BlackBerry's James McDowell urges businesses to get the basics right first

Organisations need to closely examine their underlying IT security plans before implementing sophisticated solutions.

That is the advice of James McDowell, director of cybersecurity at BlackBerry, speaking at last week's Computing IT Leaders' Summit, where the Computing IT Leaders 100 was also unveiled.
"You would be surprised at the number of organisations we go into that are talking about some fairly sophisticated security automation involving prevention and detection, but it isn't underpinned by a fundamentally robust security plan," warned McDowell.

He pointed to the WannaCry and NotPetya malware outbreaks last year that took advantage of security flaws in Windows software that had been patched several months earlier - the affected organisations simply hadn't patched their systems, yet should have had processes in places to ensure that patches are applied quickly, as a matter of priority.

"Once you have got the foundation in place you can then start to build out more sophisticated mitigation strategies," continued McDowell, adding that when the company pumped out a 'how to build a basic cyber security plan' webinar it had four times the number of registrations that it normally gets for such events.

Furthermore, added McDowell, such a foundation ought to enable the organisation to cut costs by avoiding investments that will add little to its security.

"Companies tend to think that they have an idea where the threats come from [and invest accordingly] but nine times out of 10 they are investing money in areas we [as a security consulting organisation] don't think they should be investing in," said McDowell.

Any security strategy should start with the most critical assets and work its way, but in practice that doesn't seem to happen, he warns. On top of that GDPR will very soon put a high price on data security - organisations can expect their data to be ransomed at a discount to the fines the Information Commissioner's Office (ICO) might be expected to levy, he added.

Likewise, if data really is the new oil it's not about being ready for 25 May 2018, but enabling the organisation to make best use of the data it has - while achieving GDPR compliance at the same time.
"For too long our industry has talked about cyber security in terms of ‘fear'," said McDowell. "I think that's wrong and I think we need to focus on the benefits that a good cyber security policy can bring."