The security landscape is a complex one, and several layers of defence at multiple points in the organisation are needed to successfully combat today’s sophisticated threats. Unfortunately, for too many businesses, the idea of a ‘quick fix’ is tempting, and they learn the hard way that there is no such thing.
Many businesses are too quick to jump on the bandwagon, and rush out to buy a firewall, IDS, application firewall or other hardware and software solutions they’ve heard described as a silver bullet for security, says Lutz Blaeser, MD of Intact Security.
“Solid security comes with a mind shift, commitment and a good plan,” he says. “Start by understanding exactly where you want the business to end up. Are you looking for the most state-of-the-art security systems out there? Are you hoping to merely do things at least as well as your counterparts and competitors? Or are you looking to implement the least possible security that allows you to avoid falling foul of regulatory bodies in the event of an incident?”
He says that understanding what the aim is will help you understand what you can afford and also what you can’t afford. “Risk assessment is the next step, and is a vital part of security planning. No plan can be put into effect until a thorough assessment of the risks has been undertaken. This assessment will provide a baseline for the development and implementation of any security plan in order to protect the most important business assets from today’s threats.”
To carry out a risk assessment, businesses need to ask themselves several questions, he says. “Firstly, what are the business’s most valuable assets, and the sensitive data that need protecting the most? Secondly, what are the risks to these assets and data? Thirdly, what is the cost versus risk balance, and how much is the business prepared to cough up to protect these assets?”
Establishing these facts is vital, Blaeser says, as you cannot protect your most valuable assets and data if you don’t know what they are, or what threatens them.
“The next step is to thoroughly assess your current state, security-wise. Bringing in experts or consultants can be a big help here, as they can help you understand where you are without sugaring the pill.”
Once you have a goal set, and an understanding of where you are, you can start plugging the leakiest holes. “Plan and budget for what is needed over a realistic time frame, and build each step into the company’s main goals, and introduce the necessary key performance indicators into relevant employees’ goals.”
He says getting into security shape is hard work, and takes time and dedication. “There is no quick fix and no silver bullet. It’s not about merely buying a product any longer.”