Improvements in security technology have made security environments easier to manage, but this convenience is taking a toll as too many organisations neglect to implement incident response plans and other complementary procedures, the head of NTT Com Security has warned.
Gary Sidaway, global director of security strategy, told CSO Australia that the accretive approach to security pursued by many organisations had left patches of unidentified risk throughout the structure of the average company.
“From a client perspective the way they work together will be different tomorrow and the threats they face different tomorrow,” he said. “Bolting on technologies and point solutions clearly hasn't worked in mitigating that threat, and you've got to take a different approach to security and risk management.”
The company's recent NTT Group 2014 Global Threat Intelligence Report evaluated, among other things, the extent of this complacency and found that the predominance of 'good enough' security investments had left organisations vulnerable to determined hackers who “maintain constant pressure on the perimeter of the organisation until it is compromised”.
In many cases, that pressure is focused on one particular endpoint: NTT Group's analysis of more than 3 billion attacks found that 43 per cent of incident response engagements were the result of malware attacks against a specific endpoint. Open environments such as schools, where endpoint devices vary and controls are harder to enforce, were penetration hotspots, accounting for 42 per cent of all malware events.
“While businesses drag legacy security along, cyber-terrorism and criminal enrichment are carrying the attacks forward at a furious rate,” the report's authors warn. “Fighting back with traditional solutions is a failing strategy as attackers pour resources into circumvention, and skip over the defences to exploit the more lightly defended interior.”
The results can be devastating – a single unsanitised field on a Web form paved the way for an automated SQL injection attack and cost one organisation mentioned in the report over US$196,000 – yet the institutional complacency around security technology means that 77 per cent of the organisations studied had no incident response plan.
Many organisations still don't even know what their legacy applications are doing, Sidaway pointed out: “someone wrote them 10 or 15 years ago, and people don't want to touch them and they're not quite sure what their users are doing,” he said.
“We start by taking that complexity out and simplifying it; that has been successful for us in helping them simplify those security architectures. It's about identifying the projects that make sense to an organisation, and aligning them from top to bottom.”
Tightening up the security controls for this interior should be a key priority for any company, the report warns, with employee engagement “vital” and application development strategies needing to build security into applications from the beginning.
“Security organisations have vast challenges under the existing security operational model to maintain wrappers around data objects especially when external and internal environments are addressed differently,” the report's authors warn.
“Security's responsibility is to ensure continuous business operation in vastly different environments than legacy capabilities are designed to manage. Security done right needs to move to the next level of investment so the basic embedded security fabric is the corporate way of doing things, rather than the ugly stepchild to business as usual.”
Companies where security policies have been tightened and are updated on a continual basis – for example, in companies adhering to Payment Card Industry (PCI) standards for protection of credit-card details – were able to remediate security issues 35 per cent faster than those without such regulatory requirements. Those with Vulnerability Lifecycle Management (VLM) processes had a 20 per cent faster remediation time.
While the benefits of better policy are hardly new, Sidaway said many organisations still struggle to deliver it in practice – particularly where the business is involved.
“Actually presenting information security as that business enabler is the challenge for a lot of organisations,” he said. “It has traditionally been seen as a cost that you can't justify.”
“Where we've had a lot of success is being able to turn it into something in terms of that business advantage,” he continued. “It enables your workforce to be mobile, to position that cost for the business, and to know that information security is already embedded in the business so the board can see that advantage.”
“Taking out complexity is hugely important; just doing the basics, and doing the basics well, significantly reduces your risk – and that is a message that's resonating with the board.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.