Story image

Why security tools are useless if they don't relate to business objectives

13 Nov 2017

No matter how many cybersecurity tools or products a business owns, they may not provide enough protection if businesses can’t say how those tools are part of their business objectives.

That’s according to Aleron, which says that organisations can only say they are protected when they know what they are protecting, and if what they’re implementing is able to protect it.

“A successful security strategy will have a mix of security tools, processes, and policies followed and supported by employees,” explains Aleron’s director Alex Morkos.

“They need to understand all the potential entry points for cyberattacks and create a holistic strategy that leaves no door open. However, there are many areas to consider, which makes it easy to overlook some. A risk assessment can help organisations find the correct balance between security and usability, linked back to the business need.” 

The company says there are five key questions organisations should ask to determine their security strategy:

1. What does the organisation need to protect? Any business with an online presence will have some assets that are critical and material to its operations and can be affected by cyberthreats. For example, if the business runs an online store, or sells financial products online, it will need to protect customer data as well as any IP in the online application that gives the company a competitive advantage. Understanding what data and assets the organisation has and how they relate to the business’s ability to operate safely and in good standing is key to knowing what to protect.  2. What is the organisation’s risk appetite? Organisations need to understand what outages the business is prepared to accept, what level of negative media attention it can withstand before it affects the business, whether there is confidential or private data on the network, and, if so, how valuable it is to the business.  3. What are the real threats this attack surface presents? Understanding the reality of the threats organisations can face can help businesses determine a risk profile. For example, given the right opportunity, hackers can control and monitor the corporate network and create an internal denial of service attack that’s difficult to troubleshoot. This type of incursion typically survives standard malware clean-outs. It’s important to know the real threats to protect against them effectively.  4. What are the potential consequences of an attack via this entry point?  The consequences of an attack vary depending on the business but can include disruption to normal operations, including confidential data leakage and privacy infringements. In turn, this can lead to fines under the Privacy Act and reputation damage, particularly if the attacker uses the company’s network to attack others. Often, organisations may decide that a vulnerability isn’t worth strengthening because an attack is unlikely to cause much damage.  5. How likely is an attack? The likelihood of an attack depends on how open the network is to the public and the level of interest in the business itself. Some businesses are less likely to be attacked than others, depending on factors such as the industry they operate in or the businesses they partner with. 

Morkos says that organisations should conduct security risk assessments in partnership with security experts.

“Business leaders need to consider what controls should be implemented to protect the organisation and maintain variety in the right combinations. Businesses should use preventative and detective controls together and make sure they have a response plan that is approved, understood, and tested,” he continues.

“Without conducting a security risk assessment, businesses may invest too much in security, wasting budget that could be better spent elsewhere. They may also under-invest in security measures, which could leave the organisation vulnerable to attack. The key is to get the right balance and place resources where they’ll deliver the best value.” 

Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."
D-Link hooks up with Alexa and Assistant with new smart camera
The new camera is designed for outdoor use within a wireless smart home network.
Slack users urged to update to prevent security vulnerability
Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately.
Secureworks Magic Quadrant Leader for Security Services
This is the 11th time Secureworks has been positioned as a Leader in the Gartner Magic Quadrant for Managed Security Services, Worldwide.
Google puts Huawei on the Android naughty list
Google has apparently suspended Huawei’s licence to use the full Android platform, according to media reports.
Using data science to improve threat prevention
With a large amount of good quality data and strong algorithms, companies can develop highly effective protective measures.
General staff don’t get tech jargon - expert says time to ditch it
There's a serious gap between IT pros and general staff, and this expert says it's on the people in IT to bridge it.
ZombieLoad: Another batch of flaws affect Intel chips
“This flaw can be weaponised in highly targeted attacks that would normally require system-wide privileges or a complete subversion of the operating system."