What do you see as today's biggest information security threats?
Today’s biggest information security threats have not changed from yesterday or even last year. There are still attacks from organized groups, insider threats, intellectual property theft and the threat of a lone hacker. However, I believe the largest problem is one of our own making, rather than that provided by the attacker. Companies are increasingly choosing to defend against security threats using the minimum security standards level dictated by one of the many compliance standards.
Compliance standards are important and do raise the base security level for those organizations that would otherwise not have a security policy in place. Non-compliance can also carry a significant financial or operational penalty within some industries, which means that organizations are highly motivated to achieve compliance. Additionally, they provide a mechanism for calculating a score, so that business leaders can see progress being made without having to see any of the detail. However, compliance does not equal security; it only means you have met the specified standard.
To adequately fight the cyber war, security teams need to be versatile and adapt to new technologies and defend against the ever-evolving arsenal that cyber criminals are able to deploy. To be compliant with a static set of security policy settings may be good enough for the risk managers, but it is simply not good enough to be secure.
This is not to say that compliance is a negative thing; it does mean that everyone is at least at a minimum security level. However, I have often seen struggles within organizations to justify the expense of going further than those minimum levels, and as a result the biggest information security threat could be one that we have made for ourselves.