Sunday 14 September 2014

The 5 Most Common Cyber Security Mistakes

Recent headlines confirm that cyber attacks are growing in scale and incidents are on the rise.
 
Organizations are increasingly vulnerable as a result of technological advances and a changing workplace, including remote access, big data, cloud computing, social media and mobile technology.
 
The amount and importance of data continues to grow, as does the sharing of information via online networks. Organizations increasingly open their IT systems and lose direct control of data security.
 
Today, cyber security is no longer just an IT issue — it is a challenge for the leadership of any organization.
 
Rather than focusing on technology alone to address these issues, it’s critical that management, boards and shareholders understand the most common cyber security mistakes so they can adopt a flexible, proactive and strategic approach to building an informed organization.
 
KPMG LLP recently surveyed 100 primarily C-level and senior executives in the technology industry for our 2014 Technology Business Outlook. Technology executives continue to believe that security is the biggest challenge to businesses adopting cloud, mobile or social media technologies, and almost two-thirds expect their company to spend 1 percent to 5 percent of their revenue on information security over the next 12 months.
 
In light of the recent data breach at Minneapolis-based Target Corp. and the fact that data security is one of the top concerns of many of our clients in the Minneapolis market, we’ve compiled five common cyber security mistakes that company leaders should work to avoid.
 
Mistake No. 1: “We must achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.
 
Whether it remains private or is made public, almost every large, well-known organization will experience information theft. Once you understand that perfect security is an illusion and that cyber security is “business as usual,” you also understand that more emphasis must be placed on protecting your most important information assets, in addition to improving detection and response capabilities to identify and address issues as they arise.
 
Mistake No. 2: “When we invest in best-of-class technical tools, we are safe.”
Reality: Effective cyber security is less dependent on technology than you think.
 
The world of cyber security is dominated by specialist suppliers, such as those that sell products enabling the rapid detection of intruders. These tools are essential for basic security, and must be integrated into the technology architecture, but they are not the basis of a holistic and robust cyber security policy and strategy. The investment in technical tools should be the output, not the driver, of cyber security strategy.
 
Mistake No. 3: “Our weapons have to be better than those of the hackers.”
Reality: Security policies should primarily be determined by your goals, not those of your attackers.
 
The fight against cyber crime is an unwinnable race if it’s defined solely as an arms race with attackers, who are constantly developing new methods and technology, forcing companies to keep investing in increasingly sophisticated tools to prevent attacks.
 
Managers need to understand what types of attackers their business attracts and why, assess their own risk profile, and prioritize policies, procedures and controls based on that risk profile.
 
Mistake No. 4: “Cyber security compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.
 
Cyber security is very much driven by compliance with certain laws and policies. Even so, only an organization that is capable of understanding external developments and incident trends, and uses these insights to inform policy and strategy, will succeed in combating cyber crime in the long term.
 
Effective cyber security policy and strategy should be based on continuous learning and improvement to strengthen the company’s program and protect its highest-value assets, not simply on reacting to regulatory compliance issues that may address only part of its environment.
 
Mistake No. 5: “We need to recruit the best professionals to defend ourselves from cyber crime.”
Reality: Cyber security is not a department, but an attitude.
 
Cyber security is often seen as the responsibility of a department of specialist professionals, which may result in a false sense of security and may give the broader organization the mistaken idea that it’s not their problem.
 
The real challenge is to make cyber security a concern of the entire organization. For example, this means that cyber security should become part of HR policy. It also means that cyber security should be built into the requirements for key business and information technology initiatives, rather than retrofitted into business processes, IT systems or third-party controls only at the end of such projects.
 
Developing a strategic, customized and comprehensive cyber security program — driven from the top — will help companies avoid these common security mistakes and build an informed and knowledgeable organizational culture.
 
 
Author - Peter Bassill
