach. A well-defined and regularly updated plan, recognising that security incidents will happen, means organisations will be better prepared.
Organisations collect a wealth of data but most don't have the resources or skills to analyse it. Too often we have found that logging and SIEM are a tick-box exercise; no analysis or correlation of logs takes place.
Tracking and correlating logs regularly and consistently can help organisations manage risk and understand attack patterns.
More companies are, however, outsourcing support to a managed security services provider to help them with these issues.
Garry Sidaway is global director of security strategy at NTT Com Security