Information is the lifeblood of not just corporations but organized crime and terrorism, says Steve Durbin of the Information Security Forum in conversation with Rahul Neel Mani. The ISF has released its Threat Horizon Report, and Durbin says we may have to give up some individual privacy in return for responsible governance and security.
Q: This is the first time that ISF has made the Threat Horizon Report public. It is a huge gain for non-members. What are the major findings of this report that you would like the vast majority of businesses to ponder upon?
A: You’re right, this is the first time that the ISF has released such a report into the public domain and the timing of this is by no means haphazard. Globally we are in the midst of continually sophisticated cyber threats that governments are only now beginning to openly admit as being amongst the most serious to national security.
And that is at the macro level. At the level of the individual or indeed the enterprise, we are faced with daily opportunities for cybercrime to take hold and impact us personally. It is against this backdrop that the ISF has decided to share some of its world-leading research into the threat trends that we and our members see as being critical. I would draw your attention to three major findings, or drivers if you like, that make the threats we detail in the report so real.
The first is a fundamental weakness in infrastructure. Under-investment in both organizational and national critical infrastructure has weakened the underlying IT platforms. They are poorly placed to support new and evolving business technologies such as e-commerce, cloud computing and mobile working, all of which are everyday realities.
Secondly, the rise of the Internet generation coupled with high levels of personal technology adoption has caused an irreversible change in attitudes to protecting information.
Thirdly, increasing globalization means that organizations of all kinds are subject to greater threats as a result of being seen as an attractive target, having to meet the needs of multiple legal jurisdictions and becoming a more complex organization.
Clearly these three drivers will impact different businesses in different ways but if the vast majority of businesses examine the impact of these three drivers on their business today and put in place policies, procedures and training of their employees to help mitigate the risks they face, the impact would not be insignificant.
Q: On the one hand the appetite for risk and bad governance is shrinking, on the other the cyber attacks and threats are at their highest. What are the most crucial steps that corporate houses need to take to minimize the damage?
A: Two words – Contingency and Integrity. As I mentioned before, the under-investment in critical infrastructure has led to poor resilience at pinch points with the risk of complete loss of communications, data and the associated impact this has on the business.
The sheer scale of information, its life in multiple locations and the lack of detailed management of that information has led to a toxic information wasteland where organizations are unsure as to which of the multiple copies is right and true or who is qualified to make that judgment.
Inadequate integrity checking leads to unforeseen effects from changes to business information and potential compliance failures; poor records management opens up opportunities for fraud.
Attackers have adopted strategies based on a combination of threats such as these that can lead to them obtaining authentication details, gaining access to systems or networks, misusing systems to commit fraud, stealing proprietary information and introducing malware. Businesses can better equip themselves to deal with these threats by following these steps:
1. Evaluate contingency arrangements
2. Undertake business impact assessments for failure of critical applications and processes
3. Review adequacy of security, integrity and version controls
4. Establish records management and compliance monitoring procedures
5. Introduce common risk language and understanding of threats across the organization, whilst seeking pragmatic ways to assess and manage risk holistically.
Q: What is the right way of creating a balance and how can privacy be upheld without compromising on issues such as national security and terror threats?
A: I think your term 'creating a balance' is absolutely spot on here. Clearly this is a challenging issue, especially for multi-national organizations that need to juggle on a daily basis the different demands of the various jurisdictions in which they operate. But how do you create the balance?
Well I think enterprises need to start from a position that there is no perfect solution so pragmatism will need to prevail. Ensure privacy policies are clear and meet the needs of the jurisdictions in which the enterprise operates. Gain the input of legal advisors and industry colleagues who are grappling with the very same issues.
Finally, create a forum for discussing changes in the law both within and across jurisdictions. But how can we square this with the needs of national security and terror threats? In my personal opinion, it is an impossible ask. Sadly, I do believe that the right to privacy has probably reached a point of no return when it comes to matters of national security.
We live in an increasingly dangerous world where access to information is the lifeblood not just of an enterprise but also of the criminals and terrorists. The only way to combat this effectively is, I believe, for us to give up some of our rights to privacy – but that places a huge onus on our elected governments to behave in an appropriate and accountable manner.
Q: How important is a comprehensive risk and governance policy to take precedence over the simple information security architecture so that the corporate sees the bigger picture? What are the key suggestions that you will recommend?
A: This is an essential component in any effective approach to security and risk management. To manage risk you need to plan for it – identify, plan, protect. Security teams need to identify the information risk management procedures that need to be in place to meet the requirements of the business.
With organizations needing to look much more closely at their internal security structures and how they can meet compliance regulations, there is a need to make use of tools such as those used by ISF members to manage and control information risk throughout the enterprise. In particular:
1. Good practice – establish policy and procedures that are in line with current regulatory and compliance requirements and establish means of monitoring their effectiveness
2. Benchmark – monitor your security posture and compare your results with those of other organizations
3. Tools and standards – make use of tools that exist to meet regulatory requirements such as Sarbanes-Oxley and Basel II and to measure and achieve compliance against world standards such as ISO/IEC 27002 and COBIT
Q: What are the best practices that you would prescribe to ensure corporate security for mobile enterprises and those who are adopting cloud and virtual infrastructure?
A: Mobile and remote working, outsourcing and cloud computing have combined to all but remove an organization's network boundary. That, coupled with the increasing penetration of smartphones and laptops, has blurred the lines between business and personal usage – the trader who wants to use an iPhone for securities trading, the salesman who updates his orders from his Android phone or chats on Facebook whilst completing a proposal for a new client, these are all the realities of life today.
Boundaries have all but disappeared so security professionals need to adapt and enterprises need to change to cope with a new world. How can they do these things?
1. Consider the architectural options available for working without a network boundary – if the boundary hasn’t gone already it soon will, so time will be well spent considering the options!
2. Investigate the feasibility within the enterprise of trusted zones and the niche application of products such as digital rights management.
3. Establish policies for the use of personal devices and access management across devices.
4. Establish asset management for smartphones and assess the security implications of their use.
5. Educate users through communication and awareness programs that are supportive of the work day reality as opposed to seeking to prevent or restrict usage of these devices.
Q: The highly competitive global market has given rise to more organized attacks on proprietary information and IP of organizations that do fundamental research. How would you assess the scenario? How are these espionage attacks being planned and what should the organizations do to mitigate the risk?
A: Cybercrime is big business. Cyber criminals are clever, sophisticated and have resources at their disposal that many enterprises would only dream of. That is the reality. And I do believe that the trend is set to continue. So what can organizations do?
Well the threat is clear: there is an increased risk of loss of proprietary information through targeted hacking and other cyber attacks that have the potential to lead to a loss of reputation and trust in addition to the financial cost of the theft of proprietary information and IP.
In the face of such threat organizations must identify the sources of high-value information and evaluate niche solutions such as data loss prevention. Here it really is a case of planning for the worst and hoping for the best.
Q: What is an ideal plan for protecting corporate information assets? Can you describe a full-blown plan in a nutshell?
A: What does an ideal plan look like? I’ll let you know when I see one! Each plan needs to be mapped to the needs of the individual organization and to address the business-critical issues that affect the successful day-to-day running of the enterprise. A full-blown plan should address the six key components of information security and risk management good practice:
1. Governance: the framework by which policy and direction is set, providing senior management with assurances that security management activities are being performed correctly and consistently.
2. Risk: the potential business impact and likelihood of particular threats materializing – and the application of controls to mitigate risk to acceptable levels.
3. Compliance: the policy, statutory and contractual obligations relevant to information security which must be met to operate in today’s business world to avoid civil or criminal penalties and mitigate risk.
4. People: the executives, staff and third parties with access to information who need to be aware of their information security responsibilities and whose access to systems and data needs to be managed.
5. Process: business processes, applications and data that support the operations and decision making.
6. Technology: the physical and technical infrastructure, including networks and end points, required to support the successful deployment of secure processes.
And once you have created the plan, review it, test it, monitor it and do not be afraid to make changes to it. An effective plan changes with the needs of the business – and that can be a pretty full-on task for even the best security teams.
Cross-posted from CTO Forum