Organizations Often Neglect Cybersecurity’s “Weakest Links”
Cybersecurity and resilience require a holistic approach that considers all threats.
Although many organizations take an aggressive approach to cybersecurity, they often don’t fully consider the weak links that may make them particularly vulnerable, according to Scott Kaine, a Booz Allen Hamilton principal who leads cybersecurity assignments in both the public and private sectors.
In a presentation at the recent Securities Industry and Financial Markets Association (SIFMA) Technology Conference in New York, Kaine urged members to take a holistic approach to addressing cybersecurity threats, both from within corporate boundaries and beyond traditional firewalls.
Kaine outlined five basic areas where security efforts can be strengthened:
People. Organizations typically focus on cybersecurity threats from the outside – but neglect the even greater threats from within. Industry analysts estimated that 70 to 80 percent of cybersecurity problems arise from an organization’s own people. Though some data breaches are intentional, far more often they are caused by employees who are simply careless or uninformed about “phishing” and other techniques used to compromise information. “Everyone from customer-service representatives to C-suite executives must be responsible for what is on their computer screens,” says Kaine.
Social networking sites like Twitter also present a growing threat. Negative information about a corporation, spread virally through such sites, can instantly and severely damage the organization’s reputation. In addition, criminals use networking sites to sell stolen credit card numbers and personal information. While organizations cannot monitor every feed on the Internet, it is essential they have a cybersecurity crisis-management plan in place so they can be ready with a quick and effective response.
Internal security policy and planning. Organizations place too much faith in written guidelines, without taking steps to make sure they are properly followed. Employees are often unaware of policies that, for example, may prohibit them from taking their laptops home or from inserting USB drives into their computers. Such risks can be exposed and remedied if employees are tested with scenarios that evaluate how they would respond to certain situations. “Nothing beats a good fire drill,” says Kaine.
Regulatory policies. Organizations tend to be extremely reactive to new regulatory policies, especially with new administrations, and so may not be ready for changes that could have significant impact. While policy staff members can be expected to be familiar with pending cybersecurity legislation, they may fail to alert those in the organization who would be most affected, such as the Risk, Security and IT staffs. Periodic meetings should be held to plan for anticipated regulatory impact.
Budgeting. Kaine advocates the use of an enterprise risk assessment to determine the areas that pose the highest degree of risk. Once that assessment is in hand, the budgeting process should use it to allocate funds accordingly. When organizations are faced with budget cuts in cybersecurity, they often focus on whether they are obtaining the most effective security tools and software. However, limited resources may be better spent if they are directed toward training. Employees who have not been properly trained represent the greatest cybersecurity risk to organizations, and that must be reflected in risk assessments and budgeting.
Technology. Organizations expend significant resources on analytical tools that search through their data for patterns of fraud or malicious code. However, as organizations acquire, merge and consolidate, the data is often stored in multiple and conflicting formats that render the tools ineffective. For example, the same name might have a “Jr.” – with a period – in one format, and a “Jr” – without a period – in another. Thousands of data fields may have such inconsistencies. Organizations must devote the necessary time and resources—however painful that may be—to ensure their data architecture is normalized. Such efforts will pay off by making the security tools far more effective.
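The normalization point above in working form, as an added example that is not part of the presentation or of any Booz Allen tool: the records and the suffix table are constructed for illustration, and the "pattern" being searched for is simply one identity holding several accounts across merged systems, which a naive exact-match count misses and a normalized count finds.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample records from two merged systems. The same person appears
# under inconsistent suffix punctuation, letter case, commas and spacing.
RECORDS = [
    {"system": "A", "name": "John Smith Jr.",  "account": "A-1001"},
    {"system": "B", "name": "john smith jr",   "account": "B-2002"},
    {"system": "B", "name": "JOHN  SMITH, JR", "account": "B-2003"},
    {"system": "A", "name": "Maria Lopez",     "account": "A-1002"},
]

# Assumed canonical spellings for common generational suffixes.
SUFFIXES = {"jr": "jr", "jnr": "jr", "junior": "jr", "sr": "sr", "snr": "sr",
            "senior": "sr", "ii": "ii", "iii": "iii", "iv": "iv"}


def normalize_name(raw: str) -> str:
    """Return a canonical form so that 'Jr.' and 'Jr' compare equal."""
    # Fold accents to ASCII, lower-case, then keep only alphabetic tokens,
    # which drops periods, commas and repeated whitespace in one step.
    text = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", text.lower())
    tokens = [SUFFIXES.get(t, t) for t in tokens]
    return " ".join(tokens)


def accounts_per_identity(records, normalize=True) -> dict:
    """Count accounts per name, with or without normalizing the key."""
    if normalize:
        key = lambda r: normalize_name(r["name"])
    else:
        key = lambda r: r["name"]
    return dict(Counter(key(r) for r in records))


def flag_multi_account_identities(records, threshold=2, normalize=True) -> list:
    """Identities holding at least `threshold` accounts across the merged data."""
    counts = accounts_per_identity(records, normalize)
    return sorted(name for name, n in counts.items() if n >= threshold)
```

Run against the raw names the check finds nothing; after normalization the three "John Smith Jr." variants collapse into one identity with three accounts.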
At the same time, organizations should take steps to be more proactive in recognizing and preparing for external threats. Often, there are certain patterns on the Internet, such as traffic anomalies, that could be precursors to forthcoming attacks. Organizations cannot wait until these threats hit their firewalls. By working with entities that may already be aware of the approaching danger, such as Internet service providers and government agencies, organizations can better prepare. “When it comes to cyber,” says Kaine, “even a one-day ‘heads-up’ on a pending attack can result in a significant risk reduction.”
story posted August 12, 2009
