Businesses and their security teams should focus on protecting their ‘crown jewels’ rather than the entire castle, according to a panel of leading security professionals.
Dragan Pendic, former chief security architect at drinks company Diageo, explained at the Computing Enterprise Security and Risk Management event in London that firms should focus on protecting what they know is important, rather than second-guessing attackers’ motives.
“We need to understand what it is we are trying to protect and that has to be seen in the sense of protecting assets, rather than trying to figure out what [attackers] are aiming for,” he said.
Steve Watt, CIO at the University of St Andrews, agreed that it is far better to keep the most important data secure, rather than trying to protect everything across an entire network.
“You need to identify your critical information, your crown jewels, and protect that, rather than trying to protect every single end-point device,” he said.
“We have students now bringing four, five devices and connecting and it’s been like this for maybe 10 to 20 years, so we’ve had BYOD in our environment for some time.
“The challenge is we don’t know these devices, so it’s about how we protect the data assets that need protecting.”
Dean Atkinson, global head of cyber security operations at travel firm Thomas Cook Group, added that, while data such as board papers, financial results or credit card data obviously needs protecting, it is also important to consider what else the company stores that could pose a risk.
“You have to help the business to identify what is important and I approach that in two ways with two questions: what would hurt us if it was lost, and what do you have that can make someone rich?” he said.
“It comes down to what are your key assets, where does it sit, how is it being stored and shared.”
The panel also said they are seeing increasing awareness among C-level executives that security requires a major focus as so many high-profile breaches hit the headlines.
“In the past, IT teams knew the vulnerabilities and the damage they could cause but there was no threat actor, so the board didn’t take the risk seriously,” said Andy Boura, senior information security architect at Thomson Reuters.
“Now, though, the threat actors are targeting organisations with mass attacks, which means the threat matches the risk. So that has raised awareness among businesses.”
Atkinson from Thomas Cook agreed with this but said that financial issues can still stop the necessary action being taken.
“It’s easy for the chief financial officer to say [to security teams]: ‘This is too complex. Come back next month’ even if they get the risk. But they need to understand that they need to invest to mitigate that risk.”