LATEST INTELLIGENCE
THE BUSINESS CASE FOR
LAYERED SECURITY
Four per cent of revenue is a lot to sacrifice, particularly
in the current economic climate. Yet this is the maximum
fine proposed in the EU General Data Protection
Regulation for companies failing to provide adequate IT
security to protect personal data. The legislation doesn’t
specify what those measures should be; it says they
need to be “appropriate to the risks”. The problem is that the
nature of that risk is changing. In a survey of 700 IT and
IT security professionals by the Ponemon Institute, 69
per cent said they saw the severity of malware incidents
increase in the last year.
While web-borne malware attacks are cited as the most
common threat (by 80 per cent of respondents), there was
significant growth in persistent targeted attacks (up from
50 to 65 per cent) and zero-day attacks, which exploit
previously unknown vulnerabilities (up from 32 to 46 per cent).
This increased risk does not only mean organisations could
breach EU legislation, which applies to anyone operating in
the political bloc.
Malware and associated cybercrime also threaten
companies’ revenue, internal efficiency, and brand
reputation. At the same time as threats are increasing,
budgets are not. In the Ponemon Institute study, only 45
per cent of respondents say their organisation’s IT security
budget is set to increase. As a result, current systems are
beginning to show the strain. The Verizon 2015 Data
Breach Investigations Report found:
• Vulnerabilities are taking too long to discover
• Known flaws are not being patched
• Security policies are not enforced or well-known
• End users are not being educated
• Encryption is missing or poorly implemented and there is
a lack of malware protection
What can you do?
Rather than deploying discrete tools such as anti-virus
software, intrusion detection systems and firewalls in
isolation, what is needed is an integrated approach to
managing these technologies, augmented with other
techniques which include:
• Anti-attack software, which includes anti-exploit, anti-
spam and anti-phishing technology designed to disable
attacks before they are able to infiltrate the system
• Management of Internet-facing applications built on
Java and Flash, which leave the network vulnerable to
attack if they are not updated
• Anti-malware, which targets new threats, cleans
infections, and can detect undesired software preventing
it from spamming users or draining system resources
• Anti-ransomware, which uses specialised detection
technology to identify and block zero-day ransomware
before it can encrypt files
• Management of network infrastructure, to ensure fully
updated and patched operating system software
But gaining approval for funding layered security can be
difficult, given existing budgetary constraints. IT security
teams need to build a structured and well-argued business
case to secure additional investment.
Bottom line
Whether trading with customers or suppliers, businesses
today are online by default. Cloud computing and
ubiquitous mobile devices further widen the attack
surface. Not only is the criminal community more
determined to exploit gaps in information security, but
the reputational, financial and operational damage to the
victim is greater. Building a solid business case for layered
security will ensure the IT organisation gets the resources it
needs to better protect the business.
www.intelligentcio.com
INTELLIGENTCIO