Enterprises should invest in strengthening security programs
Enterprises need to relook at their people, processes, and technology strategies around information security.
Enterprises today are losing sleep over information security concerns, despite investing heavily in technology to improve business performance. However, these technology investments are being made to innovate and accelerate the impact of technology for their customers rather than to protect the data itself.
Rajat Mohanty, Co-founder, Chairman and CEO at Paladion explained:
“The compliance and security teams often approach their CFOs to set aside budgets required to strengthen the companies’ security and compliance programs. However, owing to the CFO’s risk-averse nature, they mostly focus on the business and the bottom line. In view of this, the next step towards information risk management would be for the CFOs to bring innovative ideas to the table to help their companies remain competitive.”
According to market research firm Gartner, Middle East and North Africa (MENA) spending on information security technology and services reached $1.1 billion in 2015, an increase of 3.3% over 2014. The overall security spending is also on the rise in the region – it grew by 15% in 2015. Analysts at Gartner said that enterprises in MENA are now realising that merely adopting preventive strategies is not enough, and they are beginning to focus on detection and response approaches to improve the security posture of their organization.
Indeed, large organisations in MENA are investing in building out security operations capabilities, either in-house or by leveraging external services offered by managed security services providers (MSSPs). Organisations surely need to spend more on detection, but not at the expense of blocking known threats. This requires enterprises to relook at their people, processes, and technology strategies around information security.
According to Gartner, in 2017 more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than 5% today. In addition, through 2018, more than 40% of state-sponsored attacks will have their source nation misidentified by the target. Also, 99.9% of attacks will be based on product vulnerabilities that had been known for at least a year.
“CFOs and CEOs in such enterprises need to identify all the assets that contain or transmit the information they are trying to protect. It could be anything from Personal Identification Information (PII), Protected Health Information (PHI), Payment Card Information (PCI), or any other proprietary or sensitive information important to the business. These information assets include not only applications but also the media that contains those applications, such as servers, back-up tapes, desktops, laptops, and thumb drives.”
Thus, identifying the vulnerabilities of those assets is the next significant step. Making informed decisions on risk treatment involves isolating every combination of an asset, a threat to that asset, and a vulnerability that the threat might exploit. Where no such combination exists, there is no risk to the company's information.
Apart from determining the likelihood of the threats exploiting the vulnerabilities, enterprises also need to generate a risk list, with high-impact risks at the top, low-impact risks at the bottom, and everything else in between. Once the list is in place, the CISOs, CFOs, CEOs and other C-suite executives need to meet, work out solutions, and determine the cost of all risks.
“Continuous evaluation and re-evaluation of the risks that a company faces is a good practice. Although time, energy and commitment are some of the most important pre-requisites for such practices, one has to agree that ongoing vigilance has its own rewards. Apart from mitigating huge business costs, it also saves companies the immense reputational damage that could stem from a data breach.”