Risk policy needs rethink

Firms should take a broader view when assessing their security needs, according to experts

Firms’ current risk analysis methods lack consistency and could harm their security policies and relationships with business partners, a leading security consultant warned last week.

Speaking at the SecureLondon event hosted by certifications organisation ISC2, Paul Hansford of Insight Consulting said that most firms fail to distinguish between threats and vulnerabilities, and between the sources and the types of threats.

The BS 7799-3 standard goes some way towards standardising risk analysis practices, said Hansford. But he argued that a more definitive process and a formal risk assessor role are needed. “IT security or business risk managers do this job currently but it seems to me there are particular skills required to perform risk analysis, and that’s not reflected in the industry,” he said.

Also at the event, Howard Schmidt, president of R&H Security Consulting and former White House IT security advisor, warned firms they need to address a “new generation” of security weaknesses enabled by peer-to-peer (P2P) networks on the systems of third-party contractors and business partners.

“I’ve seen thousands of documents containing internal administrative passwords, which are now being shared throughout the world,” Schmidt warned. “P2P search strings we’ve identified show criminals are actively seeking these documents.”