2011 featured plenty of news about high-profile data loss and cybercriminal activity. And so did 2012. Any guesses for 2013?
Some common causes emerge in all of these cases. Poorly managed infrastructure, insecure web applications, and a lack of attention to security procedures are often cited.
But how do these conditions arise? How is it possible that otherwise capable and competent organisations fare so badly?
Our work with clients around the world gives us a privileged insight into the security infrastructure of numerous organisations, from the largest to the smallest, and from the simplest to the most complex. In all cases where data loss or compromise has taken place, common themes emerge.
Here, then, are seven significant warning signals to look out for. Why not score yourself?
- Management belief that it’s getting harder to defend your data, and the bad guys will get in anyway if they want to. This unfortunate attitude is especially dangerous if it comes from the top of the organisation. It indicates a lack of understanding of security issues as well as a disregard for the information assets of the company.
- Internal memos stating that “security is everyone’s responsibility”. Organisations should adopt internal programmes to raise security awareness but this is a different kind of message. It says “Security is nobody’s specific responsibility”. It makes about as much sense as a team where everyone is the manager.
- There is no IT executive who can articulate the relationship between the terms “regulatory compliance” and “corporate information security”. If an exec is confused by the difference between an audit standard and the protection of the company’s valuable data assets, then the organisation is already at a disadvantage.
- A security team who are so difficult to work with that the business simply ignores them. It is an unfortunate fact that there sometimes exists an “us and them” attitude, and it can emanate from the infosec team. Security has to support the business, rather than be tolerated by it.
- A compliance project that only extends to achieving compliance rather than maintaining it. PCI compliance, for example, is re-validated once per year. But PCI DSS requires that a compliant state is maintained at all times, not just on the day of the assessment.
- Blind faith in security products. Security products are a useful and often essential part of a secure infrastructure. But it’s vital that organisations have the skills to configure, operate and react to the events that such products detect and disclose. Otherwise, they are a waste of time and money, or worse, a source of false or incomplete information.
- The use, in any compliance or security discussion, of the phrase “ticking the boxes” to describe the validation of a compliant or secure environment. This last point is included to underline all of the others. “Box ticking” suggests an attitude to security that takes no account of what is actually going on. It suggests that instead of real, practical implementation of policy, we have a discussion-based activity. A piece of paper rather than observable evidence. It pays lip-service to real security and it is to be avoided.
How did you score?
0 – Congratulations, you’re running a tight ship. In fact you’re so busy you probably haven’t even read this post.
1-4 – Security probably feels like an uphill struggle right now, but it gets easier as you improve.
5-7 – Unfortunate. Even though no box remains unticked, there’s still work to do.