Know Your Enemy, Know Yourself
Information security breaches are happening at an alarming rate to organizations around the globe. In 2014, one billion data records were compromised in 1,500 attacks. Sadly, many companies will fall victim to attacks, often without even knowing an intrusion has occurred.
Why does this happen? Is it because the companies have not put appropriate measures in place to detect an attack? Hardly! In fact, it is not uncommon for companies to spend vast amounts of resources on firewalls and other technologies to protect sensitive data. However, that does not guarantee security. Instead, companies often make two key mistakes: they do not know their enemy and they do not know themselves. While this philosophy is taken from Sun Tzu, the Chinese military leader of the 6th century BC, it is a truism that applies to companies large and small today.
Quite simply, knowing yourself (or the company, in this case) provides the real means of protecting the organization from a needless breach.
The following is a sample of mistaken assumptions that many companies make on a daily basis.
Knowing Where Data Resides
Many CIOs assume that the organization’s sensitive data resides only in a few places, such as file shares, employee computers and the e-mail system. Risk assessment evaluations conducted by Digital Defense have shown that data can reside in hundreds of places, many of them totally unknown to the CIO and their security teams. This is especially true in cases of “shadow IT”, where file sharing and other cloud-based services are commonly used. Couple this with the fact that most organizations share data with their strategic partners or other third parties, and the result is data residing in locations that are hard to track and difficult to manage.
Protecting the Perimeter is Enough
Traditionally, IT departments have been in control of the computing assets of the organization. That is no longer the case. As a result, the more traditional methods of protecting enterprise data, such as firewalls, IDS, IPS and others, are insufficient on their own. Given the growing employee use of mobile devices as computing platforms and the number of companies moving to the cloud, organizations have to extend their security reach to protect sensitive information wherever it resides.
Risk Assessments Are Too Much Work
Ah, the risk assessment! The bane of many a CIO. While no one truly likes doing risk assessments, they are a necessary evil in the world of IT security. Why? It goes back to knowing where your data resides. A risk assessment helps the company recognize where data resides within the organization, who has access to it and with whom it is being shared. It also identifies the critical systems that need an extra level of protection.
Annual Testing is Enough
It’s that time of year: time to check that box and report that the annual vulnerability scans or penetration tests have been completed. If this sounds like your organization, you may be in jeopardy of a breach. Just as early detection is important to the health of our bodies, it is also important to the well-being of an organization’s network security. To reduce the likelihood of a breach, it is imperative that regular assessments be conducted throughout the year to address any new vulnerabilities that could threaten the ongoing operations of the organization.
Compliance Equals Security
It is important to appreciate the benefits of compliance-based reviews such as those associated with SOX, HIPAA, HITECH, PCI-DSS and others. However, it is also imperative to understand that compliance does not equate to security. Many organizations continue to rely on traditional methods of security, accepting regulations and compliance directives as the full extent of the protection needed. We encourage businesses to go beyond compliance by implementing a layered approach to security to mitigate risk.
My Employees Do Not Need Security Training
All too often, there is a belief that employees do not need to be trained on information security. Many organizations assume that security training for employees would have to cover the same knowledge set as that of an IT security professional. This is a critical mistake. Businesses often spend thousands of dollars on network security only to have company credentials handed over the phone by an unsuspecting employee to a malicious attacker.
Many employees simply do not understand the dangers of social engineering, spear phishing or the negative impact of malware, for instance. Employees are the first line of defense when it comes to protecting sensitive information, and they are often the first place attackers go looking for an easy way into an organization. To combat attacks, employees must be equipped through security awareness training to recognize an attempted attack and help fight back.
I Am Not a Target
All too often, companies assume that because of their size or the industry vertical they are in, they simply are not a target. In fact, all companies in all industries are targets. To put it simply, it is a numbers game for any attacker: attack as many companies as possible and find those with their guard down. Companies have to succeed every time in protecting themselves; attackers only need to succeed once.
With a proper understanding of its security posture, an organization can better understand its strengths and the security weaknesses that could open doors for an attack. These weaknesses can be addressed through technology and education. Doing so will help the organization defend against a security breach and fight back when one occurs.