Organizations, security professionals and vendors are in a constant battle to keep up with an evolving environment of advanced threats and malware strains. It seems as soon as we catch up with the cyber criminals, they shift up a gear. At the recent Gartner Security and Risk Management Summit in London, Avecto grabbed a coffee with the renowned security blogger and independent analyst, Graham Cluley, to take a pulse check of enterprise security.
What do you believe are the biggest threats and challenges for organizations when it comes to IT security?
"I think the security threat which is most likely to be stopping members of the board from getting a good night's sleep is the risk of attackers breaching systems and stealing your data.
"Whether the stolen data is intellectual property, an email archive, or a database containing sensitive information about clients, the damage that can be done may not only tarnish the reputation of your organization (and prevent others from wanting to do business with you), but potentially result in the rolling of heads at the very top of the firm.
"Damaging data breaches can happen for a number of reasons - such as poorly configured security, rogue employees, or a failing of best practices such as strong encryption of data.
"But a common starting point for many breaches is malware, increasingly focussed on specific individuals inside your company in the form of a targeted attack. And with over 400,000 new samples of malware being seen every day, you can't expect a single layer of anti-virus to prevent them all.
"The challenge, therefore, is to build a defense in depth approach, which allows your staff to continue to work effectively and successfully, while providing them with a strong defense against a seemingly ever-increasing barrage of attacks."
Where do companies start? What are the key things organizations can do to improve their security posture?
"My first recommendation is that you should find the weak points inside your company. Effectively that means 'hack yourself, before someone hacks you'. Think like a hacker and attempt to find the vulnerabilities in your processes and security infrastructure and - of course - then fix them!
"Hiring third-party penetration testers can be a good idea if you don't have the resources in house to do this, or if you are concerned that your own staff are 'too close' to the coalface to see what's going on."
You touched on the value of defense in depth earlier. Why is that such an effective approach?
"Defense in depth is a key part of the solution. You don't guard a prison with just one gate, you have multiple doors and locks so that if one fails to provide adequate security you can hopefully contain the situation.
"It's sensible to minimise the attack surface by reducing your users' exposure to a successful attack. That doesn't just mean running an anti-virus program, but considering whether your users really need admin rights and sandboxing executable code so if it does attempt something malicious, it cannot do any harm."
What lies ahead for enterprise security? What do you think are the future trends?
"It's hard to predict the future, particularly in computer security, because things change so quickly. What's surprising is just how many 'old' threats continue to pose a significant problem - such as simple phishing emails for instance, which can continue to dupe unsuspecting users into handing their login credentials over to online criminals.
"Your staff will continue to present a weak point in your enterprise's security because they are (mostly) human, and any of us can make dumb mistakes from time to time. Regular refreshers about the importance of computer security can keep employees on your side, and encourage them to contact you if they spot anything unusual.
"One issue I would call out for particular attention, however, is the internet of things. Although many view IoT as a consumer issue, it will undoubtedly have an impact in the workplace as well - introduced often by your users.
"Internet-enabled devices, manufactured by companies who may not have a grounded history in information security and often built to a tight budget, will undoubtedly bring new threats into your organisation that you may not have considered before and - unlike your PCs - they could be particularly tricky to patch and secure."