Three layers of security: crucial for business
All businesses should take a holistic approach to security. They should have security strategies and policies in place that are impact driven, threat informed and vulnerability focused, ensuring that all three disciplines of security, i.e. physical, personnel and information, are given equal priority.
Phillips, founder and MD of the International Protect and Prepare Security Office (IPPSO), said that his work in security consulting and penetration testing indicates that most businesses are vulnerable in some areas.
"In physical penetration testing exercises, I am usually able to walk right into business premises without proper authorisation, and I frequently manage to get my hands on sensitive data," he said. "People leave chequebooks and spreadsheets on desks and in drawers. In one case, I was able to walk around a bank building taking photos of all their loan accounts, in front of people."
Phillips notes that few companies pay equal attention to all three areas of security. "But if they focus on one area and neglect the others, their overall security is still compromised."
UK examples
He cited examples of cases in the UK recently, in which banks had focused on their IT security, but these measures were breached when fraudsters walked into bank premises and attached keystroke loggers to the PCs in the branches.
A major security threat that enterprises tend to overlook, he said, is the insider threat. "People pose the biggest risk to enterprise security. Too often, risk assessments are not carried out on all staff.
"Enterprises may do background checks on new executives, but do they know the backgrounds of security and cleaning staff, who may be outsourced service providers and who can have free access throughout the premises?
"You may find that new members of staff are given full access to enterprise data before in-depth background checks are carried out. In some cases, existing employees may be paid or threatened by crime syndicates to seek out certain data. Now, cybercrime is a fast-growing, lucrative and highly organised activity - enterprises cannot be too careful," he said.
Important HR role
HR can play an important role in the overall enterprise security strategy, said Phillips. "HR needs to conduct thorough background checks on all employees, run risk assessments, and be alert to suspicious behaviour." This behaviour might include apparently innocuous activities, such as often working late.
In a new threat environment, management needs to play the biggest role in co-ordinating and monitoring a security strategy that encompasses physical, cyber and personnel security, Phillips said. "Now, security needs to be approached in a holistic manner and driven from board level, because the risks to business now extend beyond financial losses to reputational damage that could cripple a business."
Phillips will discuss security strategies, cybercrime trends and the growing threat of cyber warfare in a presentation at the forthcoming African CSO Summit to be held at Montecasino, Johannesburg on 27 March 2014.
For more, go to: www.csosummit.co.za