Most security experts regard a multi-layered security policy that incorporates tools and equipment from a variety of manufacturers as best practice, and it makes sense. The more complex your defences are, the more barriers hackers need to break through in order to breach your systems. However, a recent survey by Checkpoint shows that 42% of the 560 UK IT and infosecurity professionals surveyed stated that security complexity had itself become a significant security risk. Tom Davidson, UK Technical Director of Checkpoint, explained:
‘Even though organizations are concerned about securing their networks, and are deploying more products to deal with a growing range of threats, external attacks and internal incidents continue to increase. The complexity of networks, applications and security products is making it harder for IT teams to manage their security estates, which is leading to vulnerabilities not being addressed, and employees inadvertently causing breaches.’
So are organisations lacking the level of understanding or the workforce capacity needed to address every vulnerability found? Is the shortage of information security expertise the problem? Some tools and software can take hours to install and integrate, and can cause network issues of their own. Furthermore, security software, just like any other software, can be susceptible to vulnerabilities, so attaching it to your network can create new holes. Naturally, as more tools are used, more information security experts are needed to manage the results.
Furthermore, the top two measures aimed at reducing the risk of internal breaches in this report are setting up employee awareness programs and setting up clearly defined security policies for staff regarding data handling; however, these are subjective terms. It is not enough to set up the policy and enforce it: employees need to understand fully the implications of their actions for the business. Other measures include locking down USB ports on PCs and restricting employees’ use of social media and instant messaging. However, tech-savvy employees can find ways around USB lockdown, and employees can cause information security issues using social media sites outside the office just as easily if they don’t understand the implications of their actions.
More tools, more training and more information security staff all cost money. Therefore, before investing in these, organisations should complete a comprehensive risk assessment that includes input from board-level executives, which ‘should identify their critical network assets and data, and then enforce multi-layered threat prevention’ to these areas. What this survey shows, however, is that organisations must also make sure that they have enough expertise and resources to manage and assess this multi-layered prevention; otherwise it can be more of a hindrance than a help. At the most basic level, your information security defences should always be proportionate to the level of risk; however, with more operations moving online, for most there is an increasing amount to lose.
Titania develop secure, easy-to-use security and compliance auditing tools that can be downloaded and installed in minutes and do not have to sit on your network. The NSA, FBI, DoD & U.S. Treasury already use them, so why not try them for free at www.titania.com