360 degree view of risk, compliance
If organisations are to mitigate IT risks, they must have a 360 degree view of risk and compliance within the organisation.
So said Michael Aminzade, director: delivery for EMEA and APAC at Trustwave, in a keynote address at the ITWeb Governance, Risk and Compliance 2014 Summit at The Forum, Bryanston, this morning.
He revealed that this can be achieved by having a six-pronged approach focusing on management and governance; policy and procedure; security maintenance; technical controls; physical security; as well as business strategy.
On management and governance, said Aminzade, organisations should ask themselves if senior management's level of involvement is defining the organisation's level of risk and if there are necessary disaster recovery solutions in place.
Regarding policy and procedure: "Ask yourselves; do we have the structures in place to enable employees to report security incidents; and are we fully aware of our legal responsibilities?"
For security maintenance, he said, organisations must be able to test their business-critical applications and systems and must also have a change control structure in place.
In addition, enterprises must have the necessary technical solutions and controls in place to prevent unauthorised access to their systems and data, Aminzade pointed out, adding that how organisations monitor and control their business-critical and data storage centres is also critical.
He noted, as well, that businesses must consider how they store and process sensitive data; and how they manage access to that information for either their remote employees or third-party vendors.
"You have to understand the threat landscape that you operate in," said Aminzade. "IT risk is a global problem as long as you are connected to the Internet. As long as you are connected, cyber criminals do not care where you are."
According to Aminzade, it is worrying that most businesses are taking too long before they detect that they have been compromised - the average time being 210 days for a typical organisation to detect a threat.
He also revealed that the top targets for cyber criminals are e-commerce sites (48%); followed by point-of-sale machines (47%); data centres (4%); and ATMs (1%).
Aminzade also noted that cyber criminals are more and more targeting mobile devices. "Since 2012, mobile malware has increased by 400%."
The weakest link for cyber criminals is employees and users, he revealed, pointing out that some of the frequently used passwords the criminals target include Password1, used by 38.7% of users; password (34.5%); Welcome1 (16%); 123456 (12.6%); and P@ssw0rd (11.8%).
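The defensive counterpart to the password statistics above is a banned-password check at account creation or password change. The following is an added example, not code from the article or from Trustwave: it builds a small denylist from the passwords named in the talk (a real deployment would load a much larger breach-derived list, which is an assumption here) and folds case, common character substitutions and trailing digits so that variants such as "Welcome2" or "P@ssw0rd" are caught as well as the exact strings.

```python
import re

# Constructed denylist seeded with the passwords cited in the talk.
# Assumption: production systems would load a far larger list from file.
BANNED_PASSWORDS = ["Password1", "password", "Welcome1", "123456", "P@ssw0rd"]

# Assumed minimum length; tune to your own policy.
MIN_LENGTH = 12

# Common "leet" substitutions folded back to the letters they stand in for.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

# Trailing digits/symbols that users tack on to satisfy complexity rules.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*?._-]+$")


def candidate_forms(password: str) -> set:
    """Return the set of normalised forms a password can be matched under.

    Forms: lower-cased; leet-folded (skipped for all-digit strings, where
    folding would be meaningless); and each of those with trailing
    digits/symbols stripped. Both the denylist and the candidate password
    are expanded the same way, so "Welcome2" collides with "Welcome1"
    through their shared base form "welcome".
    """
    low = password.lower()
    forms = {low}
    if not low.isdigit():
        forms.add(low.translate(LEET_MAP))
    for form in list(forms):
        stripped = _TRAILING_JUNK.sub("", form)
        if stripped:
            forms.add(stripped)
    return forms


# Pre-expand the denylist once so each check is a set intersection.
_BANNED_FORMS = set()
for _entry in BANNED_PASSWORDS:
    _BANNED_FORMS.update(candidate_forms(_entry))


def check_password(password: str):
    """Return (accepted, reason). Rejects short passwords and any password
    whose normalised forms overlap the expanded denylist."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    hits = candidate_forms(password) & _BANNED_FORMS
    if hits:
        return False, f"matches banned password via form {sorted(hits)[0]!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the cited passwords plus two variants and
    # one passphrase that should pass.
    for pw in ["Password1", "P@ssw0rd", "Welcome2", "123456",
               "correct horse battery staple"]:
        ok, reason = check_password(pw)
        print(f"{pw!r:34} -> {'accept' if ok else 'reject'}: {reason}")
```

Expanding both sides of the comparison with the same normalisation is what makes the check robust to the cheap variations users (and attackers' wordlists) rely on; the leet map and trailing-junk pattern are deliberately small here and are the part to extend when adopting the check.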
Aminzade also noted that cyber criminals are increasingly targeting today's business enablers like Web and social media; mobile and BYOD; Web and mobile applications; and big data.
He explained that the level of skill sets within organisations is not able to keep pace with the rate at which new business enablers are coming into the enterprise, and cyber criminals are looking to exploit that.
"With the increasing complexity of the threat landscape, organisations must have a holistic view of security," he concluded.