'We are failing at infosec'
Local companies are failing at information security because they follow a tick-box compliance approach, said Reino Mostert, a security analyst at Telspace Systems.
Mostert, addressing a delegation at ITWeb Security Summit 2015, in Midrand, yesterday afternoon, noted massive hacks have recently made headlines, such as those against Sony and eBay, and South African companies are just as vulnerable.
Mostert said this is because there is no such thing as a perfect security solution, and adequate defence solutions do not exist.
The more complex a company and its systems - and the more staff it has - the more vulnerable it is, he noted. The hardest penetration test Mostert has done was at an SME, which only had five servers and 15 systems, but all of them were patched and the anti-virus was up to date.
By comparison, Mostert said, the average enterprise can be invaded within two hours. "It's just the scale of things."
However, there are aspects that enable large enterprises to become more security-efficient, he advised. These include:
1. Only define policies that can be enforced. Many companies have password policies, but staff end up using entry keys such as "pasword1", because it is easy to remember and complies with the policy. Yet, it is easily hackable.
2. Make the path of least resistance the default one. Companies want to enable the business and not be hindered by long passwords or the inability to use file-sharing services. Tricks such as making it a policy for passwords to be sentences, such as "Ilovemywifesue", ensures password complexity but does not hinder business.
3. Make sure the company knows what servers it has, and do not keep this information in a spreadsheet.
4. Use automation to ensure cumbersome processes, such as dealing with help-desk tickets, are resolved.
5. Do real security, not just compliance. Don't just tick the box that says the door has a lock when the key has not been turned. "Measure actual security by whether you can get in or not," Mostert warned.
Security is an IT issue, and needs to be done properly as an IT process, without hindering business, he concluded.