Business Continuity, the Security Objective
Security is much more than protecting network assets. Preventing and managing attacks, as well as laying the foundations of a resilient corporation, are fundamental objectives of today’s security. Are we making the right decisions towards these objectives?
Nowadays the consequences of a cyber attack or a data breach are highly visible. So visible that we often hear people say that there are two types of companies: the ones that were hacked and the ones that don’t know they were hacked.
Attacks are real across all markets: large, medium, small and even micro companies. Every single business or person can be the victim of an attack. It is not necessarily a very sophisticated one, but it is an attack that looks for profit, often hurting the present and future assets of the victim as well as affecting business continuity.
Attacks tend to be vertical, specific to each activity sector. Not all industries suffer the same types of attack, basically because the way to hurt and to profit from the assets varies from industry to industry.
We can draw two conclusions from the above that make us rethink current protection concepts and the fundamentals of our protection strategy:
1. Security is more about risk management and impact mitigation. If we look at our environment, over 80% of the investment we make in security is aimed at preventing an attack, and only a small part of the investment is dedicated to the event that the attack succeeds. But the attacks we learn about in the news are persistent. So in that case we are only partially applying a risk management model and contributing to business continuity.
2. Security and niche specialization. A bank is not normally targeted with the same attacks as a government. Nevertheless, when we break down security investments, the percentages of investment dedicated to each technology are very similar.
The Ponemon Institute says we take 7 months to discover a persistent attack. That makes blocking only the tip of the iceberg in security.
When protection does not guarantee 100% security and the probability of compromise is higher, the concept of security must expand to include resilience, in other words, the capacity to recover from adversity and disaster.
Growth in technologies that build resilience is considerable, but it is still too low for corporations to recover naturally from an attack. Insurance can be a short-term medicine to calm the pain, but it will not heal.
Even if a company is not ISO certified, it is essential to build contingency plans and plan asset recovery:
• What do we do if we lose an asset? How is our company protected if that happens? If it’s a physical asset, can we rely on GPS technology? If it’s a document, can we rely on an IRM such as Sealpath?
• What do we do if our data is lost, or we suffer a ransom attack? Do we have a good backup system to recover normal operations?
• What do we do if we have a breach?
• And so on.
We should draw up a detailed recovery plan for disasters and dangerous situations.
Security planning should include a very deep study of risk assessment and consequences, balanced across pre-attack, attack and post-attack. You can see some consequences in the attached table.

If we define and quantify risk, it will be much easier to justify investments and reduce risks for the business.
It seems quite clear that protection is not the only concept we should have in mind when investing in security. Other concepts, like detection, impact mitigation, and building the foundations that strengthen resilience so productivity recovers faster, are very important. The concept of security is changing, and it is becoming more and more about securing business continuity.
Joao.matos@biztheworld.com
Contact me and let’s discuss how we can improve your company’s resilience.