The digital world is full of security perils. April's Heartbleed bug (a missing bounds check in OpenSSL's TLS heartbeat handling) was just the latest in a long line of threats looming over individuals and businesses, and according to PwC's Global Economic Crime Survey 2014, one in four surveyed businesses had experienced cybercrime, with 11 per cent of those hit suffering financial losses of more than US$1 million.
As in any walk of life, preventing such events is far more effective than dealing with them once they have occurred. And the first step in preventing a major breach is assessing the threat level and relative strength of your security.
There are numerous ways of measuring the strength of the different elements of your corporate security system, but they are largely based on the following three principles:
1) Evaluate the target: take one element of your security system and establish its importance, determine how large and complex it is, how many potential 'entry points' it offers an attacker, and what types of threat it is likely to face. Larger, more complex systems are harder to secure because they expose more interfaces and more code, and therefore more attack surface. Centralized databases are attractive targets for a different reason: they concentrate a great deal of valuable data behind a single point of compromise, so one successful attack pays off at scale.
2) Evaluate correctness and robustness: the second phase is comprehensive testing of the system. One part of the testing looks at correctness: it exercises the target with valid, expected inputs under normal conditions and checks that the system does what its specification says it should. The other part looks at robustness: it checks how the system behaves under abnormal conditions, for example when fed malformed input, when faults are injected, or when it is deliberately attacked. A system can pass every correctness test and still fail badly on the first malformed message it receives.
3) Evaluate product security: by analysing the results of steps one and two, it is possible to judge how secure one particular element of your IT security infrastructure is. The 'Common Criteria for Information Technology Security Evaluation' express this as an Evaluation Assurance Level (EAL) from one to seven. The scale measures how deeply the product has been examined rather than awarding a pass or fail grade: EAL1 means the product has been functionally tested, while EAL7 means its design has been formally verified and tested. A higher EAL gives more confidence that the product meets its stated security claims; it does not by itself make those claims stronger.
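To make the difference between the correctness and robustness tests in step two concrete, here is an added example (not Gemalto's code and not taken from the original article) that tests a small parser for a constructed length-prefixed record format: one byte of type, a two-byte big-endian length, then the payload. The correctness test round-trips valid records; the robustness test mutates valid input at random and counts whether the parser rejects bad data cleanly or falls over, and a targeted case checks the Heartbleed-style failure of a header that claims far more payload than is actually present. The record format, the `parse_records` function and the mutation strategy are all assumptions made for this example.

```python
"""Correctness vs robustness testing of a length-prefixed record parser.

Added example; the record format and the parser are constructed for
illustration and are not part of any real product.
"""
import random
import struct

HEADER = "!BH"          # 1-byte type, 2-byte big-endian length
HEADER_LEN = struct.calcsize(HEADER)


def parse_records(buf):
    """Parse a buffer of records into a list of (type, payload) tuples.

    Every length field is checked against the bytes actually present
    before it is used, so a lying length field raises ValueError
    instead of reading past the end of the buffer.
    """
    records = []
    off = 0
    while off < len(buf):
        if off + HEADER_LEN > len(buf):
            raise ValueError("truncated header at offset %d" % off)
        rtype, length = struct.unpack_from(HEADER, buf, off)
        off += HEADER_LEN
        if off + length > len(buf):
            raise ValueError("declared length %d exceeds buffer at offset %d" % (length, off))
        records.append((rtype, bytes(buf[off:off + length])))
        off += length
    return records


def encode_records(records):
    """Inverse of parse_records, used to build valid test input."""
    return b"".join(struct.pack(HEADER, t, len(p)) + p for t, p in records)


def correctness_test():
    """Step two, part one: valid input must round-trip exactly."""
    sample = [(1, b"hello"), (2, b""), (3, bytes(range(256)))]  # constructed input
    return parse_records(encode_records(sample)) == sample


def rejects_overlong_length():
    """Targeted robustness case: header claims 65535 bytes, only 5 follow."""
    bad = struct.pack(HEADER, 1, 65535) + b"hello"  # constructed input
    try:
        parse_records(bad)
    except ValueError:
        return True
    return False


def robustness_test(iterations=2000, seed=1):
    """Step two, part two: mutate valid input and classify the outcome.

    'ok' means the mutated buffer still parsed, 'rejected' means the parser
    raised the ValueError it is specified to raise, and 'crashed' means any
    other exception escaped, which would be a robustness failure.
    """
    rng = random.Random(seed)
    base = encode_records([(1, b"hello"), (2, b"world")])  # constructed input
    outcomes = {"ok": 0, "rejected": 0, "crashed": 0}
    for _ in range(iterations):
        mutated = bytearray(base)
        op = rng.choice(("flip", "truncate", "append"))
        if op == "flip":
            i = rng.randrange(len(mutated))
            mutated[i] ^= rng.randrange(1, 256)
        elif op == "truncate":
            del mutated[rng.randrange(len(mutated)):]
        else:
            mutated += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        try:
            parse_records(bytes(mutated))
            outcomes["ok"] += 1
        except ValueError:
            outcomes["rejected"] += 1
        except Exception:
            outcomes["crashed"] += 1
    return outcomes


if __name__ == "__main__":
    print("correctness:", correctness_test())
    print("over-long length rejected:", rejects_overlong_length())
    print("robustness:", robustness_test())
```

The correctness test alone would pass for a parser that trusted the length field blindly, because valid input never lies. Only the robustness tests expose that class of bug, which is why step two needs both halves; in a real evaluation the mutation loop would be replaced by a proper fuzzer and the parser would be run under a memory-error detector, but the split between "does it do the right thing" and "does it survive the wrong thing" is the same.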
Evaluating all elements of your security infrastructure is important for the health of your corporate environment. It requires constant monitoring and frequent re-evaluation, because the threat landscape changes daily and an evaluation is only a snapshot of the system as it was tested. In addition, there is the question of who is really liable when security fails.
Of course, most organisations don’t want it to reach that point, and this is why we focus on prevention rather than cure. At Gemalto, our team of experts in the Security Labs spend day after day trying to hack and break the very encryption codes they spent so much time and energy developing in the first place. Every year, we work with up to 30 corporations to audit and assess the security credentials of their products.
Only with extreme due diligence and persistence are we able to stay one step ahead of the next big threat to corporate security.