As the threat from cyber-crime grows ever bigger, businesses need to focus their attention on their most valuable asset - information.

Businesses Not Protecting Data Gold Mine
BAE Systems Program Director Leigh Palmer walks past displays at the Leading Edge Network Operations and Security Center in Columbia, Maryland, May 24, 2010. (Credit: Reuters)

In the good old days, protecting your assets was all about making sure you had a big enough lock or thick enough walls. Today, however, the locks are digital and firewalls have replaced concrete as businesses seek to protect data from the prying eyes of cyber-criminals around the world.

Data is the new gold, as cyber-criminals look to steal everything from your identity to your credit card information. But they are not going after you directly; they are looking to pilfer this information from the companies you deal with online, which hold huge hoards of such information, all of which can potentially be accessed from anywhere in the world, simply by clicking a few buttons.

With such a valuable asset under their control, it would be expected that the security measures in place would be robust, but Neil Thacker, Security Strategist at Websense, says that the strategies being employed are simply not good enough.

"Trying to protect everything is not very strategic," Thacker told IBTimes UK, adding that many companies are struggling to come to terms with the fact that all this data, essentially just a big string of 1s and 0s, is so valuable.

"It is very difficult to put a monetary value [on your customer data]. I'm surprised by how many [companies] struggle to identify [how valuable it is]."

Quick wins

While "big financial services [are] taking the lead" in relation to robustly protecting your data, as would be expected, Thacker agrees that it will take time for the importance of this to trickle down to businesses of all sizes.

Thacker believes in "quick wins" which allow those in charge to make major improvements to their security set-up with small and relatively inexpensive changes. However, this is not happening, as companies are more focused on making sure they know what is going on than preventing it from happening.

"Companies are investing heavily in visibility" in order that they know the problems they are facing, but Thacker believes this is not the best use of resources, which are already stretched at the moment, and companies should be looking beyond visibility and looking at containment and mitigation too.

Thacker promotes active security protection rather than passive, where the inbound and outbound traffic on your company's network is monitored, so that you are able to spot trends and link behaviour which is seen as unusual or malicious.

Anonymous

Thacker said that a decade ago passive security was seen as outdated, yet today it remains a mainstay for many companies.

Thacker says that in the last two years, the visibility of the cyber-threats out there has increased significantly with cyber-espionage, hacktivists like Anonymous and cyber-criminals all becoming front-page news around the world.

No matter what size your company is, you will face multiple cyber-threats. Cyber-criminals will target anyone from a one-person start-up selling jam from their kitchen to multi-national corporations with tens of thousands of employees.

While the amount of data available from smaller businesses might be smaller than that available from big corporations, it is still valuable and almost certainly easier to obtain. While the larger corporations are likely to have much more robust security in place, the advent of social engineering means cyber-criminals can easily bypass most of the traditional measures which companies have in place, such as anti-virus software and firewalls.

Tailoring

Social engineering and spear phishing involve the cyber-criminals targeting specific people within a company and tailoring emails specifically towards those people so they seem plausible and tempt them into clicking on a malicious link or downloading an infected document.

Thacker says that linking email and the web is the first step which needs to be taken in order to protect companies from this type of attack, but unfortunately it's still not common practice as enterprises try to catch up to criminals who have been given a major head start in the cyber-crime war.

When Thacker was working as head of security in previous roles with Deutsche Bank and Camelot UK Lotteries, he knew that communication was key in order to keep on top of the threats that were out there. He held meetings every two weeks in order to discuss the latest threats amongst his team, but when he now goes to companies he is typically told such meetings take place once a year, simply in order to meet regulatory requirements.

Good start

The UK government recently launched its four-year Cyber Security Strategy which has pledged £650 million to help protect the critical infrastructures in the country. Thacker believes it is a "good start" but is waiting to see if the money will be spent in the right areas.

So far most of the initiatives announced by the government have been related to increasing visibility around cyber-crime, but Thacker believes the money should be spent on measures to actually prevent the cyber-crimes from happening now, and not just in the future.

Focusing on the data and building your security systems around it is key for businesses, says Thacker, who has previous experience at the sharp end of cyber-security in his role as Information Security Administrator, Deutsche Bank.

The clue to the importance of the data is in the job title, as information is key and it is what the cyber-criminals are ultimately after.

Thacker believes things will get better but is calling for a bigger focus on compliance standards around the protection of data, with the current system too focused on ensuring outdated measures like antivirus are in place.