Avoid a security breach: Nine things every CIO can focus on

Tait Communications CIO John Emerson discusses why security of information is a prime concern, and where to start to make a difference.

John Emerson, CIO for Tait Communications, says a security breach can impact an organisation in at least four ways: loss of reputation and of customer or community trust; intellectual property theft; loss of investor confidence, market share and revenue; and legal action.

Security is as much of a concern for shareholders as regulators, he says. “Ultimately though, it doesn’t matter how a hacker gets in. Once they are inside, the damage could be substantial.”

He points out the case of a large Australian company that lost 20 percent of its market value within three days of a security breach being disclosed.

He lists nine areas CIOs can focus on to reduce the likelihood of this occurring in their respective organisations:

Mobile devices

Include work and personal devices, particularly if they operate on public networks, including TCP/IP.

People

Background check staff and ensure they participate in the development (or upgrade) of your security policy.

Land Mobile Radio (LMR) network

Include base stations, devices and software.

Other networks

Local area, wide area and the cloud; if these appear secure, pay an accredited organisation to try to break in to test them.

Vendor supply chain (products and services)

Ensure they have ISO 27001 certification.


Bring your own device (BYOD)

Policy and processes should be in place to protect and secure private data and applications.

Social media

This creates new opportunities for hackers even on a work device at home. Ensure this is covered in the security policy.

Physical security

This is often overlooked. Ensure processes around access logs, swipe cards, etc. are stringent.

Software applications

When considering new applications for purchase, ensure they are secure.


Money: The Root (kit) of cyber evil

Ammar Hindi, managing director, Asia Pacific for Sourcefire (now part of Cisco), talks about what networked organisations are up against – the industrialisation of cybercrime.

If anyone was in any doubt as to how lucrative the cybercrime industry is, one should look no further than the recent case in the US where a gang allegedly drained the cash from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries.

Regardless of the specifics of the situation, however, it has been clear for some years to those in cyber security that cybercriminals are well motivated, well equipped and well skilled to make huge amounts of money through their illegal activities.

Indeed, today's cybercriminal gangs are so well organised that often they buy "off the shelf" rootkits and software, which they use to carry out their activities. Often this software comes with manuals, 24/7 tech support and, in some extreme cases, advertising. They also use the internet to gather a "distribution" network around the world to deliver their attacks, either physically or online via botnets.

Of course losing cash is not the only risk companies face from cybercrime; many high profile attacks on major brands have seen their reputation and stock price damaged by breaches of sensitive information. And while many in the industry readily understand the risk, some at the board level in business seem to live in a kind of denial that it can happen to them.

Before we blame them for this oversight, however, maybe we should appreciate their situation. Year after year, they hear from analysts and observers how security is vital, and so they duly write cheques for the newest and best technology in security to protect their businesses.

But unfortunately in today's security world, writing cheques is not enough. Building up the walls and layering defences will stop some of the attacks, but such is the resourcefulness of the cybercriminals, they will still get in.

Today it is a matter of being able to track how a network was compromised; how the malware got in; where it went to once inside the organisation; and what it did - even if it did all of this days or weeks ago.

Security has changed and there is no silver bullet, as many senior management staff have unfortunately discovered.

