Consolidation, education are key to IT security
No matter how strong a company’s security is, a single employee mistake can let a cyber threat in, says McAfee
No one can guarantee complete protection from a zero-day attack, according to Bahaa Hudairi, senior security consultant Middle East at McAfee. There are solutions that can help protect you, he said, but nothing is 100% secure.
Hudairi said that the solution to having strong protection is to consolidate your security equipment and buy from just one or two vendors.
"The key thing is not to have a million solutions, with multiple vendors; this can hinder the business and this is not the objective. To respond as quickly as possible to this incident you need a simple solution," he said.
Recent high-profile attacks on organisations in the region have been successful because of a lack of integration between different security systems and no correlation of events, said Hudairi. Attackers were also using tactics such as launching attacks at the weekend, when they are less likely to be detected and when incident teams may not be immediately ready to take action.
According to McAfee, zero-day attacks, targeted attacks and APTs are not really that smart or sophisticated, but they have been written specifically to target an organisation. The key to the malware's success is the company's slow response and not knowing what to do when it is attacked: who to contact and what actions to take.
No matter how strong an enterprise's security is, there is one thing that can let your system down, and that is your employees.
"The big scandal in New Zealand at the moment is a data leak from a government ministry dealing with information relating to earthquake claims - after the recent earthquake - and this Excel spreadsheet containing all these names of people, addresses, the amounts the government has agreed to pay out to them, was mistakenly emailed out, because the person who was sending it used auto-complete for the email address. This is a massive data leak of very sensitive information, but at the end of the day it was because some guy did a normal human error," said Nick O'Connell, senior associate at Al Tamimi and Co.
The education aspect of IT security is highly important, and password security and knowledge about not opening emails from strange senders or opening attachments should be taught at both high school and university level, according to McAfee.
"Last week I bought an IP camera for my home and I went and got the CD to install the software. The software had a virus. So this is shipped out to everyone that buys this camera and these are IP cameras, so whoever gets this is being monitored, and it has voice, so it can record, so you have a full surveillance system in your house that someone else is monitoring. Had I not had proper security on the PC that I was using, then I would have uploaded the virus," said Hudairi.
Companies also need to have strict policies as to who can access what information. At the end of the day top management are the owners of the business and it is their responsibility to make sure security is in place.