Cyber crime is one of the biggest issues facing organisations today. While we shouldn’t be distracted by the breach or exploit of the week, it’s evident attacks can affect any business. The increased media attention around data security has meant that IT decision makers are prioritising security in 2016.
This post is part of a two-part series that looks at some of the specific areas we have found companies are looking to prioritise this year.
Basic security controls
Sadly, far too many breaches have occurred this year that could have been prevented with clearer implementation of best practice. As a minimum, organisations should put in place the basic security controls in order to mitigate the risk of a successful breach. Too many organisations are still ignoring these fundamentals. In fact, our Global Threat Intelligence Report found that more than three-quarters of the identified vulnerabilities were known for more than two years and almost 10% were 10 years old.
Ongoing patching and maintenance of systems is therefore an absolute must. Additionally, a robust incident response plan is essential. Should a breach occur, the organisation must respond quickly to both mitigate the issue and confidently communicate with its customers. In essence, businesses require a blended and well defined approach to people, process and technology for overall security and ongoing risk management.
There is still a huge skills shortage within the security industry, which means every business decision maker should be proactively working with their industry peers to develop the skills and awareness partnerships needed to bridge the gap.
Training programmes can help, although this needs to be action-oriented education: as a result of training, behaviours within the organisation change. Our first Risk:Value report, which we conducted at the end of 2014, showed that while senior managers saw a data breach as bad for business, many of them regarded it as someone else’s responsibility to secure. It is therefore important to recognise that everyone in an organisation has a role to play in keeping data secure from an attack. The finding suggests that training and education can help “shift the dial” in generating awareness and creating a sense of collective responsibility. Again, this is akin to getting the basics right – defining processes and best practice, along with regular system updates, makes a significant difference to the security of data.