By Graeme Zwart, Head of Security

A layered approach to security is the most effective. We provide the low-down on detective, responsive and recovery controls, in addition to preventative ones. 

“Prevention is better, simpler, cheaper and less painful than cure.” So says the educational leaflet from my dentist. While this may be true for avoiding gum and tooth decay, sadly for businesses and risk management professionals, the situation has moved beyond mere prevention.

Cybercrime, data breaches and privacy breaches have become the new normal, as FBI Director Robert Mueller foresaw when he spoke in March 2012:

“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”

If being hacked is inevitable, any data security approach needs to consider detection, response and recovery in addition to prevention. After all, if every company is exposed to the same external threats, how it deals with them becomes the differentiating factor.

 

Detective controls

Detective controls give you early warning of potential problems so you can act before an asset is fully compromised. They include system monitoring, log aggregation and review, intrusion detection systems and anti-virus.

Having preventative controls in place is the right thing to do. But detective controls are often quicker to implement, and they keep working when a preventative control fails or is bypassed.
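As an illustration of the "log aggregation and review" control, here is a small detector added to this article (it is not code from the original post or from any product). It reads SSH authentication log lines in OpenSSH's auth.log format, counts failed logins per source IP in a sliding window, and raises two kinds of alert: a brute-force burst, and a successful login from a source that has just been failing repeatedly. The second rule is the one that pays off when prevention has already failed, such as a weak password or a missing lockout policy. The log lines are constructed sample data, the thresholds are illustrative, and a log year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style; not captured from a real host.
SAMPLE_LOG = """\
Mar 12 09:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 09:14:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 12 09:14:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 12 09:14:06 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 12 09:14:08 web1 sshd[2211]: Failed password for deploy from 203.0.113.7 port 51126 ssh2
Mar 12 09:14:11 web1 sshd[2215]: Accepted password for deploy from 203.0.113.7 port 51127 ssh2
Mar 12 09:20:44 web1 sshd[2290]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 12 09:20:50 web1 sshd[2291]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one auth.log line into a dict, or return None for lines we do not handle.

    The year is an assumption: syslog timestamps omit it.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_seconds=60):
    """Return alerts as tuples, in the order they fire.

    ("BRUTE_FORCE", ip, count)             : threshold failures from ip within the window
    ("SUCCESS_AFTER_FAILURES", ip, user)   : a login succeeded while ip was still over threshold
    Thresholds are illustrative; tune them to the environment.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    brute_force_alerted = set()    # alert once per ip per burst, not on every extra failure
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Slide the window: forget failures older than window_seconds.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()

        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in brute_force_alerted:
                brute_force_alerted.add(ev["ip"])
                alerts.append(("BRUTE_FORCE", ev["ip"], len(recent)))
        else:
            # A success that follows a burst of failures from the same source is the
            # signal that a preventative control (password strength, lockout) did not hold.
            if len(recent) >= threshold:
                alerts.append(("SUCCESS_AFTER_FAILURES", ev["ip"], ev["user"]))
            recent.clear()
            brute_force_alerted.discard(ev["ip"])

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the detector fires a brute-force alert on the fifth failure from 203.0.113.7 and then flags the accepted password for `deploy` from the same address; the single failure from 198.51.100.4 followed by a key-based login stays quiet. In production the same logic would sit behind a log shipper or SIEM rather than a file read, but the point stands: the alert still fires whether or not fail2ban or a lockout policy was in place.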

 

Responsive controls

There is no use lurching between the ostrich and the headless chicken when a data security incident hits: from head-in-the-sand denial on one side to panicked, poorly managed incident handling on the other. A slow response and a lack of planning can cost companies dearly.

I’d recommend proactively securing the services of specialist resources in advance of a breach. Look on it as a type of insurance should the worst happen. Additionally, regularly work through simulated crisis exercises to improve the effectiveness of the incident response plan and the team behind it.

 

Recovery controls

If there has been any type of failure, make sure you fail fast and learn from it. A post-mortem is an opportunity to review, remediate and report.

Establish exactly what went wrong and whether you could have done anything to prevent it. Did you have the right tools and resources to hand? Did you prioritise effectively? If contracted third parties were involved, discuss the issues with them. Are changes to the contract and/or remedial training required?

Good security is a process not a one-off activity. So, if you can’t be wise before the event, at least be wise afterwards.
