Roger A. Grimes recently wrote an excellent opinion piece for InfoWorld on how fear-driven responses lead to misaligned security preparedness. The No. 1 problem with computer security addresses the need for a data-driven security plan, one that focuses on real security threat information and not what is sensationalized in the news.
In the beginning of his article, Roger talks about how many organizations feel they are doing a lot to prevent data breaches, but in truth they are not actually doing the right things:
“In most environments, two attack vectors account for 99 percent of all successful attacks: unpatched software and social engineering. But instead of defending our environments in a risk-aligned way, we concentrate our efforts on almost everything else."
Roger posits that organizations are not aligning resources - money, labor, and time - against the threats that pose the greatest risk, often for a lack of understanding of specific threats faced by their organization, a poorly communicated understanding of those risks among all stakeholders and senior management, as well as a lack of co-ordinated response to these risks. Roger posits organizations often fear the “wrong things,” those getting a lot of press, instead of looking internally to understand which threats are most likely to have an impact.
In order to understand which threats are important, a data-driven defense plan would gather localized threat intelligence, rank risks, create and communicate a plan, and have a solid set of defences, reviewed periodically, to meet these threats. Although we talk about many reports on top threats, in the end each organization needs to internalize which of those threats have merit, based on localized data. The article gives some ideas on how to gather more useful data, including important questions you should ask to better understand why defences failed in the first place.
We believe the endpoint is consistently a weak point in enterprise security, particularly with employees moving data around and putting the network at risk from a variety of devices. When your own internal risk assessment identifies the endpoint as a risk point, contact Absolute to gain unparalleled visibility into your entire device ecosystem. Learn more at at Absolute.com