2013 was a watershed year for cyber security and digital secret-keeping. Revelations about the way our data is treated once it leaves our browsers and mobile devices, the actions of hacker collectives, the dismantling of the ostensibly bullet-proof Silk Road online marketplace, White Card scams, Megaupload’s reincarnation as Mega…
But what does the average business need to know about keeping others locked out of private affairs or business dealings?
Eric Friedberg – former computer and telecommunications coordinator for the U.S. attorney’s office of New York and co-founder of security consultant, Stroz-Friedberg – says the need for security is not in question, what’s worth thinking about is building your digital barriers in the most efficient manner possible. “For small to medium companies the challenge is normally budget.”
Companies on a budget need to focus on the most sensitive areas and place priority on protecting them. To that end it’s best not to skimp. “We’ve seen many a midsize company come close to extinction because a major attack happens,” says Friedberg. “After the fact they put lots of security in and you can be sure that in retrospect they wished they’d committed the budget that they didn’t think that they had before the attack.”
Small and midsize firms may wonder why hackers and cyberthieves would be interested in breaking into their systems but, according to Friedberg, one company’s money is just as green as the next’s, regardless of size. “If you have a small credit card processing firm, for example, the fact that it only has a million credit cards as opposed to 100 million—hackers are happy with a million credit card numbers.”
So what can you do to protect yourself? The first step, apparently, has nothing to do with security software at all. “We find that before you get to the technological vulnerabilities, the thing that makes companies weak is the lack of a good governance structure,” says Friedberg. “Governance structure meaning owning the cyber security problem at the very top of the organization; making budget and architecture and cultural decisions as a leadership group and then also having the proper balances and controls such as having a CISO (chief information security officer) as an independent voice to assess risks separate from the CTO function.”
Taking those kinds of steps saves a company CTO from feeling pressure to cut costs by downgrading the security system. “They don’t want to air problems that they have for fear of that reflecting badly on them,” said Friedberg. “They don’t commission really vigorous third party ethical hacking and penetration testing. I can’t tell you how many companies we go to where they just go get a cookie-cutter penetration test just to say that they did it and it sheds no light on their real vulnerabilities.”
The philosophy to adopt is one that assumes your company’s digital walls will be compromised at some point. To that end, a firm’s security system should include intruder detection and network segmentation that protects the most valuable data in a more fortified part of the network.
(image: Devdsp on Flickr)
Hacking generally comes in four forms: state sponsored espionage, organized crime for financial gain, the insider threat and politically motivated hacktivists. In 2014, Friedberg does not see state-sponsored actions abating at all. Russian and Eastern European organized crime groups will continue to compromise banking and business security through Trojan Horse penetration programs. “It’s a cat and mouse game and these attackers are very smart, savvy and creative.”
Hacktivism may see a drop due to advances in the effectiveness of law enforcement, but the middle east could see an uptick due to political turbulence in the region. “We’ve seen increased activity every time one of those things flairs up,” says Friedberg. Insider threats are harder to gauge. “If anything it probably increases when the economy constricts because there are more layoffs and more disgruntlement and more destructive activity by insiders.”
Via Forbes
