What Issues Should Network Security Decision Makers Focus On ?

Posted by Geraldine Hunt on Thu, Apr 24th, 2014

The threat landscape is becoming more serious and decision makers must focus increasingly on protecting their critical assets through improved training of employees, better security procedures, and improvements in their security technology. In this post we highlight a number of important areas that IT decision makers need to focus on to improve their security posture. 

1. UNDERSTAND THE SERIOUSNESS OF THE THREAT LANDSCAPE

Many decision makers, particularly those in smaller organizations, may not appreciate just how serious the threat landscape has become.  For example, the Verizon 2012 Data Breach Investigations Report (DBIR ) found that in 2011, 58% of data theft was tied to activist groups, and that 81% of all breaches used some form of hacking to generate the breach – findings about which many decision makers may not be aware. 

Moreover, Verizon’s researchers believe that 2014 will see what the organization calls “low-and-slow attacks” focused on authentication attacks and failures, social engineering and various Web exploits.  It is important to note that the threat landscape is changing rapidly, with hacking and malware offering a much greater likelihood of generating a data breach than was the case when many security systems were deployed. 

2. UNDERSTAND THAT CORPORATE DATA AND FINANCIAL ASSETS ARE EXTREMELY VALUABLE

Decision makers must also understand just how valuable their data is to a hacker or other cybercriminal.  For example, US credit cards sell for US$2 to US$6 on the black market, while credit cards in the UK sell for US$4 to US$6 each.  Access to consumer bank accounts will sell for 5% to 10% of the current cash balance.  Trade secrets can be worth millions of dollars.  The bottom line is that customer data, intellectual property, and access to corporate financial accounts is extremely valuable to cybercriminals – the value of these data assets must be taken into consideration when making decisions about how much to spend securing these assets. 

3. USERS NEED TO BE TREATED AS THE FIRST LINE OF DEFENSE

While much of the discussion around security focuses on the technology and systems that must be deployed to prevent malware infiltration, data breaches, DDoS attacks and the like, decision makers must realize that users are truly the initial line of defense in any security system.  Users must be appropriately trained to be suspicious of suspect emails or social media posts and not to click on links contained in them unless they are certain of their validity.  Users need to be trained not to bring an email message out of a spam quarantine unless they are sure that the message was placed there improperly.  Users may be trained about the proper use of social media and other tools that could compromise corporate security in some.  In short, users are a vital element in any security system.  They cannot be the final link in the security chain, since security systems are essential to maintaining an adequate defensive posture, but users are certainly an important part of a sound defense.

4. POLICIES FOR MANAGING USE OF APPLICATIONS AND PLATFORMS ARE OFTEN DEFICIENT

All organizations that seek to protect their users, data and networks from malware and other threats must establish detailed and thorough policies about acceptable use of all of their online tools:  email, social media, other Web 2.0 applications, collaboration tools, instant messaging, smartphones and tablets, flash drives and simple Web surfing.  Successfully addressing these issues must begin with an acknowledgement of the threat landscape and the corresponding policies about how tools will be used before technologies are deployed to address the problems.  That said, most organizations have not created detailed and thorough policies for the various types of messaging and collaboration tools they either have deployed or allow to be used.  

5. DRACONIAN CONTROLS WILL NOT WORK

Decision makers must realize that simply imposing prohibitions on the use of any tool not implemented by IT is unlikely to be effective, since many users will employ them anyway – this is particularly true for employees who work from home periodically and/or use their own smartphones, tablets or applications to do their work.  Even if these controls are effective, they may be counterproductive.  For example, a policy prohibiting the use of social media tools like Twitter or Facebook may seriously impact a marketing department’s effectiveness at building the corporate brand; similarly, not allowing the use of unauthorized file transfer tools or personal Webmail may prevent users from sending large files to prospects or customers in a timely manner.