Consciously or unconsciously, companies are still using the Pareto Principle to secure their organisation’s IT infrastructure, focusing their efforts and budget on the security gaps affecting 80% of the organisation and leaving the remaining 20% vulnerable to attack. This 20% is often found in legacy systems that are too complicated or costly to secure or upgrade, so they are ignored.
Sometimes it is 20% of the staff, typically the executives who prefer comfort to security and open themselves up to things like whaling attacks. On the flip side, hackers also apply the 80/20 rule, fine-tuning their efforts to specifically target the 20% that companies fail to secure in order to produce 80% of their results.
“Simply put, that 20% that companies fail to secure is where hackers place 80% of their efforts. They do their homework. They know where companies are vulnerable and that is what they focus on,” says Willie Stebbing, an IT expert at IT security services vendor, Securicom.
The company’s Richard Broeke agrees, saying that with the intensifying focus on newer threats, companies are no longer paying attention to the basics, like antivirus and anti-spyware on endpoints.
“IT departments are focused on other newer and more ‘important’ threats, like those which impact the network. With 80% of threat mitigation efforts focused elsewhere, the endpoint is a security blind spot and all the ‘old’ risks, which may only account for 20% of risks, are being neglected.”
Stebbing says that minding the “Pareto Principle gap” requires regular assessment of all systems to identify vulnerabilities.
“Vulnerability assessments are an eye opener. Specialised vulnerability assessments test for gaps and vulnerabilities in the environment. It’s like looking at the IT architecture through the eyes of a hacker to see where gaps and loopholes could be used to compromise it. Only once you know where the weaknesses are can you begin to close the ‘holes’.
“Companies are often surprised to find out where they have ‘holes’; their own employees for instance. We also find that companies with premium firewall protection in place are at risk because the firewalls are not configured correctly. They only discover the shortfall after an audit,” says Stebbing.
He concludes: “It is extremely important that all software in your IT environment gets assessed and updated on a regular basis. Install software patches promptly, monitor networks for suspicious activity, and monitor and quarantine devices that show unusual behaviour.”