Recent media reports tell the story: the number of computer viruses is expected to double by the year 2008. Even more alarming is the fact that viruses are no longer the product of hackers seeking temporary fame and glory. Hacking has become a sophisticated, organized business that has traded the previous objective of recognition for that of money. This new breed of assault is impacting enterprise security in broader—and more costly—ways than ever before. And in many organizations, what used to be the occasional need to respond has now become a daily battle.

In fact, when Courian and the Executive Alliance consultancy conducted a study1 to determine the security concerns of companies, they found that there are many. Topping the list are:

1. Unauthorized systems access
2. Auditability/compliance
3. Customer data breaches
4. Sabotage
5. Theft of intellectual property
6. Cost of administration

So, with the threat of up to half a million viruses in the near future, and more areas of opportunity for security breaches, how do you mitigate risk without being consumed by the process?

1 Online Security Today, June 15, 2006.

When Too Much Isn’t Enough

In order to see how an organization’s security can become more balanced in the future, it’s helpful to look at where it’s been. For years, companies have responded to attacks with a “one-threat-one-cure” approach, buying individual products along the way. Over time, this approach has led to multiple layers of security, ranging from anti-virus to anti-spyware to intrusion prevention systems. Unfortunately, layer upon layer of products hasn’t improved the overall security of organizations. Instead, it’s created a patchwork of disparate systems—both localized and geographically spread out. Companies that have invested heavily in a series of one-off solutions are now contending with security gaps that attackers can exploit. And equally threatening to organizations is what this patchwork approach can do to the bottom line. Increasing the complexity of the security system requires more complex and expensive management processes—escalating the overall cost of security operations.

Reducing Complexity: An Idea Whose Time Has Come

In the past, the concept of reducing complexity in order to improve security sounded contradictory. Today, it’s simply a reflection of the times—and of new integration capabilities. Instead of buying expensive individual products that add complexity to an organization’s security architecture, companies are now able to take a holistic approach to their needs. This elevated point of view allows companies to implement a comprehensive risk management process that weighs security threats against the realities of business in order to find a practical balance.

Strategies for Simplifying Security

Implementing a risk management process that simplifies, streamlines, and integrates security shouldn’t be viewed as a daunting task. Instead, it should become a way of doing business—a philosophy in which organizations take a proactive approach to identifying and eliminating security exposures. Organizations can then put in place a system that comprehensively blocks attacks while planning and implementing remediation strategies on an ongoing basis.

Top-Line Ways for Companies to Get Started

Step 1: Look at your assets

Assets refer to existing computers, servers, network, and data infrastructure and gear. It’s critical to identify what you have in place in order to assess levels of risk. Where do these assets reside? How important are they? If you are unable to identify or track assets, it’s nearly impossible to protect them.

Step 2: Identify your risk

At this point, two important questions arise: What risk do you face given the vulnerabilities of the assets? What level of risk are you willing to accept? Some assets are worth more and therefore have more risk associated with them. For example, a database server that contains customer information is more at risk than a server you might use to demonstrate a product. Or the CEO’s laptop might be more at risk, because it is mobile and contains company-confidential information, than an administrative desktop system that sits in a locked office. The laptop is more likely to be stolen, and the data on it is correspondingly more at risk.
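The two steps above (inventory the assets and their locations, then weigh each asset's value against its exposure and compare the result with the risk you are willing to accept) can be expressed as a small risk register. The following is an added example, not part of the original paper or any vendor's product; the asset names, the 1-to-5 value scale, the exposure factors and their weights, and the risk-appetite threshold are all constructed assumptions chosen to mirror the paper's examples (a customer database, a demo server, the CEO's laptop, an administrative desktop).

```python
from dataclasses import dataclass, field

# Exposure factors that raise the likelihood of compromise. The factor names and
# weights are assumptions for this example, not a standard taxonomy.
EXPOSURE_WEIGHTS = {
    "mobile": 2,              # device leaves the premises (theft, loss)
    "confidential_data": 2,   # holds customer or company-confidential data
    "internet_facing": 2,     # reachable from outside the network
    "unpatched": 1,           # known vulnerabilities not yet remediated
    "shared_credentials": 1,  # accounts shared among several people
}


@dataclass
class Asset:
    name: str
    location: str                       # empty string means "we cannot say where it is"
    value: int                          # business importance, 1 (low) .. 5 (critical)
    exposures: list = field(default_factory=list)


def likelihood(asset: Asset) -> int:
    """Likelihood of compromise on a 1..5 scale, driven by the asset's exposures."""
    score = 1 + sum(EXPOSURE_WEIGHTS.get(e, 0) for e in asset.exposures)
    return min(score, 5)


def risk_score(asset: Asset) -> int:
    """Classic qualitative risk: value (impact) multiplied by likelihood, range 1..25."""
    return asset.value * likelihood(asset)


def untracked(assets: list) -> list:
    """Step 1 check: assets whose location is unknown cannot be protected."""
    return [a.name for a in assets if not a.location]


def risk_register(assets: list, appetite: int) -> list:
    """Step 2: (name, score, exceeds_appetite) rows, highest risk first.

    `appetite` is the maximum score the organization has decided to accept;
    anything above it needs a remediation plan.
    """
    rows = [(a.name, risk_score(a), risk_score(a) > appetite) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory mirroring the paper's examples.
SAMPLE_ASSETS = [
    Asset("customer-db-01", "datacenter-A rack 7", 5,
          ["confidential_data", "shared_credentials"]),
    Asset("demo-server", "lab", 1, ["internet_facing", "unpatched"]),
    Asset("ceo-laptop", "mobile (no fixed site)", 4, ["mobile", "confidential_data"]),
    Asset("admin-desktop", "locked office 2F", 2, []),
    Asset("legacy-fileshare", "", 3, ["unpatched"]),   # nobody knows where this lives
]

RISK_APPETITE = 10   # assumed organizational threshold


if __name__ == "__main__":
    for name in untracked(SAMPLE_ASSETS):
        print(f"UNTRACKED: {name} has no recorded location; fix the inventory first")
    for name, score, over in risk_register(SAMPLE_ASSETS, RISK_APPETITE):
        flag = "REMEDIATE" if over else "accept"
        print(f"{name:18s} risk={score:2d}  {flag}")
```

Running it lists the file share with no recorded location before any scoring is attempted, then ranks the customer database and the CEO's laptop at the top (high value combined with confidential data, and mobility in the laptop's case) while the demo server, despite being internet-facing and unpatched, scores low because little of value sits on it. The point is not the particular numbers but the discipline: every asset gets a location, a value and an explicit comparison against a stated appetite, so remediation effort follows the ranking rather than whichever product was bought last.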