Every company has limited resources, but security improvements don’t have to be costly or painful. They just need a few tweaks.
“The biggest challenge is resources, and split that down into time, budget and the people in both the headcount and the expertise,” said Richard Ford, the UK technical manager for Integrity360.
It’s a difficult balance to achieve. On one hand, you have the protection of your business to worry about, while on the other, you have a business to run. The smaller you are, the fewer resources you can allocate to security as a whole. That doesn’t mean you should put it to the side, only that you need to be smarter about it.
“There’s a big drive for business agility, cloud is not a new term or idea, but it paints a picture that you can put everything from a board level view – we should be implementing these yesterday and get the business to grow and increase its productivity,” said Ford.
“There needs to be a little bit of forethought about what that means for the business, how that’s being secured because you’re opening up your business to enable your employees to have this always on, open access to all their data.”
Managed security services are one of the major services Integrity360 offers. As Ford put it, “nobody has infinite resources of cash, people or time” within a business, so the focus should be on what its real strategy should be. Once you have that, you can put together a security road map that allows you to put a control policy in place.
It’s not about giving a strategy an overhaul; it’s about adjusting it so it stops being a box-ticking exercise.
“In many cases, it’s just tweaking their models,” said Ford. “There are tools and processes you can put in place . . . you either got them already or you just need to change how your process works, put a few controls in or monitor a few controls, they’re going to make a world of difference to your security posture and reduce your security risk.”
In that race to meet regulations, it’s very easy for such changes to be made for the sake of it. Doing that will only hurt the business in the long run as it scrambles to meet any new threat that arises over the next few years.
The key is to put together a framework that gives you a foundation to work with. Once you have that, it’s easier to make adjustments when necessary.
“In many organisations, they get bogged down trying to meet the security compliance and lose sight of why the compliances are there because it’s usually from a security point of view,” said Ford. “It becomes a box-ticking exercise, but working with a security framework, you can measure yourself against it, and you’re guided by something that’s constantly updated”.
To add to that, education is a major key to improving your security. Employees can fall into the box-ticking exercise as much as businesses themselves, adapting processes but not really understanding why they’re there in the first place.
Education doesn’t end with good practices; it also includes what you should do when you’re hit by an attack, since good security treats successful attacks as a ‘when’ instead of an ‘if’.
“Within the security industry, there has been a big push to try and change people’s approach,” said Ford. “We’ve been moving towards advocating ‘you can’t prevent everything’, because prevention relies on knowing what you’re going to prevent”.
“We’ve moved into a world where hacker tools and malware are constantly changing and being developed at a high rate, sold and recompiled so it becomes difficult to spot . . . what we’re seeing from our customers is they’ve come round to the idea that they’re not going to prevent everything. You need to have strong prevention capabilities as much as possible, but you have to accept that you can’t stop everything”.
“Once you’ve accepted that, the mindset changes and so does your strategy around security . . . that’s where a big change and requirement among our customers has been largely focusing on detection of successful attacks or malicious behaviour and be able to react to it in a timely manner”.
With the GDPR regulations being a major focus for Integrity360 and its clients, much of its time has been spent on helping customers assess what it means for them. The other side of it is its managed security service, where it plans to increase its capabilities and coverage over the next 12 to 18 months.
The security landscape has changed for businesses, but on the bright side, the number of services they can rely on, from a technology or consultancy perspective, has risen.
“[With businesses working] on budget, it’s getting to the point where it’s very, very difficult for organisations to go completely alone, hence us moving into management services a couple of years ago,” he said.