Anton Jacobsz, MD of Arbor Networks distributor Networks Unlimited, points out that failing to effectively protect the enterprise networks and data can literally bring a business to its knees. "Besides the obvious compliance issues, effective information security has a range of business benefits - not least of them significant cost savings," he says.
Jacobsz notes that most enterprise networks have already been compromised in some way, whether the enterprises are aware of it or not. In an environment in which attackers use myriad tools and techniques, with a variety of goals, 100% risk avoidance is virtually impossible, he says.
"The impact on a company when it falls victim to attack can be staggering. In cases where the business model depends on online trading, the losses per minute of site down time are easily measurable and can be huge. How do you recover loss of a day's trading, particularly if you are in a high turnover online business such as gaming, where losses can amount to millions in just a few hours? Less quantifiable are the costs to companies that do not trade online, but suffer a breach. There are costs in terms of recovery, which are usually far higher than the cost of putting an effective security strategy in place to prevent the attack in the first place. In addition, there are potential losses due to fraud, staff and customer confidence and brand reputation. The cost of not doing something is far higher than the cost of implementing a plan," he says.
Jacobsz highlights an example of a local company which had its system breached, allowing fraudsters to change banking details on a payment due, so diverting funds from the intended recipient. "This is far from an isolated incident, and can cause significant losses," he says.
A study sponsored by Arbor Networks and carried out by the Economist Intelligence Unit, entitled Cyber Incident Response: Are business leaders ready? has found remarkably low levels of preparedness among businesses.
The report, based on a survey of over 360 senior executives from around the world, found that only 17% of business executives say they feel fully prepared for a security breach, although three-quarters have suffered a cyber security breach of some kind in the past two years. 65% have created a formal incident response team to deal with those threats. Over 90% of respondents whose companies have an incident response plan or team in place feel prepared for a security incident, compared with only around a third of companies with no formal procedures in place. However, the report noted there was still significant room for improvement.
"Businesses must have a progressive, multi-layered plan across the entire enterprise, and this strategy has to continually evolve in line with constantly changing threats." He says security has to be proactive, security must be addressed at all levels, and security planning must be done by the CIO or CISO in collaboration with management.
"The plan needs to include steps to prevent breaches and the steps to be taken in the case of an incident. Reaction is almost more important than detection.
Organisations need to know specifics like: Who do I speak to, how do we react to minimise downtime and costs?" says Jacobsz.
A key part of the overall security strategy, which is often overlooked, is staff education, Jacobsz says. "There is an expectancy that everyone knows the risks, but often, they don't. Organisations need to cover all bases and educate staff on the basics, such as don't open suspicious files, and don't use unsecured WiFi networks.
They need to look at password controls, and remind people to log out after using their accounts. These are simple issues, but if these areas are not secured, the entire network is insecure."
With cyber threats posing a serious risk to every business and its revenue, any business not taking security seriously is putting itself at risk, says Jacobsz.
