BreachExchange mailing list archives

The 5 most common cyber security mistakes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 31 Jul 2014 18:50:22 -0600

http://idahobusinessreview.com/2014/07/31/the-5-most-common-cyber-security-mistakes/

Recent headlines confirm that cyber attacks are growing in scale and
incidents are on the rise.

Organizations are increasingly vulnerable as a result of technological
advances and a changing workplace, including remote access, big data, cloud
computing, social media and mobile technology.

The amount and importance of data continues to grow, as does the sharing of
information via online networks. Organizations increasingly open their IT
systems and lose direct control of data security.

Today, cyber security is no longer just an IT issue — it is a challenge for
the leadership of any organization.

Rather than focusing on technology alone to address these issues, it’s
critical that management, boards and shareholders understand the most
common cyber security mistakes so they can adopt a flexible, proactive and
strategic approach to building an informed organization.

KPMG LLP recently surveyed 100 primarily C-level and senior executives in
the technology industry for our 2014 Technology Business Outlook.
Technology executives continue to believe that security is the biggest
challenge to businesses adopting cloud, mobile or social media technologies,
and almost two-thirds expect their company to spend 1 percent to 5 percent
of their revenue on information security over the next 12 months.

In light of the recent data breach at Minneapolis-based Target Corp. and
the fact that data security is one of the top concerns of many of our
clients in the Minneapolis market, we’ve compiled five common cyber
security mistakes that company leaders should work to avoid.

Mistake: “We must achieve 100 percent security.”

Reality: 100 percent security is neither feasible nor the appropriate goal.

Whether it remains private or is made public, almost every large,
well-known organization will experience information theft. Once you
understand that perfect security is an illusion and that cyber security is
“business as usual,” you also understand that more emphasis must be placed
on protecting your most important information assets, in addition to
improving detection and response capabilities to identify and address
issues as they arise.

Mistake: “When we invest in best-of-class technical tools, we are safe.”

Reality: Effective cyber security is less dependent on technology than you
think.

The world of cyber security is dominated by specialist suppliers, such as
those that sell products enabling the rapid detection of intruders. These
tools are essential for basic security, and must be integrated into the
technology architecture, but they are not the basis of a holistic and
robust cyber security policy and strategy. The investment in technical
tools should be the output, not the driver, of cyber security strategy.

Mistake: “Our weapons have to be better than those of the hackers.”

Reality: Security policies should primarily be determined by your goals,
not those of your attackers.

The fight against cyber crime is an unwinnable race if it’s defined solely
as an arms race with attackers, who are constantly developing new methods
and technology, forcing companies to keep investing in increasingly
sophisticated tools to prevent attacks.

Managers need to understand what types of attackers their business attracts,
and why, and then assess their own risk profile and prioritize policies,
procedures and controls based on that risk profile.

Mistake: “Cyber security compliance is all about effective monitoring.”

Reality: The ability to learn is just as important as the ability to
monitor.

Cyber security is very much driven by compliance with certain laws and
policies. Even so, only an organization that is capable of understanding
external developments and incident trends, and uses these insights to
inform policy and strategy, will succeed in combating cyber crime in the
long term.

Effective cyber security policy and strategy should be based on continuous
learning and improvement to beef up the company’s program and protect its
highest-value assets, not simply react to regulatory compliance issues
that may address only part of its environment.

Mistake: “We need to recruit the best professionals to defend ourselves
from cyber crime.”

Reality: Cyber security is not a department, but an attitude.

Cyber security is often seen as the responsibility of a department of
specialist professionals, which may result in a false sense of security and
may give the broader organization the mistaken idea that it’s not their
problem.

The real challenge is to make cyber security a concern of the entire
organization. For example, this means that cyber security should become
part of HR policy. It also means that cyber security should be built into
the requirements for key business and information technology initiatives
vs. retrofitting security into business processes, IT systems or
third-party controls only at the end of such projects.

Developing a strategic, customized and comprehensive cyber security program
— driven from the top — will help companies avoid these common security
mistakes and build an informed and knowledgeable organizational culture.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 