[By Neil Campbell]

The news that Sony has discovered an attack against its PlayStation Network servers, leading to the potential theft of the data of 77m users, sends a strong message to the business community. IT security risks are not theoretical: they are real and they happen all too regularly.

Organisations should continually monitor their IT infrastructure, not only for threats but for new approaches to managing threats.

Though little detail is available yet about the attack, organisations need to recognise that people can be both their strongest and the weakest link when it comes to IT security and continually invest in security awareness training, building strong and well-managed security processes, and backing up those processes with technology fail-safes wherever possible.

IT security risks are not theoretical, they are real. They are realised all too often and their impact is felt by both customers and the organisation involved. That said, there’s no such thing as perfect security and the security failures that are allowing these breaches to occur are due to a number of different factors.

One of the IT security industry’s core beliefs is that the only way to secure a computer properly is to turn it off and lock it in a vault. Anything else involves real risk. If we look at a simple risk management model, it involves listing the threats that face a given asset, then assigning a frequency (which determines the likelihood that a risk will be realised in a given period) and an impact (generally the financial impact).

This provides a risk score that can then be used to manage the risk appropriately in the context of the other risks and the resources and options available to manage them. If there is no frequency there is no risk. If there is no impact there is no risk.

Given the large number of data breaches that have occurred, this could point to a breakdown in one of three areas:

Organisations are misjudging the risk by failing to understand the frequency or the impact.
IT security is so fast-moving and complex that even with appropriate measures the controls are being rapidly invalidated.
There’s an inherent problem with the controls in the first place.

While the precise method by which the hacker broke into the systems has not been revealed, the answer will probably be found somewhere between the three. Although there’s no perfect answer, organisations should keep these three considerations in mind.

IT security risk is often underestimated. When budgets are tight, security can be cut without an immediately obvious impact on the deliverables. IT security is also a very fast-moving area involving what amounts to an arms race — the best illustration of which can be found in the struggle between zero-day exploits and patches. And there is indeed an inherent problem in the controls that are being applied: they generally rely upon people following processes, and that is one of the most difficult challenges to address.

Companies must accept that IT security risks are often realised and the impact can be huge, not only to the organisation itself but to customers who placed their trust in them. Although data breaches will continue to occur, the goal must be to reduce the frequency and impact of those breaches.