Many companies are still following outdated principles when it comes to information security.
So says Websense chief information security and strategy officer Jason Clark, speaking at the ITWeb Security Summit yesterday.
"It is costing us way too much to protect information and costing the bad guys way too little to break in," said Clark.
Websense, which is based in San Diego, California, specialises in security software, protecting organisations from cyber attacks and data theft.
According to Clark, innovative thinking is needed when it comes to data security. "Using outdated methods will help you be compliant, but it won't keep you secure."
He says the number one problem most companies face in terms of data security is budget. According to research by Websense on companies' information security spending, 80% of budgets are spent on security measures such as firewalls, IDS, endpoint security and IPS. Of that money spent, only 30% is effective in securing the business.
One of the tactics employed by Websense is turning all its staff into volunteer security staff, says Clark. "We ask them to report anything out of the ordinary - a weird phone call, a suspicious e-mail, a colleague doing something dodgy; anything that doesn't seem right to them. The best one of the week gets awarded with $100."
Going back to the user and asking them the right questions is a tactic for next-generation security, says Clark.
According to Clark, the most important aspect when it comes to information security is threat modelling. "Break down exactly what is your threat - this is how the bad guy is going to get in and this is how he is going to get data out," explained Clark.
Clark suggests mapping the threat according to seven attack stages (recon, lure, redirect, exploit kit, dropper file, call home and data theft) to enable real-time protection. "Next-generation security is about real time. People are still investing too much money in passive security."
Following recent attacks can also provide valuable information on protecting your data. "Find out what methods and techniques were used and apply that to your own security model."
Share