Avoid a security breach: Nine things every CIO can focus on

Tait Communications CIO John Emerson discusses why security of information is a prime concern, and where to start to make a difference.

John Emerson, CIO for Tait Communications, says a security breach can impact an organisation in at least four ways: loss of reputation and of customer or community trust; intellectual property theft; loss of investor confidence, market share and revenue; and legal action.

Security is as much of a concern for shareholders as regulators, he says. “Ultimately though, it doesn’t matter how a hacker gets in. Once they are inside, the damage could be substantial.”

He points out the case of a large Australian company that lost 20 percent of its market value within three days of a security breach being disclosed.

He lists nine areas CIOs can focus on to reduce the likelihood of this occurring in their respective organisations:

Mobile devices

Include work and personal devices, particularly if they operate on public networks, including TCP/IP.

People

Background check staff and ensure they participate in the development (or upgrade) of your security policy.

Land Mobile Radio (LMR) network

Include base stations, devices and software.

Other networks

Local area, wide area and the cloud; if these appear secure, pay an accredited organisation to try to break in to test them.

Vendor supply chain (products and services)

Ensure they have ISO 27001 certification.

Bring your own device (BYOD)

Policy and processes should be in place to protect and secure private data and applications.

Social media

This creates new opportunities for hackers even on a work device at home. Ensure this is covered in the security policy.

Physical security

This is often overlooked. Ensure processes around access logs, swipe cards etc. are stringent.

Software applications

When considering new applications for purchase, ensure they are secure.

Money: The Root (kit) of cyber evil

Ammar Hindi, managing director, Asia Pacific for Sourcefire (now part of Cisco), talks about what networked organisations are up against – the industrialisation of cybercrime.

If anyone was in any doubt as to how lucrative the cybercrime industry is, one should look no further than the recent case in the US where a gang allegedly drained the cash from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries.

Regardless of the specifics of the situation, however, it has been clear for some years to those in cyber security that cybercriminals are well motivated, well equipped and well skilled to make huge amounts of money through their illegal activities.

Indeed, today's cybercriminal gangs are so well organised that often they buy "off the shelf" rootkits and software, which they use to carry out their activities. Often this software comes with manuals, 24/7 tech support and, in some extreme cases, advertising. They also use the internet to gather a "distribution" network around the world to deliver their attacks, either physically or online via botnets.

Of course, losing cash is not the only risk companies face from cybercrime; many high-profile attacks on major brands have seen their reputation and stock price damaged by breaches of sensitive information. And while many in the industry readily understand the risk, some at the board level in business seem to live in a kind of denial that it can happen to them.

Before we blame them for this oversight, however, maybe we should appreciate their situation. Year after year, they hear from analysts and observers how security is vital, and so they duly write cheques for the newest and best technology in security to protect their businesses.

But unfortunately, in today's security world, writing cheques is not enough. Building up the walls and layering defences will stop some of the attacks, but such is the resourcefulness of the cybercriminals that they will still get in.

Today it is a matter of being able to track how a network was compromised; how the malware got in; where it went to once inside the organisation; and what it did - even if it did all of this days or weeks ago.

Security has changed and there is no silver bullet, as many senior management staff have unfortunately discovered.
