Why security tools are useless if they don't relate to business objectives

13 Nov 17

No matter how many cybersecurity tools or products a business owns, they may not provide enough protection if the business can’t say how those tools support its business objectives.

That’s according to Aleron, which says that organisations can only claim to be protected when they know what they are protecting, and whether what they’re implementing actually protects it.

“A successful security strategy will have a mix of security tools, processes, and policies followed and supported by employees,” explains Aleron’s director Alex Morkos.

“They need to understand all the potential entry points for cyberattacks and create a holistic strategy that leaves no door open. However, there are many areas to consider, which makes it easy to overlook some. A risk assessment can help organisations find the correct balance between security and usability, linked back to the business need.” 

The company says there are five key questions organisations should ask to determine their security strategy:

1. What does the organisation need to protect? Any business with an online presence will have some assets that are critical and material to its operations and can be affected by cyberthreats. For example, if the business runs an online store, or sells financial products online, it will need to protect customer data as well as any IP in the online application that gives the company a competitive advantage. Understanding what data and assets the organisation has, and how they relate to the business’s ability to operate safely and in good standing, is key to knowing what to protect.

2. What is the organisation’s risk appetite? Organisations need to understand what outages the business is prepared to accept, what level of negative media attention it can withstand before it affects the business, whether there is confidential or private data on the network, and, if so, how valuable it is to the business.

3. What are the real threats this attack surface presents? Understanding the reality of the threats organisations can face helps businesses determine a risk profile. For example, given the right opportunity, attackers can control and monitor the corporate network and create an internal denial of service condition that’s difficult to troubleshoot. This type of incursion typically survives standard malware clean-outs. It’s important to know the real threats in order to protect against them effectively.

4. What are the potential consequences of an attack via this entry point? The consequences of an attack vary depending on the business but can include disruption to normal operations, confidential data leakage and privacy infringements. In turn, this can lead to fines under the Privacy Act and reputation damage, particularly if the attacker uses the company’s network to attack others. Often, organisations may decide that a vulnerability isn’t worth strengthening because an attack is unlikely to cause much damage.

5. How likely is an attack? The likelihood of an attack depends on how exposed the network is to the public and the level of interest in the business itself. Some businesses are less likely to be attacked than others, depending on factors such as the industry they operate in or the businesses they partner with.

Morkos says that organisations should conduct security risk assessments in partnership with security experts.

“Business leaders need to consider what controls should be implemented to protect the organisation and maintain variety in the right combinations. Businesses should use preventative and detective controls together and make sure they have a response plan that is approved, understood, and tested,” he continues.

“Without conducting a security risk assessment, businesses may invest too much in security, wasting budget that could be better spent elsewhere. They may also under-invest in security measures, which could leave the organisation vulnerable to attack. The key is to get the right balance and place resources where they’ll deliver the best value.” 
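The five questions above and the “right balance” of investment Morkos describes can be written down as a small qualitative risk register. The script below is an added illustration for this article, not Aleron’s method or tool: the 1–5 likelihood and consequence scales, the risk appetite threshold, the budget, and every asset, threat and cost in the sample register are constructed values. It scores each threat as likelihood × consequence, accepts anything within the stated appetite (question 2), and funds controls for the remaining risks in score order until the budget is exhausted, which is the over-/under-investment trade-off the last quote warns about.

```python
"""Qualitative security risk register: an added illustration of the five
risk-assessment questions in the article. Scales, appetite, budget and all
register entries are constructed sample values, not real data."""
from dataclasses import dataclass

# Assumed 1-5 ordinal scales; a real assessment would define these per organisation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str         # Q1: what needs protecting
    threat: str        # Q3: the real threat to that asset via an entry point
    consequence: str   # Q4: what happens if the threat is realised
    likelihood: str    # Q5: how likely that is
    control_cost: int  # constructed annual cost of the proposed control

    def score(self) -> int:
        """Likelihood x consequence on the assumed 1-5 scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def assess(register, appetite, budget):
    """Split a register into (funded, unfunded, accepted).

    appetite: highest score the business is willing to accept (Q2).
    budget:   total control spend available.
    Risks above appetite are ranked by score (cheapest control first on ties)
    and funded greedily until the budget runs out; the rest are left unfunded
    so they show up explicitly rather than silently. Risks at or below appetite
    are accepted.
    """
    above = sorted(
        (r for r in register if r.score() > appetite),
        key=lambda r: (-r.score(), r.control_cost),
    )
    accepted = [r for r in register if r.score() <= appetite]
    funded, unfunded, remaining = [], [], budget
    for r in above:
        if r.control_cost <= remaining:
            funded.append(r)
            remaining -= r.control_cost
        else:
            unfunded.append(r)
    return funded, unfunded, accepted


def sample_register():
    """Constructed register for a hypothetical online retailer."""
    return [
        Risk("customer database", "credential theft against admin accounts", "severe", "likely", 30),
        Risk("customer database", "injection flaw in order form", "major", "possible", 15),
        Risk("storefront availability", "volumetric DDoS on storefront", "moderate", "likely", 40),
        Risk("internal network", "persistent foothold causing internal DoS", "major", "unlikely", 25),
        Risk("marketing site", "defacement", "minor", "possible", 5),
    ]


if __name__ == "__main__":
    funded, unfunded, accepted = assess(sample_register(), appetite=8, budget=50)
    for label, group in (("FUND", funded), ("UNFUNDED", unfunded), ("ACCEPT", accepted)):
        for r in group:
            print(f"{label:8} score={r.score():2} cost={r.control_cost:3}  {r.asset}: {r.threat}")
```

With an appetite of 8 and a budget of 50, the two credential-theft and injection risks (scores 20 and 12) get funded, the DDoS risk (also 12, but with a 40-unit control) is left visibly unfunded, and the two low-scoring risks are accepted. Changing the appetite or budget and re-running shows how the same register produces a different spend, which is the point of answering question 2 before buying tools.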
