This week’s announcement by Sony that it had discovered a ‘non-gaming' attack against its PlayStation Network servers, leading to the potential theft of the data of some 77 million users, sends a strong message to the business community: IT security risks are not theoretical, they are real, and they are realised all-too-regularly.
According to Neil Campbell, Dimension Data’s General Manager - Security, Global, organisations should continually monitor their IT infrastructure and the IT security industry – not only for threats, but for new approaches to managing threats.
“In addition, while little detail is known about the attack, organisations need to recognise that people can be both their strongest and the weakest link when it comes to IT security, and continually invest in security awareness training, build strong and well managed security processes, and back up those processes with technology fail-safes wherever possible.
“IT security risks are not theoretical, they are real, they are realised all-too-regularly, and their impact is felt by both customers and the organisation involved. That said, there’s no such thing as perfect security, and the security failures that are allowing these breaches to occur are due to a number of different problems.
“One of the IT security industry’s core beliefs is that the only way to truly secure a computer is to turn it off and lock it in a vault. Anything else involves real risk. If we look at a simple risk management model it involves listing the threats that face a given asset, then assigning a frequency (which determines the likelihood that a risk will be realised in a given period) and an impact (generally the financial impact).
“This provides a risk score which can then be used to manage the risk appropriately in the context of the other risks and the resources and options available to manage them. If there is no frequency there is no risk. If there is no impact there is no risk,” explains Campbell.
Campbell believes that given the large number of data breaches that have occurred, this could point to a breakdown in one of three areas:
- organisations are misjudging the risk (by failing to understand the frequency or the impact); or
- IT security is so fast-moving and complex that even with appropriate measures the controls are being rapidly invalidated; or
- There’s an inherent problem with the controls in the first place.
While the precise method by which the hacker broke into the systems has not been revealed, Campbell believes the answer will probably be found somewhere between the three. “While there’s no perfect answer, organisations should keep these three considerations in mind.
“IT security risk is often underestimated. When budgets are tight, security can be cut without an immediately obvious impact on the deliverables. IT security is also a very fast-moving area involving what amounts to an arms race - the best illustration of which can be found in the struggle between zero-day exploits and patches. And there is indeed an inherent problem in the controls that are being applied: they generally rely upon people following processes, and that is one of the most difficult challenges to address.”
“Organisations must accept that IT security risks are often realised, and the impact can be massive – not only to the organisation itself, but to customers who placed their trust in them,” he says and points out that while data breaches will continue to occur, the goal is to reduce the frequency and impact of those breaches.