VAR Panchayat
How prepared are organizations?
2017-04-27
Companies give low security priority to employees and non-technology areas as they strongly believe they trust the organization
Organizations mostly lack a security culture as the priority is business and not security. A combination of process, accountability and technology is required to address any issue, but organizations deviate from this when it comes to securing information and make three flawed assumptions.
First, information is just digital data. Second, technology can secure data. Third, ISO 27001 or PCI DSS certification is good enough.
However, criminals will use every potential opportunity at their disposal, from implanting an employee and studying the entire process to identify gaps, to assessing documents, social engineering, etc., to get what they want. Companies give low security priority to employees and non-technology areas as they strongly believe they trust the organization. For instance, when an employee joins an organization, he/she is given logical and physical access. How many companies monitor what he/she is doing with this access? How do we know he/she is not facilitating cybercrime? The other vulnerability is the gaps in the process. We know that a top-down audit of processes will not reveal the process integration gaps that hackers manipulate. Unless organizations start looking at horizontal scanning, the situation might not change at all.
Certificate of ignorance
Companies always focus on getting and maintaining ISO 27001 or PCI DSS compliance certification. These standards normally focus on detected manifestations of breaches in IT systems, ignoring the root causes. Certification is necessary, but it is not sufficient. Even audits never reveal the true state, as departments get time to prepare for them. Company leaders feel contented when the auditor gives a positive report, but they need to realize that they are fooling none other than themselves. They eventually pay a huge price, because the flaws in this approach lead to a real impact.
While we boast of high-end technology implementations, let us internally look at the capability and training provided to people who monitor the system. In most cases, the information security team is understaffed and undertrained. We know we can't fight a war with an army without ammunition.
Legal vs Eagle
Also, let us not put too much store by legal recourse. Cybercrimes are executed from beyond national borders. Dealing with them effectively requires greater efforts to collect information and mobilize human resources.
Even if we decide to adopt this approach, it is possible that we will draw a blank, as bureaucratic delays give attackers the opportunity to erase their footprints. So, company leaders need to tell themselves the following. The IT capability of criminals is far ahead of that of companies. Companies can only hope to increase deterrence and reduce the lag in detection.
Crime de la Crime
To counter cybercrime, CXOs need to think like criminals. Once we adopt a criminal's mindset, we will figure out inherent and not-so-obvious gaps in the system, rather than being satisfied with a certificate of compliance.
The objective is to go through the information ecosystem comprising people, process and technology and test each touch point with the aim of finding a weak spot. Once this is done, the potential damage to the business will become apparent. Then, business leaders will appreciate the need for a pragmatic approach to securing data and processes. Every company in the world, irrespective of its size, must adopt this method at the earliest. Otherwise, I believe, it is only a matter of time before more and more organizations become victims of cybercrime.