Johannesburg, 14 Dec 2010
A tough economic year has seen the risk profile of most South African businesses sharply increasing. Unfortunately, 2011 will be no different and no less dangerous. In this article, Hedley Hurwitz, MD of Magix Integration, identifies the top 10 risks corporate South Africa will face in 2011.
1. Ineffective security posture: Businesses have not yet aligned their business and IT strategies, and all too often they function as separate entities. Any enterprise needs to define a holistic security posture that identifies and mitigates the vulnerabilities specific to that business. You can't adopt the same security solutions as your peers or competitors without ensuring they apply to the risks your company faces.
2. Poor internal risk management: Without insight into user activity, companies can't successfully mitigate their insider risks. Constant monitoring of activity and access is not a luxury, but a necessity as identified in the first Insider Threat survey, sponsored by Magix Integration. The survey found that as many as 71% of South African companies have discovered cases of fraud committed by their own employees over the last few years.
3. IT security still a grudge purchase: Security purchases are not simply a must-have to keep malware and hackers out, it is an investment that can protect your company's reputation, prevent productivity-sapping downtime and keep revenue flowing.
4. Security disciplines not integrated: Security should be seen as concentric lines of defence that add more comprehensive security solutions to more valuable assets with each new layer. It's not a package you buy, install and forget.
5. Insider threats accepted: Companies are inclined to buy into the need for perimeter protection, but neglect the serious threats posed by malicious and even careless employees. Today's malware can enter a system via various mechanisms and give criminals access to the company's entire network.
6. Identity theft: Identity management is a complex issue that most companies try to avoid. By not addressing the issue, identities and passwords are lost or stolen and systems are open to exploitation.
7. Lack of mobile and endpoint protection: The market is more aware of mobile and endpoint risks, but many companies are still neglecting to close this enormous vulnerability. Your company is only as secure as the smartphone your director left at the airport.
8. Unprotected networks: A lack of knowledge about the number and configuration of network devices in the organisation also leaves gaping holes. Often, in order to boost their productivity, departments or small teams will set up a wireless network without permission and without following the correct security protocols.
9. Corporate governance ignorance: Ignorance of basic policies, such as who can access what, which hardware and software configurations are allowed and what users can change, install or configure is dangerous. Often these rules are printed on a piece of paper tucked into corporate rulebooks that nobody except an auditor reads.
10. Lack of information control: The data in most corporations is a mess, with multiple copies of documents in various places with no view of who has what, where. Uncontrolled information easily finds its way into the wrong hands.
“Good intentions and a password no longer protect your data,” states Hurwitz. “Effective security relies on the appropriate access controls and authentication mechanisms combined with the intelligence to determine whether a person has permission to be doing what they are trying to do, and to raise an alert if not.”
Share