You WILL be Hacked – Cope With It
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Nov 2013 23:29:49 -0700
The Institute of Chartered Accountants England and Wales has confirmed what
the security industry has long been saying: it is impossible to prevent all
breaches so companies should use a risk management approach to defend what
the ICAEW calls the 'crown jewels.'
The ICAEW is a professional membership organization with more than 140,000
chartered accountant members around the world. A new report published
today, 'Audit Insights, Cyber Security', shares for the first time the
insights and experience garnered by its members' wealth of practice in
company audits – with specific reference to cybersecurity. It concludes,
very clearly, exactly what the security industry has been warning: hacks
happen and can't be wholly prevented. The best solution is to take a risk
management approach, and put extra effort into protecting the most
important information assets.
The report actually goes a bit further. Since companies must assume that
their systems will be compromised, a new mindset should be adopted. "For
example," it says, "some degree of security breach has to be tolerated as
an unavoidable part of doing business in a digital world. Businesses
increasingly need to promote operational resilience and prioritize
activities which deal with breaches, such as intelligence and monitoring,
detection and response."
This doesn't mean that 'defense' should be completely abandoned in favor of
'response', but that companies need to prioritize their defense. They
should "focus their resources on their 'crown jewels'. This enables a more
sophisticated risk-based approach to security which balances the benefits
and costs of security measures, and identifies where security breaches
would have a substantial impact on the competitiveness and sustainability
of the business."
Launching the report, Claire Reid, IT audit partner at PwC and ICAEW Audit
Insights working group member, explained, "Businesses need to expand the
focus of their security activities in response to the changing environment.
This report outlines a number of recommendations for boards to review their
cyber strategy and improve security practices."
She also outlined one of the dangers in failing to achieve this.
"Furthermore," she added, "governments are increasingly interested in the
ability of businesses to protect themselves and their wider supply chains
against cyber-attacks. Given the importance of the growing digital economy,
the impact of continuing security failures on individual businesses may be
significant. Government interest in this area is likely to grow, especially
if breaches and losses continue to rise."
The danger inherent in increasing government intervention is described
within the report. "Effective regulation is challenging, given the speed of
technological and business change, and there are inherent risks of
unintended consequences around greater regulatory activity." The best
defense against increasing unintended consequences is for business to
improve its security without requiring that regulatory intervention.
But the scale of the problem facing business is also highlighted by the
report, with companies failing to get the basics right. "While
management usually have good intentions to make improvements, this is
rarely translated into effective action." ICAEW suggests that for large
companies the primary problem is the sheer size and complexity of the IT
installations; while for smaller companies it is "a lack of skills,
resources and prioritization."
The main solution, says ICAEW, is another change of mindset. Cybersecurity
must change from being a technical issue to a business strategy. "In order
to manage cyber risks effectively, businesses need to approach them as an
integral part of business strategy and operations, not as a technical or
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/