Heinz puts IT vulnerabilities on the business agenda

Food giant Heinz has said that vulnerability management in any company should be handled by the whole business and is not just an IT-department problem.


Heinz has improved its risk management by treating IT vulnerabilities as a top-priority business issue, and is urging other firms to follow suit.

The food manufacturer, famous for its Baked Beans and soups, said it was reaping the benefits of treating data risks as a top management issue, having observed that risk management often tended to be delegated to IT departments, with potentially adverse effects.

Chris Leonard, European information security and compliance manager at Heinz, told an IDC security conference in London that executives outside IT departments should now engage with the problem.

“Vulnerability management is not just a technical problem, it’s a major issue for whole businesses. Research has shown that, for example, a Sasser worm attack could on its own cost an average large enterprise in the UK over £85,000,” he said.

Leonard said firms should start with an assessment of what vulnerabilities they faced and what they needed to protect against most. “You need to have a multi-layered approach, starting with access control,” he told IT and security professionals at the conference.

Establishing and circulating a data security policy to all end users was the first step, he said. After that, he said it was worth properly tracking the security of business assets and scanning for known vulnerabilities.

But a range of different ways of fighting exploits was typically needed, he said.

These included intrusion detection systems at the network boundary, vulnerability scanning of operating systems and databases - for example using programs from vendors such as Microsoft, Qualys, Nessus or Application Security - statistical analysis, antivirus at the boundary and on each machine, and email scanning.

“You need to classify the risk of each vulnerability to your business, and mitigate the major ones first,” he advised.

“And you’ve got to proactively tackle new attacks that emerge, because patching known viruses is only part of tackling the problem.”
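Leonard's point that each vulnerability should be ranked by its risk to the business rather than by its technical severity alone can be made concrete. The following is an added illustration, not code from Heinz or from the conference; the asset names, criticality scale, weighting factors and vulnerability identifiers are all constructed for the example, and the ranking shows how a business-weighted order differs from a scanner's severity-only order.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    business_criticality: int   # 1 (low) .. 5 (core process); assigned by the business owner, not IT
    internet_exposed: bool      # reachable from the network boundary


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str                # constructed placeholder id, not a real CVE
    severity: float             # 0..10 technical severity as reported by the scanner
    exploit_in_wild: bool       # known active exploitation, i.e. a "new attack that has emerged"


def business_risk(f: Finding) -> float:
    """Combine scanner severity with the business's own classification of the affected asset.

    Weights are illustrative assumptions: exposure at the boundary and active exploitation
    multiply the score, so a medium-severity flaw on a critical, exposed system outranks a
    critical-severity flaw on an unimportant internal machine.
    """
    score = f.severity * f.asset.business_criticality
    if f.asset.internet_exposed:
        score *= 1.5
    if f.exploit_in_wild:
        score *= 2.0
    return score


def mitigation_order(findings: List[Finding]) -> List[Finding]:
    """Highest business risk first; ties broken by severity, then id, for a stable plan."""
    return sorted(findings, key=lambda f: (-business_risk(f), -f.severity, f.vuln_id))


def technical_order(findings: List[Finding]) -> List[Finding]:
    """What a severity-only view would produce, for comparison."""
    return sorted(findings, key=lambda f: (-f.severity, f.vuln_id))


# Constructed sample inventory and scan results (all values are made up).
ERP = Asset("erp-db", business_criticality=5, internet_exposed=False)
DEV = Asset("dev-workstation", business_criticality=1, internet_exposed=False)
WEB = Asset("public-web", business_criticality=3, internet_exposed=True)
KIOSK = Asset("marketing-kiosk", business_criticality=2, internet_exposed=True)
SAMPLE_FINDINGS = [
    Finding(ERP, "VULN-A", 6.5, False),
    Finding(DEV, "VULN-B", 9.8, False),
    Finding(WEB, "VULN-C", 7.0, True),
    Finding(KIOSK, "VULN-D", 9.0, False),
]
```

Running `mitigation_order(SAMPLE_FINDINGS)` puts the exploited flaw on the exposed web server and the medium-severity flaw on the ERP system ahead of the high-severity developer workstation finding, which a severity-only ranking would fix first.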
