Security is a major concern among businesses – and rightly so, with the 2017 Thales Data Threat Report revealing that a whopping 68 percent of businesses had experienced a security breach, with 88 percent feeling vulnerable to them. But while almost three-quarters of businesses surveyed were increasing their security budget in order to combat threats, the size of the security budget is only part of the equation. Businesses cannot effectively manage security if they don’t know where to focus.
Misplaced Security Focus
New technologies and business practices introduce new security concerns, but security standards and compliance organizations can be slow to reflect this. Meanwhile, companies often prefer to continue spending on solutions which have been proven to work in the past – without realizing that security threats evolve over time, and past results are no guarantee of future performance.
A classic example of focusing on security efforts in the wrong place is in password management. A business may, for example, require that all employees use different passwords for each application they access, that those passwords must match formatting guidelines excluding dictionary words and including special characters, and that those passwords must be changed every 90 days. While this may work to ensure security at the password stage, a frustrated employee may forget passwords, and consequently, keep them on a post-it note by a computer monitor – rendering the complex password system incredibly insecure in practice.
Another example of misplaced security is when businesses no longer realize the boundaries of their perimeter. A business that has had prior luck in securing their networks, managing employee access via VPN, and limiting access to known devices may continue these strategies but ignore the impact of moving their data or business processes to the cloud. By choosing an insecure cloud provider, or not understanding how to work with the cloud provider to secure business resources, these companies may open themselves up to vulnerabilities even as they levy stricter protocols for network management.
Closing the Security Gap
The Thales study found that over half of businesses were turning toward newer applications, such as cloud technologies and smart devices, without having security tools in place to address them specifically. This gap may be explained by inexperience in IT teams, a focus on standards compliance when standards have not been revised to take new technologies into account, confusion about whose responsibility security is, or a lack of space in the security budget to address the concerns new technologies raise.
In order to remain secure, businesses must design their security budgets around real-world cases, rather than compliance, standardization, or best-practice lists. By examining the whole landscape of a company’s data and processes, a real security strategy can be formed.