Stephan Berner, CEO of Help AG, outlines some of the critical initiatives regional organisations can adopt to deal with the ever-changing threat landscape.
With the prevalence of data loss and the proliferation of Web 2.0 applications, mobile computing and the rise of sophisticated, blended attacks, businesses, regardless of their size, are struggling to keep up with the evolving threat landscape. How can companies in the region mitigate these risks?
I have a saying: 'there are many people who want to take a shower without getting wet'. If you want to do something, do it right. Yet organisations today fail because they don't really know what they are doing, due to a lack of visibility into their information security, and if you cannot see, you will fall into a dark hole.
Data Loss Prevention, for instance, is much hyped these days, but everyone is misusing the term, and it is currently treated as an IT project by the IT departments of many organisations. I am faced every day with the fact that many people still do not take information security very seriously, but when it comes to information security there is no half-baked solution: do it right or not at all. Given that the threat landscape is evolving, information security as a subject needs to be taken much more seriously across all layers within the organisation, starting at the management level. You can only control and mitigate what you are aware of. The lack of visibility into confidential data, coupled with missing policies, procedures and processes, leads to critical situations and severe security incidents. Visibility of information and data is the key, yet in most situations today there is visibility into point-to-point communications but not into the communications as a whole.
Organisations need to assess, manage and treat the risks in line with their aligned business and IS strategy. This can be achieved by introducing and maintaining an Information Security Management System according to ISO 27001, and by focussing on the technical security controls as well.
To mitigate the risk you need to have the right visibility. What we see with our end customers is a huge lack of security procedures and processes. If a security-related incident happened within a customer's organisation today, in most cases there is simply no incident handling in place. The customer might discover that there has been an attack, but nobody knows what the next steps should be.
A broad spectrum of IT people, including those close to security functions, appear to have little awareness of key security issues impacting their organisations. How important is security awareness and education?
As a matter of fact, in information security we are always late! This has to do with the dynamic and changing environment. Therefore security awareness and education have become a necessity.
Generally, employees are good network citizens. Yet it is employee behaviour that is the primary source of costly data breaches. Speaking of Data Loss Prevention, more than 75% of the incidents are related to employees' unintentional mistakes, driven by the lack of awareness and education. Actually, only around 10% of data loss is related to malicious code! These good network citizens, without having any bad intentions, compromise the information security of their organisations.
The only secure system is the one that's unplugged, turned off and locked in a safe. Since it's not practical to leave our systems turned off, we need to understand the risks and prepare ourselves to defend them. Preparation begins with understanding, and that's where awareness kicks in. The human factor is the biggest threat to any information system. IT security heads should raise awareness within their organisations themselves, train and educate everyone who somehow interacts with computer systems and information, and propagate at least the basics of information security.
Any implementation of a security policy should be followed up with an awareness campaign for the users, especially within a big enterprise where daily interaction between IT and the users may not be achievable. Most users will accept the limitations implemented in a security policy when they understand why, but if they don't understand why, it is easy for them to forget or neglect it. An awareness campaign doesn't need to be an expensive or time-consuming exercise. As an example, one of our clients is promoting the five best practices of its security policy through a centrally controlled screen saver, which means that it can deliver the message to all employees through a non-disruptive and easy communication channel.
What are some of the challenges related to new opportunities such as cloud, social networking and mobility? Do you think existing security tools can deal with the risks posed by these new emerging technologies?
To me, social networking and mobility are not really new opportunities but rather already a part of our lives. People have been using Facebook, for instance, for a long time already, and the same goes for iPhones and BlackBerrys. However, when it comes to applying the right security levels, organisations are reluctant to enforce them. It can be either because the controls are not seen as user-friendly or because they are seen as too complex to manage, which in reality is not really the case. Actually, most of the available solutions, especially those for application-based requirements, follow the concept of simplicity, which is the reason why Palo Alto is becoming more and more successful.
Security tools are always available and capable of dealing with the new risks; it is the organisations that are not. Usually, if you look at the kind of customers we're dealing with, we always have exceptions like VIP users and VVIP users, where the common pitfall is that the security policy is not applied to all individuals in the same way. For example, VIP users may be exempt from the policy because IT security managers are reluctant to enforce any controls on these individuals. However, these people now become a great risk to the organisation, especially because their user profile typically has very extended access to information. For example, the CEO of an organisation holds a lot of information and should probably be the one in the organisation with the least access; however, often he is completely exempt from controls. At the end of the day this puts the organisation at risk, as well as the CEO.
Do you think currently IT security regulations and standards are adequate to keep pace with the fast changing threat landscape?
These standards are either international, like ISO 27001, or local, such as ADSIC (Abu Dhabi Systems & Information Centre). Before anything else, these are frameworks that help enterprise customers and government entities establish an organisational and technical baseline. The standards cater for most of the requirements coming from the market; they do not dictate to organisations how they should do things, they simply assist in identifying what needs to be done.
These standards are going through revisions to handle some of the changing threat landscape. They are definitely not as dynamic as the IT industry itself, and they shouldn't be: if you build a house, you do it with the objective of living in it for years, not months. Dr Angelika Plate, who is the Director of Strategic Consulting at Help AG, is also the chairperson of Standard Committee (SC) 27, which describes the Information Security Management System (ISMS), and is actively involved in developing and revising the standards, so we have a pretty good understanding of that business consultancy market segment. Typically it takes three to four years to revise a standard. Of course, if you compare that to the fast-changing threat landscape, a standard is not going to address all security threats, but it was never developed with this purpose in mind, because it is a framework, and this framework is going to make sure that customers know how to manage their information security whenever an incident happens. The international standard wasn't designed to be technical in nature in the first place. ADSIC, however, is much more technical.