The IT threat landscape is becoming increasingly complex and best practice assessments are a good way to map strategy and measure the progress of IT security, an industry expert told the Dimension Data Executive Forum on information security held in Bryanston yesterday. The forum was organised by Dimension Data and ITWeb.
Gary Middleton, GM for security solutions at Dimension Data, told delegates that both policy and technology are needed to combat IT security threats.
"Corporate SA has made good strides in certain areas, but, overall, needs to do a lot more to manage and mitigate risk to an acceptable level. It is our belief that risk can be mitigated to an acceptable level with the right combination of management systems, policies and technology," he said.
Middleton claimed IT security still seems to be a knee-jerk reaction among South African organisations, and urged companies to formulate a plan that would allow them to implement a security strategy over time.
Organisations, he said, need to realise that top threats are constantly changing and are getting more sophisticated. Currently, the top three threats are perceived to be viruses, the misuse of IT resources and spam.
Threats such as phishing, he pointed out, have not yet made the top of the list, but are expected to feature as top threats in the near future.
[VIDEO]Among the challenges faced by IT departments, Middleton said, is that it is often difficult to justify return on investment on security spend, while senior management is mostly not educated about IT security and considers it an "IT department problem".
Legislation governing IT security is also complex, but increasingly important, he said.
One of the ways of dealing with IT security threats is best practice assessments, Middleton stated.
He referred to Gartner`s view that best practices can help ensure an enterprise is doing the right things, while benefits can be gained from the education that comes from researching and understanding what those best practices are, and using quantitative maturity frameworks, security managers may compare themselves to the commonly observed maturity levels of their peers.
He highlighted that studies have found that organisations that employ best practices generally suffer more security-related incidents, but less downtime and fewer financial losses, mainly as a result of closer measuring and monitoring of threats.
According to the technology recommendations in the Benchmark Report, Middleton said, organisations are urged to deploy host intrusion protection on critical servers and inline intrusion prevention systems on Internet connections and other "untrusted" zones.
"Roll-out two-factor authentication for critical business systems, and consider using hard disc encryption and two-factor authentication for executives," he said, adding that organisations should also consider "scan-and-block" technology to combat security threats.
In terms of business recommendations to safeguard against threats, Middleton said the report urged the formalisation of security structures and the compilation of a detailed three- to five-year information security strategy.
Share