Every business is digital today. You are keeping track of your customers, recording their preferences, storing payment details to make future transactions easier, and gradually building up a vast store of information on past and present customers. That data is extremely valuable and creates a new era of risk.
In the past, the standard approach might have been to appoint a security officer who would create security plans based on international standards such as ISO. Of course, this is better than not planning for security at all, but in such a fast-moving environment it’s no longer enough to be reactive.
This report by Gartner makes a bold statement: “All organizations should now assume that they are in a state of continuous compromise. However, they may mistakenly believe that 100 percent prevention is possible.”
This challenges two ideas that executives usually hold about security: first, that once you set up appropriate protection the attacks will cease, and second, that once you have protection in place, you are actually protected. Gartner believes that change is taking place so fast that the only way a business can now feel secure is to assume that its data is constantly under attack – there is no way today to feel that your business is 100% protected.
This moves on from the idea of firewalls and virus protection, all hardware- or software-based prevention mechanisms, and acknowledges that modern hackers and criminals will always find a way past your best protection systems. The method Gartner proposes for protecting a 21st-century business is to break the problem of security into four connected areas:
Predict: predict where attacks might occur; exposure analysis
Prevent: isolate important systems; divert attackers
Detect: detect and contain incidents; prioritize risk during attacks
Respond: forensic investigation and changes where needed
I like this fluid approach to the problem. We all know that millions of dollars of security can be circumvented by one employee on the inside with access to every password on the system, but the system itself needs to be smart enough to identify when something unusual is taking place – even if it is an authorised user undertaking the actions. The fabric of the system needs to be detecting and responding to threats from both outside and inside the organization if it is to be really secure.
Our security team at Teleperformance takes a similar holistic approach to the security of our systems and those we operate on behalf of our clients. Check out some of the security blogs published here by our Chief Security Officer Bruce Wignall for more insight into our own approach: