Snake oil or security solution?
Security initiatives often end up being ineffective because they are not focused on the right issues.
It has become abundantly clear in my conversations with IT managers, CIOs and other executives that there is a huge need to cut out the noise and the fluff, and direct security efforts in the right places.
As the wheel slowly turns and more companies place a higher priority on information security and protection against cyber threats, it is the responsibility of security professionals to manage this ongoing task. If security is to be sustainable and effective, businesses must understand it is an evolving undertaking that requires continuous attention from skilled specialists.
Companies today are definitely putting a spotlight on security – it is now the big buzzword in IT. Due to this, there are a plethora of new companies and solutions making a lot of noise in the marketplace. With all the flash, pomp and ceremony companies are being bombarded with, they need to ensure they are not just being sold a shiny bottle of snake oil.
So, let's use earplugs and cut out the noise in order to unpack the situation and focus. Firstly, threats change regularly, so the need for a modern approach to security is so clear, right?
"The traditional methods of securing enterprises are effective to a point - a very small point."
Well, one would certainly think so, but then why do companies insist on doing things the same way as they always have. Installing anti-virus software and firewalls are not security. They are merely a layer in what should be a much bigger picture. The traditional methods of securing enterprises are effective to a point – a very small point.
Firewall and intrusion detection systems protect the perimeter; they stop the hackers from getting in and stealing data or money, or do they? Perhaps this was true in what my teenage daughter refers to as the "olden days" – the days when everybody came in to the office, logged on to the network and did their work. At the end of the day, they would shut down their machines and switch off their monitors and go home.
Anybody remember those days?
Back in the day
There were no remote connections to enterprise systems from home or a coffee shop. There was no free WiFi in a shopping centre or guest WiFi when visiting customers. In the olden days, servers and other business solutions were located in the server room down the passage; in-house data centres held everything that needed protection; and the IT team ran in and out of there to switch cables or reboot a server when it ran slowly. Visitors were proudly shown the view through the window so one could brag about the symmetrical cabling and new air conditioners above the perfectly white elevated floor.
This is not the case today, where it is more likely some information and business systems are located off-site and not resident in the traditional internal data centre. Consumer and business cloud services are everywhere, whether this is something like Office365, AWS or perhaps a company's own hosted server sitting out in the wild, also referred to as the cloud. It is now clear, with a noise-free focus, to see the olden days are gone. People today have become next-generation without even noticing it.
Users are accessing and working from new places on a daily basis, yet businesses naively persist in relying on old anti-virus software and firewalls to protect their information and data. The simple truth of the matter is if this worked, there would not be the daily reports about the latest cyber breach or the conversations at social gatherings about who was hit by ransomware and how or whether they paid to get their data back or not. Perhaps businesses would also not have the unfortunate case where a former sales director allegedly stole the entire customer list and pricing structure before moving to a competitor.
Why is it that business is focusing on the wrong things? It is because of relying on the wrong people.
Modern day IT managers are already under immense pressure – they are expected to be magicians. The unfortunate diligent IT wizards are usually tasked with ensuring the IT environment runs optimally to service the needs of the business. They are then also suddenly responsible for the security of all systems and making sure the users comply with acceptable usage policies and information security guidelines. They are also told to ensure there is business continuity and a working disaster recovery plan in place, as well as ensuring the correct backup and restoration procedures are there – checked and managed every day.
The hapless IT magicians are also in charge of managing the IT support staff – or outsourced teams – to ensure server uptime is not interrupted and firewalls are working. Today's IT guru must also check logs, survey events and answer the questions on compliance from management and the auditors. And, of course, somebody needs to make sure security is not forgotten about.
It is also necessary to conjure up an unbreakable force field to keep the pesky hackers at bay. All too often in South African mid-size businesses, this ‘team' of magicians is made up of one person.
The business is happy to spend money to have a specialist company come in to water the office plants or perform cleaning services. Many will have highly specialised companies being paid to do their social media, SEO, marketing and PR. But, amazingly, they don't look at a specialist cyber security organisation to secure their entire business, promote visibility and protect against cyber threats to reduce risk.
Why would that be the case in a focused, noise-abated environment? The answer is because companies think they have the magic bullet – the IT magician.
Research has proven IT is ill-equipped to perform this task alone, not because it doesn't want to, but because there are so many other things to keep running on a daily basis. The time has arrived for companies to get help and get real about what they are actually doing to secure their businesses. IT professionals are amazing, but they need support from the business to do their jobs. My advice is to let the security specialist organisations do the security work and let IT keep the information technology running.
Companies failing to do this either due to naiveté or budgetary concerns may not even be aware they have already been breached – and the losses can far outweigh assessing a suitable budget for the right advice. The worst nightmare for business owners is not knowing about a breach until they cannot access any of their servers, and have to go to customers to say "sorry, we'll be right back", with the real question being: "When will we be right back?"
This article appeared in ITWeb - Click here to view
- Hits: 1056