Story image

Why security tools are useless if they don't relate to business objectives

13 Nov 2017

No matter how many cybersecurity tools or products a business owns, they may not provide enough protection if businesses can’t say how those tools are part of their business objectives.

That’s according to Aleron, which says that organisations can only say they are protected when they know what they are protecting, and if what they’re implementing is able to protect it.

“A successful security strategy will have a mix of security tools, processes, and policies followed and supported by employees,” explains Aleron’s director Alex Morkos.

“They need to understand all the potential entry points for cyberattacks and create a holistic strategy that leaves no door open. However, there are many areas to consider, which makes it easy to overlook some. A risk assessment can help organisations find the correct balance between security and usability, linked back to the business need.” 

The company says there are five key questions organisations should ask to determine their security strategy:

1. What does the organisation need to protect? Any business with an online presence will have some assets that are critical and material to its operations and can be affected by cyberthreats. For example, if the business runs an online store, or sells financial products online, it will need to protect customer data as well as any IP in the online application that gives the company a competitive advantage. Understanding what data and assets the organisation has and how they relate to the business’s ability to operate safely and in good standing is key to knowing what to protect.  2. What is the organisation’s risk appetite? Organisations need to understand what outages the business is prepared to accept, what level of negative media attention it can withstand before it affects the business, whether there is confidential or private data on the network, and, if so, how valuable it is to the business.  3. What are the real threats this attack surface presents? Understanding the reality of the threats organisations can face can help businesses determine a risk profile. For example, given the right opportunity, hackers can control and monitor the corporate network and create an internal denial of service attack that’s difficult to troubleshoot. This type of incursion typically survives standard malware clean-outs. It’s important to know the real threats to protect against them effectively.  4. What are the potential consequences of an attack via this entry point?  The consequences of an attack vary depending on the business but can include disruption to normal operations, including confidential data leakage and privacy infringements. In turn, this can lead to fines under the Privacy Act and reputation damage, particularly if the attacker uses the company’s network to attack others. Often, organisations may decide that a vulnerability isn’t worth strengthening because an attack is unlikely to cause much damage.  5. How likely is an attack? The likelihood of an attack depends on how open the network is to the public and the level of interest in the business itself. Some businesses are less likely to be attacked than others, depending on factors such as the industry they operate in or the businesses they partner with. 

Morkos says that organisations should conduct security risk assessments in partnership with security experts.

“Business leaders need to consider what controls should be implemented to protect the organisation and maintain variety in the right combinations. Businesses should use preventative and detective controls together and make sure they have a response plan that is approved, understood, and tested,” he continues.

“Without conducting a security risk assessment, businesses may invest too much in security, wasting budget that could be better spent elsewhere. They may also under-invest in security measures, which could leave the organisation vulnerable to attack. The key is to get the right balance and place resources where they’ll deliver the best value.” 

Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.
Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
Developing APAC countries most vulnerable to malware - Microsoft
“As cyberattacks continue to increase in frequency and sophistication, understanding prevalent cyberthreats and how to limit their impact has become an imperative.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.