When addressing the issue of data security and compliance, one of the strategic challenges facing businesses today is an over-reliance on a wide variety of IT and security technologies, spread across the organization and supported by a plethora of different vendors.
Not only is this an IT management nightmare, but the very nature of this type of distributed and disparate environment actually increases the attraction for individuals and groups seeking to undertake malicious activity. These actors range from inquisitive amateurs to highly professional, organised criminal gangs and even nation states (Who are the ‘Bad Guys’?).
How difficult is it to become a Cyber Criminal?
With cyber-crime technologies such as exploit kits, which discover and exploit network vulnerabilities and then upload and execute malicious code, becoming much more readily available (How Dark is the Dark Web?), attackers need little start-up investment or even knowledge. They can easily begin testing the fences across the Internet to see what vulnerabilities exist in any business network, and that includes yours!
Governments around the world are recognizing the damaging impact the resultant growth in cyber crime is having on their economies and are subsequently focusing more and more resources on introducing new and ever more extensive cyber legislation to combat this issue.
What does this mean for your security strategy?
One outcome of this for enterprises everywhere is that the resources required to comply with new cyber legislation are becoming much more significant. It is extremely challenging for businesses to align existing, successful operations with the industry best practices required by new regulations. An example of this is the soon-to-be-introduced General Data Protection Regulation (GDPR), new European legislation aimed at protecting the rights of all EU citizens when it comes to Personally Identifiable Information (PII), a vast amount of which is held by US corporations.
Unfortunately, the early attempts at achieving compliance, for example in the areas of Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) compliance, often led to costly failures. Frequently, when businesses invested significant resources in implementing systems and protocols to increase security and achieve compliance with one standard or another, they ended up no more secure than before they started. Many others achieved compliance in the first instance, only to see changes in regulations, and across the threat landscape, negate their compliant status.
This can be likened to trying to catch water leaking through a roof in a bucket, only to see new leaks appear, meaning more and more buckets or a wet floor! The answer, of course, is to implement a well-planned, long-term strategy that maintains the integrity of the roof, regardless of the weather conditions.
Improving your cyber security profile
Within your overall security strategy, any specific improvement in the cyber security profile needs to take into account exactly what you are trying to achieve and over what time period; the operating environment of your business; the potential range of threats to your organization or industry; and your ability to analyse, and quickly react to, security threats and other damaging events.
In essence, a successful cyber security implementation project relies on the following 5 key elements:
DISCO for Data Security projects
- Design. Establish a project plan and team to develop a strategic timeline, based upon SMART (Specific, Measurable, Achievable, Realistic & Time-bound) objectives.
- Identify & Isolate. Determine the in-scope assets (data, systems, people, documents, etc.) and isolate these from any connected assets that could have an adverse impact. Isolating the systems helps to ensure that defensive measures are concentrated on the higher priority elements of the business.
- Standardize. Align existing business processes with appropriate industry best practices, ensuring that these are well documented, applied and followed.
- Check. Ensure that periodic checks are carried out to help to ensure ongoing alignment with the chosen standards.
- Offset. Identify and respond to new vulnerabilities in a timely manner, helping to offset the potential for exploitation.
Let’s face it, the ever-increasing reliance on high volumes of data and the technologies needed to process it, along with the growth in breadth and frequency of cyber threats, are challenges that are here to stay. So if you want to reduce the likelihood of your company being the next Target or Home Depot, you should seriously consider building a sustainable security strategy that keeps the Bad Guys out not only now, but also in the future. In other words, get your DISCO gear on!
About Welford Management & Consulting
Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support, and Sales & Marketing Automation. Our expertise comes from a team of individuals who each focus on one of our practice disciplines, so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.