Avoid a security breach: Nine things every CIO can focus on
03 February, 2014 05:00
John Emerson, CIO for Tait Communications, says a security breach can impact an organisation in at least four ways: loss of reputation and customer or community trust; intellectual property theft; loss of investor confidence, market share and revenue; and legal action.
Security is as much of a concern for shareholders as regulators, he says. “Ultimately though, it doesn’t matter how a hacker gets in. Once they are inside, the damage could be substantial.”
He points out the case of a large Australian company that lost 20 percent of its market value within three days of a security breach being disclosed.
He lists nine areas CIOs can focus on to reduce the likelihood of this occurring in their respective organisations:
Include work and personal devices, particularly if they operate on public networks, including TCP/IP.
Background check staff and ensure they participate in the development (or upgrade) of your security policy.
Land Mobile Radio (LMR) network
Include base stations, devices and software.
Local area, wide area and the cloud; if these appear secure, pay an accredited organisation to try to break in and test them.
Vendor supply chain (products and services)
Ensure they have ISO 27001 certification.
Bring your own device (BYOD)
Policy and processes should be in place to protect and secure private data and applications.
This creates new opportunities for hackers even on a work device at home. Ensure this is covered in the security policy.
Often overlooked: ensure processes around access logs, swipe cards etc. are stringent.
When considering new applications for purchase, ensure they are secure.
Money: The Root (kit) of cyber evil
Ammar Hindi, managing director, Asia Pacific for Sourcefire (now part of Cisco), talks about what networked organisations are up against – the industrialisation of cybercrime.
If anyone was in any doubt as to how lucrative the cybercrime industry is, one should look no further than the recent case in the US where a gang allegedly drained the cash from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries.
Regardless of the specifics of the situation, however, it has been clear for some years to those in cyber security that cybercriminals are well motivated, well equipped and well skilled to make huge amounts of money through their illegal activities.
Indeed, today's cybercriminal gangs are so well organised that often they buy "off the shelf" rootkits and software, which they use to carry out their activities. Often this software comes with manuals, 24/7 tech support and, in some extreme cases, advertising. They also use the internet to gather a "distribution" network around the world to deliver their attacks, either physically or online via botnets.
Of course losing cash is not the only risk companies face from cybercrime; many high profile attacks on major brands have seen their reputation and stock price damaged by breaches of sensitive information. And while many in the industry readily understand the risk, some at the board level in business seem to live in a kind of denial that it can happen to them.
Before we blame them for this oversight, however, maybe we should appreciate their situation. Year after year, they hear from analysts and observers how security is vital, and so they duly write cheques for the newest and best technology in security to protect their businesses.
But unfortunately in today's security world, writing cheques is not enough. Building up the walls and layering defences will stop some of the attacks, but such is the resourcefulness of the cybercriminals, they will still get in.
Today it is a matter of being able to track how a network was compromised; how the malware got in; where it went to once inside the organisation; and what it did - even if it did all of this days or weeks ago.
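The retrospective tracing described above (entry point, spread, actions, even when they happened weeks ago) is easiest to see on a concrete log. The following is an added example, not code from the article or from Sourcefire/Cisco: it walks a small constructed event log in time order, takes the first proxy hit on an indicator domain as the entry point, follows lateral movement only from hosts already marked compromised, and collects the file and exfiltration events on those hosts. The hostnames, domains, timestamps and the event fields are all constructed for illustration.

```python
"""Retrospective compromise tracing over a small constructed event log.

Added example: not from the article or from Sourcefire/Cisco. The log
format, hostnames, and the indicator domain are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "proxy", "lateral", "file" or "exfil"
    host: str        # host that generated the event
    detail: str      # domain, target host, file path, or destination
    proc: str = ""   # originating process, where known


# Constructed sample log: a beacon from ws-17, a hop to fs-01, a tool drop,
# a second hop to db-02, then an upload. Timestamps are days apart on
# purpose: the trail being reconstructed may be weeks old.
T0 = datetime(2014, 1, 6, 9, 12)
SAMPLE_EVENTS = [
    Event(T0, "proxy", "ws-17", "update.cdn-example.net", "outlook.exe"),
    Event(T0 + timedelta(minutes=3), "proxy", "ws-17", "c2.bad-example.org", "rundll32.exe"),
    Event(T0 + timedelta(days=2), "lateral", "ws-17", "fs-01", "psexec.exe"),
    Event(T0 + timedelta(days=2, hours=1), "file", "fs-01", r"C:\Windows\Temp\m.exe", "cmd.exe"),
    Event(T0 + timedelta(days=9), "lateral", "fs-01", "db-02", "wmic.exe"),
    Event(T0 + timedelta(days=9, hours=4), "exfil", "db-02", "203.0.113.10:443", "m.exe"),
    Event(T0 + timedelta(days=9, hours=5), "proxy", "ws-03", "update.cdn-example.net", "chrome.exe"),
]

# Indicator list: in practice fed from threat intelligence; constructed here.
IOC_DOMAINS = {"c2.bad-example.org"}


def trace_compromise(events, ioc_domains):
    """Rebuild the intrusion: entry point, hosts reached, and what was done.

    Returns a dict with:
      entry   - the first proxy event to a known-bad domain (or None)
      reached - hosts the intrusion spread to, in order of first contact
      actions - file and exfil events on compromised hosts
    Events are processed in time order, so a hop from a host is only
    counted once that host has itself been marked compromised.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    entry = next((e for e in ordered if e.kind == "proxy" and e.detail in ioc_domains), None)
    if entry is None:
        return {"entry": None, "reached": [], "actions": []}

    compromised = {entry.host}
    reached = []
    actions = []
    for e in ordered:
        if e.ts < entry.ts:
            continue  # nothing before the entry event is attributed to it
        if e.kind == "lateral" and e.host in compromised and e.detail not in compromised:
            compromised.add(e.detail)
            reached.append(e.detail)
        elif e.kind in ("file", "exfil") and e.host in compromised:
            actions.append(e)
    return {"entry": entry, "reached": reached, "actions": actions}


def dwell_time(trace):
    """Days between the first beacon and the last observed attacker action."""
    if trace["entry"] is None or not trace["actions"]:
        return 0.0
    last = max(e.ts for e in trace["actions"])
    return (last - trace["entry"].ts).total_seconds() / 86400


if __name__ == "__main__":
    t = trace_compromise(SAMPLE_EVENTS, IOC_DOMAINS)
    print("entry:", t["entry"].host, t["entry"].proc, t["entry"].detail)
    print("spread to:", " -> ".join(t["reached"]))
    for a in t["actions"]:
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.host} {a.kind}: {a.detail} ({a.proc})")
    print(f"dwell time: {dwell_time(t):.1f} days")
```

The benign-looking first request from outlook.exe and the later request from ws-03 are left out of the reconstruction because they touch no indicator and no compromised host; the design point is that attribution starts at the entry event and only grows through observed hops, so an analyst can see both how far the intrusion spread and how long it went unnoticed.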
Security has changed and there is no silver bullet as many senior management staff have unfortunately discovered.
Security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.