
Security breaches not caused by bad luck

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 19 May 2016
Head of corporate information security governance at Telkom SA, Steve Jump.

Ninety-six percent of all reported breaches could have been prevented if existing company policies and controls had been followed, said Steve Jump, head of corporate information security governance at Telkom SA.

Jump's comments are in light of the recent security breaches witnessed over the last six to nine months.

Delivering his presentation, titled "The Science of Security Information", at ITWeb Security Summit 2016, at Vodacom World in Midrand yesterday, Jump said most people don't realise that information security doesn't just happen.

"A lot of people have come up to me and said but I have done all the things you told me to do, but I am still in trouble. Am I just unlucky?"

He explained that an information security event or incident cannot be described as just bad luck. "Luck and information security do not play nicely together."

According to Jump, organisations tend to pin their security breach on bad luck or Murphy's Law.

Murphy's Law is just an excuse that organisations may use if someone asks why things went wrong. In fact, what this means is that the organisation didn't prepare adequately for an anticipated situation, he stated.

"In the information security space, the whole point is that we should be anticipating a range of possible predictable happenings.

"We keep saying when the bad people try to bring down our systems or breach our data there is some degree of expectation that they will be doing this, so why should we not be preparing for it?"

The security tools needed to keep businesses safe are all there, and there is no shortage of people offering companies a solution to their security problems. However, just having security systems in place doesn't mean businesses are cyber secure, Jump continued.

"You may think you are hiding behind certain security umbrellas and they are keeping all of the bad stuff out, but in reality, in most of the reported security breaches it was established that the security breach that made the headlines did not happen the day before but rather had been happening for more than a year before it made the headlines."

Jump further advised that before protecting an organisation, you have to ask: what information are you actually protecting?
