Why information security is everybody's business.
That's confirmed by Jon McGettigan, Wellington-based country manager of Fortinet New Zealand. "In an ideal world, security should be everyone's business. However, the world isn't ideal, so businesses should put in measures for those employees who don't observe sound security practices and procedures," he says.
US-based Kevin Kalinich, Aon's Global Practice Leader--Cyber & Network Security Risks, concurs. "To date, the issue [of network security and privacy] has been seen as 'IT's problem' or something for the 'techies' to worry about, but this is a mistaken view that has long had its day. Board, directorial and other governance-related responsibilities land the issue of security squarely at the feet of an organisation's senior executives."
The Gordian knot is the stuff of ancient legend: tied by King Gordius of Phrygia, it was so intricate that nobody could unravel it (demonstrating the sort of lateral thinking for which internet malfeasants are renowned, Alexander the Great solved the problem by slicing it asunder with his sword). Today's Gordian knot is the complexity of IT systems, agrees McGettigan, compounded by the fact that every layer of an IT stack is designed by humans, and humans are fallible. "Yes, that's true, and also why you will never have 100 percent security," he says.
Meanwhile, pity poor Sisyphus: punished by the Greek gods for chronic deceitfulness, his eternal task was to roll an immense boulder up a hill, only to watch it roll back down, repeating the action forever. Information security is a little like this: despite all efforts, nothing is ever really secure and the task requires constant effort and attention.
That's confirmed by Wellington-based PwC Partner and Cyber Practice Leader Adrian van Hest. "Cyber risks will never be completely eliminated, so organisations need to understand that the ever-changing nature demands a fairly dynamic and proactive approach," he notes.
It takes five minutes with Google to confirm Kalinich's view; major corporate security failures land in the lap of the CEO, not the IT department. That's precisely what happened in the aftermath of what's being called the biggest retail hack in United States history. When 40 million Target customer credit cards made their way to Russia, it was the CEO who had to respond. And it was the company which suffered, with more than 90 lawsuits filed against it by customers and banks for negligence and compensatory damages, and a 46 percent drop in profit over the 2013 holiday season.
INSECURE BY DESIGN?
You'd be forgiven for thinking the information technology industry is a complete and utter shambles, at least where security is concerned. After all, Bloomberg Businessweek runs headlines like 'Another Day, Another Retailer in a Massive Credit Card Breach', a phrasing that betrays 'security fatigue' while nodding to the constant supply of stories about cyber weaknesses, information breaches, insecure software systems and compromised data.
Sydney-based partner at law firm DLA Piper, Alec Christie puts it into perspective: "Despite a company's best endeavours, data breaches are more a question of when and how, rather than if. Cyber-attacks (including theft, fraud, sabotage, espionage and hacking) are becoming increasingly prevalent and sophisticated," he says.
But John Emerson, global CIO at Christchurch-based global company Tait Communications says the biggest security risk isn't IT systems at all, but the people who work with them. "As a result, our approach to security is largely a cultural one where HR works with the business to make security a part of everyone's job," he says.
As a company which provides secure communications to customers including utilities and law enforcement, Emerson says Tait's own security has to be 'pristine', and indeed it is well down the track towards ISO 27001 (the standard for information security management systems) certification. "Security is an issue which goes up to and including the board; as organisations go more digital, you have to be clear about in-depth security --and as a company which uses the cloud extensively, this is one of the drivers for certification. The cloud represents a recognition that security is not optional, but has to be part of the design of business systems, as well as products and services," he notes.
And while information security may at first glance appear to be a bewildering and indeed Sisyphean challenge for the average small to medium business, PwC's van Hest says that doesn't have to be the case.
Instead, he says stick to what you know, rather than speculating on what you cannot. "No business knows every attack and every vulnerability it faces. What you can determine, however, is what information is important to you and then take appropriate precautions to protect it. That's the difference between tackling information security from a position of knowledge, rather than one of speculation. Rather 'detect and respond' than try to keep everything out."
It's an approach confirmed by Tait's Emerson. "We have something called the Security Instant Response team, so when an incident occurs, rapid action is taken. That includes an assessment, followed by a report to publicise [within the company] what is going on. This builds the culture by helping our people be a part of it while showing what effort is being made to fix it."
While big companies can afford a Security Instant Response team, the average small to medium sized Kiwi company cannot--but the approach applies to businesses of any size, says van Hest. "Detection can come from noticing simple things like a bandwidth spike or systems behaving oddly," he notes.
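The "bandwidth spike" van Hest mentions is one of the cheapest detections a small business can run, because it needs nothing more than the per-host byte counts most firewalls and routers already export. The script below is an added example, written for this page and not code from PwC, Tait or the original article. It assumes a constructed log in the form "interval host bytes_out" (one record per host per five-minute interval) and flags a host whose outbound volume jumps well above the median of its recent intervals while also clearing an absolute floor, so a workstation suddenly pushing tens of megabytes out is reported but a printer doubling from 4 KB to 60 KB is not.

```python
"""Added example: flag outbound bandwidth spikes per host from interval byte counts.

Log format assumed (constructed for this example): "<interval> <host> <bytes_out>",
one record per host per five-minute interval, as an egress-accounting job might emit.
"""
from collections import defaultdict, deque
from statistics import median

# Constructed sample, not real traffic. ws-17 is a workstation that suddenly
# pushes ~45 MB out in one interval; printer-2 is a tiny host whose relative
# jump is large but whose absolute volume is noise.
SAMPLE_LOG = """\
1 ws-17 2100000
1 printer-2 4000
2 ws-17 2500000
2 printer-2 5000
3 ws-17 1900000
3 printer-2 3000
4 ws-17 2300000
4 printer-2 4500
5 ws-17 2200000
5 printer-2 4000
6 ws-17 2000000
6 printer-2 3500
7 ws-17 45000000
7 printer-2 60000
8 ws-17 2100000
8 printer-2 4000
"""


def parse_log(text):
    """Return (interval, host, bytes_out) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            records.append((int(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return records


def detect_spikes(records, window=5, factor=5.0, min_bytes=10_000_000):
    """Return (interval, host, bytes_out, baseline) for every spike.

    A spike is a count above factor * median(previous `window` counts) that
    also clears the absolute floor `min_bytes`. The median baseline means one
    earlier spike does not inflate the baseline and mask the next one; the
    floor keeps low-volume hosts from alerting on tiny absolute changes. No
    alert is raised until a host has `window` prior intervals of history.
    """
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for interval, host, nbytes in sorted(records):
        past = history[host]
        if len(past) == window:
            baseline = median(past)
            if nbytes >= min_bytes and nbytes > factor * baseline:
                alerts.append((interval, host, nbytes, baseline))
        past.append(nbytes)  # the spike itself enters history only after the check
    return alerts


if __name__ == "__main__":
    for interval, host, nbytes, baseline in detect_spikes(parse_log(SAMPLE_LOG)):
        print(f"interval {interval}: {host} sent {nbytes:,} bytes "
              f"(recent median {baseline:,.0f})")
```

Run as-is it reports only ws-17 at interval 7. The window, multiplier and floor are the knobs a practitioner tunes to the site: dropping the floor (min_bytes=0) makes the printer's jump an alert too, which is the false-positive noise van Hest's "systems behaving oddly" heuristic has to be filtered against, and using a median rather than a mean is what keeps the baseline honest in interval 8, after the spike is already in the host's history.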
YOUR BUSINESS IS NOT A FORTRESS
A case can certainly be made that nothing is secure, anywhere. And to an extent, this is true--the only sure way of protecting your information would be to switch off the internet, shut down the computers and revert to paper (but that still won't stop the determined data thief from swiping the papers off your desk).
Emerson says it is easy to fall into a 'fortress' approach to security--but adds that this is a mistake as the benefits of technology systems will be choked. "Information systems are supposed to enable business. Instead of locking things down, security can present an opportunity for IT to improve its value to the business by becoming integral to business processes; after all, IT enables business processes and by integrating security, the result can be more secure and therefore better processes."
Getting your business to a reasonable state of security (which should be 'good enough' rather than the unobtanium of 'completely secure') depends primarily on policy and practice, says PwC's van Hest. His advice: "Organisations need to identify and invest in cyber security that is relevant to their business. It's also important to take an end-to-end approach and focus on detection and response, as well as prevention."
Effective security awareness also requires top-down commitment and communication, a tactic that he says is often lacking.
There is more good news, too, and it comes from Christie. "It's still the case that the most basic security can prevent over 60 percent of the current type of cyber-attacks."
Title Annotation: RISK MANAGEMENT
Date: Dec 1, 2014