Story image

Why security tools are useless if they don't relate to business objectives

13 Nov 2017

No matter how many cybersecurity tools or products a business owns, they may not provide enough protection if businesses can’t say how those tools are part of their business objectives.

That’s according to Aleron, which says that organisations can only say they are protected when they know what they are protecting, and if what they’re implementing is able to protect it.

“A successful security strategy will have a mix of security tools, processes, and policies followed and supported by employees,” explains Aleron’s director Alex Morkos.

“They need to understand all the potential entry points for cyberattacks and create a holistic strategy that leaves no door open. However, there are many areas to consider, which makes it easy to overlook some. A risk assessment can help organisations find the correct balance between security and usability, linked back to the business need.” 

The company says there are five key questions organisations should ask to determine their security strategy:

1. What does the organisation need to protect? Any business with an online presence will have some assets that are critical and material to its operations and can be affected by cyberthreats. For example, if the business runs an online store, or sells financial products online, it will need to protect customer data as well as any IP in the online application that gives the company a competitive advantage. Understanding what data and assets the organisation has and how they relate to the business’s ability to operate safely and in good standing is key to knowing what to protect.  2. What is the organisation’s risk appetite? Organisations need to understand what outages the business is prepared to accept, what level of negative media attention it can withstand before it affects the business, whether there is confidential or private data on the network, and, if so, how valuable it is to the business.  3. What are the real threats this attack surface presents? Understanding the reality of the threats organisations can face can help businesses determine a risk profile. For example, given the right opportunity, hackers can control and monitor the corporate network and create an internal denial of service attack that’s difficult to troubleshoot. This type of incursion typically survives standard malware clean-outs. It’s important to know the real threats to protect against them effectively.  4. What are the potential consequences of an attack via this entry point?  The consequences of an attack vary depending on the business but can include disruption to normal operations, including confidential data leakage and privacy infringements. In turn, this can lead to fines under the Privacy Act and reputation damage, particularly if the attacker uses the company’s network to attack others. Often, organisations may decide that a vulnerability isn’t worth strengthening because an attack is unlikely to cause much damage.  5. How likely is an attack? The likelihood of an attack depends on how open the network is to the public and the level of interest in the business itself. Some businesses are less likely to be attacked than others, depending on factors such as the industry they operate in or the businesses they partner with. 

Morkos says that organisations should conduct security risk assessments in partnership with security experts.

“Business leaders need to consider what controls should be implemented to protect the organisation and maintain variety in the right combinations. Businesses should use preventative and detective controls together and make sure they have a response plan that is approved, understood, and tested,” he continues.

“Without conducting a security risk assessment, businesses may invest too much in security, wasting budget that could be better spent elsewhere. They may also under-invest in security measures, which could leave the organisation vulnerable to attack. The key is to get the right balance and place resources where they’ll deliver the best value.” 

Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."
Gartner: Good talent put off by old tech
Technology now ranks in the top ten reasons Australian employees will leave their current role, according to Gartner’s 4Q18 Global Talent Monitor.
App downtime costs businesses over $700k per event
One hour of business-critical application downtime can cost larger companies $144,062.52 per hour, with an average repair time of over five hours.
Why application downtime costs Aussie businesses more than $762,000 on average
“These findings highlight the critical need for all Australian businesses to ensure ongoing monitoring of applications."
How AI is changing the medical industry
With NVIDIA Clara, developers can speed up their medical imaging applications and implement AI.
The Data Literacy Project expands its library of free courses
Upskilling the workforce in data literacy is fundamental to unlocking business growth.
Digital experience managers, get excited for Adobe Summit 2019
“Digital transformation may be a buzzword, but companies are trying to adapt and compete in this changing environment.”