Attacking cyber crime

We need to get much more serious about protecting our information.
By Alkesh Patel, Principal consultant of security and privacy services at IBM SA.
Johannesburg, 22 Aug 2006

A fundamental shift has occurred over the past few years that makes the threat of cyber crime a growing concern. While the search for causes and cures is endless, several key facts stand out.

First, there is increasingly more consumer and business data online, which is necessitated by the requirements of on-demand business. And for good reason - organisations of every size and description are automating the way they do business to cut costs, speed service delivery and reach customers, suppliers and partners more easily.

Second, despite the costs of fighting cyber crime, the Web is still the best friend businesses and consumers ever had. We're not going to scrap the Internet because of cyber crime, but we do need to get much more serious about protecting our information. Recent surveys have shown that consumers are becoming wary of doing business over the Internet. This indicates that consumers are losing trust in the ability of business to protect their private information. As a result, the implications for businesses striving for growth via the Internet and e-commerce are serious.

And third, too many organisations are still in the dark ages compared to the cyber criminals they are up against. The fact is today's cyber criminals, who often have inside experience, are outsmarting us far too often.

The real issue

Why are the cyber criminals becoming so successful?

The real question is: Who is more likely to be successful - a full-time hacker searching for a security hole into a company's systems, applications and data, or a developer, under pressure from the business to get the application out quickly, with a thousand other things to do besides plugging every conceivable security hole?

It's not that we don't have the security tools and smarts to manage the problem. The real issue is that most IT organisations are too stretched to devote the resources to keeping up with the cyber criminals - let alone get ahead of them. Worldwide, organisations spend too much time reacting to security breaches, rather than preventing them from happening. In this era of criminal-based security attacks, companies should not rely solely on traditional reactive security methods.

Many companies struggle to co-ordinate a security programme that addresses the range of dynamic elements typically found across an enterprise. The problem is that security traverses the entire organisation, from strategy to operations, systems and infrastructure. For the security objectives to be achieved, it is imperative for both business and IT to participate in a holistic, fully integrated manner.

A secure environment is essential for businesses to deliver on their brand promise to customers, to take advantage of growth opportunities and provide innovative products and services. Security management must be integral to business strategy and provide a thoughtful balance between opportunity and exposure.

Staying ahead

What does a holistic and integrated approach to security actually entail? Organisations need to consider each of the following eight security categories when defining their required programme and capabilities (which includes people, process and technology aspects within each category):

1. Governance: This is the foundation of the information security programme and ensures that information security is aligned to the business goals and needs. It provides the management framework that drives and controls the implementation of information security capabilities in the organisation.

2. Privacy: The capabilities to identify, limit and protect information containing data on identifiable individuals.

3. Threat mitigation: This includes infrastructure controls to minimise the harm that malicious code and cyber criminals may do to the enterprise. It covers monitoring, incident response and vulnerability management.

4. Transaction and data integrity: The capabilities to validate and protect transactions and data in the enterprise to ensure critical data is secure, complete, accurate and available.

5. Identity and access management: This is the cornerstone of information security, encompassing how resources are accessed so they can be protected from unauthorised disclosure or modification.

6. Application security: This addresses security within the solution development processes. It includes capabilities to protect the business from fraud, reputation loss, financial losses and regulatory violations. The overall aim is to maintain availability, integrity and confidentiality.

7. Physical security: The capabilities to prevent unauthorised physical access, interference or damage to information assets.

8. Personnel security: The task of ensuring suitable and trustworthy individuals are hired and a safe and secure working environment is maintained.

If organisations are to combat the onslaught represented by cyber criminals effectively, they need to determine: what security capabilities they need to meet business requirements; how to tie these capabilities into requirements; what levels of risk are acceptable; how to prioritise security initiatives; where to invest; and how to define roles and responsibilities to support a comprehensive strategy. Only then will they be able to stay ahead of the game.