Importantly, companies need to recognise that their historic focus on perimeter security has only limited value. What matters is not how deep the moat is, but the agility of your strategies to limit potential damage once an attacker has already breached the fort.

Identify hackers

Yet Protiviti research shows more than 70 per cent of organisations have not implemented the types of tools that are crucially needed within the perimeter. These can include a range of technologies to impede or stall a hacker's progress, including encryption, effective access controls and intelligent monitoring techniques that highlight abnormal behaviour and can identify hackers at work "on the inside".

Companies can't protect everything, and a technology solution alone is never going to be enough. That's why effective cyber security requires an individualised, risk-based approach.

Thinking about what data the company holds and deciding what's important enough to warrant differentiated levels of protection is a critical part of the process. This needn't be a daunting task, because most organisations have a relatively small number of assets in the "crown jewels" category.


These are assets that simply cannot afford to be lost, such as customer financial data or health records, and/or systems where an outage would be so commercially damaging as to be intolerable.

An understanding of your information assets enables you to allocate security resources to the data that matters most and thereby protect your organisation in a more intelligent and cost-effective way.


Fundamentally, taking a risk-based approach to cyber security is similar to how we normally think about protecting our homes. We might lock the doors and windows and install a burglar alarm, but we accept that this provides only a basic level of protection that might not be enough to keep out a tenacious intruder.

So we take out insurance to cover the risk that we might be broken into from time to time. We might even take additional measures to secure a handful of irreplaceable or sentimental valuables, such as cloud back-up of family photos or putting heirloom jewellery in a robust safe.

These types of targeted measures are practical and affordable. And they are proportionate to the risks we are prepared to take on different items.

It's a simple but fitting analogy that reflects exactly the mindset we should be applying to cyber security, but unfortunately aren't. Sadly, far too many organisations continue to throw money at the problem, believing it's possible to lock down the perimeter and keep attackers out. Common sense should tell us that's not the answer.

Grant Barker is IT managing director at global consulting firm Protiviti