Reducing cyber risk ‘not just about buying the latest security tools,’ Deloitte advises

By Canadian Underwriter | October 7, 2014 | Last updated on October 30, 2024

Organizations can improve information technology security by having staff respond to simulated attacks and by improving access control, Deloitte & Touche LLP suggested in a report on cyber risk.

“Cyber war-gaming exercises reveal common issues that cause delays in responding as rapidly and effectively as a real crisis situation would warrant,” Deloitte stated in the report, Changing the Game on Cyber Risk.

Those issues include groups who operate in “silos” and therefore “face challenges in coming to agreement on the relative severity of an incident, and therefore of the key actions needed.” Other issues include lack of understanding of roles and responsibilities and failure to obtain forensic evidence in the event of an attack.

“Improving security is not always about spending more money — and it’s also not just about buying the latest security tools,” Deloitte stated, suggesting organizations can reduce risk by tracking their data.

“Many organizations don’t know where their sensitive data actually resides,” according to the report. “It’s probably sitting in more places than you think – both inside and outside your organization – being viewed and shared by more people than necessary. Effort should be taken to streamline and control access wherever possible.”

Organizations also need to manage their information security assets.

“Large organizations generate enormous change on a daily basis — new users, new devices, new applications, and supporting changes to the underlying infrastructure,” Deloitte warned. “If security controls are not adjusted to keep pace, you’re likely to create gaping holes that can leave your organization exposed for days, months – or even years.”

But IT assets are not isolated, Deloitte added.

“They’re part of larger services and transaction chains, so it’s essential to address weak points along the end-to-end business process, with the awareness that insiders, vendors and trusted partners at any point can be the source of errors or intentional actions that open the door to incidents.”
