Firms need more focus on detecting IT attacks, event hears

The biggest information technology security challenge for companies is detecting and responding to threats, according to Rob Sadowski, director of marketing at security company RSA.

However, many businesses are still wrongly focused on outdated IT security tactics, trying to prevent attacks by using antivirus software and firewalls rather than aiming to detect inevitable intrusions and then prevent or contain damage, he said in an interview at the company’s annual RSA Security Conference in San Francisco.

“Defences are often built for yesterday’s IT,” he said.

“Companies are warming to that idea that it now isn’t if, but when, they will be attacked. But for that not to be a fatalistic point of view, what do you do?”

The goal is to have systems, and increasingly, well-trained IT specialists in the company that can recognise an attack when it is happening, and detect it as early as possible to limit loss, he said.

A recent survey of companies by RSA indicated three out of four organisations were “very dissatisfied with their ability to detect and investigate those threats,” Mr Sadowski said.

Detecting an attack

Fewer than 10 per cent felt they could detect a threat quickly enough, and nearly 90 per cent said they could not investigate threats quickly enough.

Another survey discussed at the conference indicated that it takes organisations on average, 210 days to detect an attack.

The size of an organisation doesn’t necessarily correlate to how attractive it is as a target to attackers, Mr Sadowski added.

“Sometimes smaller organisations say, why would they target me? But any size of organisation can have attractive assets,” he says.

People often think of stored credit card data as being an enticement for attacks, but many types of data are valuable to attackers, including intellectual property, personal information, details about partner companies, or sensitive medical or financial transaction data.

Law firms and hedge fund management companies are examples of organisations that might be small, but would hold valuable data on intellectual property, fund activity, share sales, or details on mergers and acquisitions, all attractive to attackers, he said.

Also, smaller firms sometimes fail to realise they may not themselves be the ultimate target of an attack.

Smaller company

“Often by an attack on a smaller company, [ATTACKERS]can get through to a larger, well-defended trusted partner,” Mr Sadowski said.

A common target is the people within a smaller firm, who might be spoofed into revealing information, or whose identity might be stolen, enabling attackers to access a larger target company’s systems.

Companies unknowingly can create points of exposure by opening up outside access to their websites for a greater variety of activities , or opening parts of their network to partner companies they collaborate with on product and service development.

As IT systems grow increasingly complex, an emerging challenge for organisations will be to find, and budget for, capable people for the organisation’s IT security team, he said.

Getting the people in place “is often the most difficult bit. Organisations may have the budget for technology, but not people.”