The traditional concept of having a perimeter to defend is rapidly losing all relevance. Today’s enterprise is effectively ‘borderless’; customers and suppliers transact from anywhere in the world, and previously siloed systems are converging on the core network. The shift of services (and data) into the cloud – or many clouds – adds further complexity to the security model. In a previous blog, we examined the new breed of threats that are infiltrating corporate networks, and how this has created a need for organisations to adopt a business-centric security model. What are the components of this model?
Organisations must foster a security-conscious culture in which every employee is aware of potential risks, such as malware propagated via email or the saving of corporate data to personal cloud services like Dropbox. This is particularly relevant for organisations that have a BYOD policy (and even more so for those that don’t and are therefore more likely to be at risk of shadow IT). According to a recent Deloitte survey, 70 per cent of organisations rate their employees’ lack of security awareness as an ‘average’ or ‘high’ vulnerability. Today’s tech-savvy employees are accessing the corporate network from all sorts of devices, so educating them about the potential risks is critical.
2. Policy and procedures
As we learned from the Target data breach, the best technologies are worthless without incident response processes in place. The key outcome of effective policy and procedures is the ability to adapt to evolving threats; that is, to incorporate changes to the threat landscape in a cost-effective manner.
Security controls deliver policy enforcement and provide hooks for delivering security information to visibility and response platforms. In today’s environment, business occurs across, inside and outside the office footprint, and infrastructure connectivity is increasing. As a result, controls for the environment need to extend to where the business operates. Key emergent security controls include:
- Uniform application security controls (on mobile, corporate and infrastructure platforms)
- Integrated systems for patch management
- Scalable environment segmentation (such as for PCI compliance)
- Enterprise Mobility Application Management for consumer devices
- Network architectures with Edge-to-Edge Encryption
4. Monitoring and management
A 24x7 monitoring and response capability is critical. While larger enterprises tend to build their own Security Operations Centres, staffing one around the clock and finding and retaining skilled security resources is too costly for the medium enterprise. Moreover, according to Verizon Enterprise Solutions, companies discover breaches through their own monitoring in only 31 per cent of cases. An outsourced solution is the best option, as it enables organisations to employ sophisticated technologies and processes to detect security incidents in a cost-effective manner.
A shift in focus
It’s never been more critical for organisations to have a robust security strategy. But despite the growing number of high-profile data breaches, too much information security spending is dedicated to the prevention of attacks, and not enough is going into improving (or establishing) policies and procedures, controls and monitoring capabilities. A new approach to security is needed, where the focus is on securing information from the inside out, rather than protecting information from the outside in. There is still value in implementing endpoint security software as a preventative measure, but those steps now need to be part of a larger strategy that must address the fact that so much information is outside the corporate network.
For a more in-depth look at the fundamentals of securing an enterprise in today's threat landscape, download a complimentary copy of our new how-to guide, 'Security in a world with no perimeters: A business-centric security architecture', by clicking here.