“Is your business secure?” is a question most senior-level IT managers get tossed their way ad nauseam. They snap off a quick “yes” and walk to their offices to mull over their response. Invariably the question will arise again the day there is another news story about how some impenetrable IT fortress got hacked. Self-doubt quickly rises to new and astonishing levels as the IT manager starts searching for real and perceived security holes.
“It is part of our common experience,” said James Cavanagh, an Atlanta-based telecommunication consultant. He spoke at a recent Telus Corp. Expert Series in Toronto.
He started his talk by outlining the huge impact bad network security can have on a company. Most of the attendees were well aware of Cavanagh’s list of potential direct and indirect financial losses that can result from bad network security, so he didn’t focus too much on it. Instead he zeroed in on trust. Companies that get hacked can see repercussions in stock prices, sales and partnerships.
“Trust is very, very fragile,” he said rather poignantly.
To bring his case to the point, he described a hypothetical “cyber war” waged against a Toronto company. The attack started with the script kiddie’s favourite method, the denial-of-service attack. But what followed is the real point of concern for corporate types: public trust eroded and, as a result, stock prices started to fall.
Though Cavanagh’s example may have been a bit simplistic, since the likes of eBay seem to have suffered little from their denial-of-service experiences, it did demonstrate the randomness of attacks. The sheer number of novice hackers (see accompanying chart) creates a huge problem, he said.
Cavanagh moved on to the world of risk assessment, a difficult yet important task for companies to perform. His experience has shown him that companies which attempt to assess risk internally tend to over- or underestimate the levels and, as a result, end up with protection that does not match corporate needs.
One reason to go outside corporate walls to get an accurate assessment is that the professionals are more aware of what is going on within and across industries. Some industries have tremendous problems with competitive spying while others are prone to attacks from idealists or extremists.
“It is absolutely impossible to have flawless security – the game we are playing is to reduce [risk],” he said.
The three elements
Cavanagh is no different from other security gurus in basing success on the people-technology-policy triangle. Where he differs, though, is his hardcore attitude: if you want your company to have tight security, there can be no exceptions to the rules.
“Everybody in the organization needs to be trained,” he said. This means everyone from the CEO down to the cleaning staff. If an employee gets a third “security strike,” a company needs to be quick and efficient in firing him or her. This goes as high as the CEO, he said, though one has to have some doubts as to whether Bill Gates would be allotted only three strikes.
“The first thing you need to do as a company is to assess the extent to which you can trust your employees,” he admitted.
Cavanagh cited examples of corporate bonus programs for good security. “I feel that the carrot works better than the stick.”
If you stop someone from coasting in through the door on your pass, you could be up for an award.
But these types of drastic solutions are bound to meet some fierce internal resistance.
Cavanagh admitted it is a difficult road. “We like to trust the people we work with,” he said.
“[Security solutions] must be able to change with the situation…not react the same way all the time,” he said.
For many companies this is a problem, since hackers learn quickly. Cavanagh even suggested larger companies can create a honeypot, a place on the corporate site where hackers can enter and be tracked and monitored, though he admitted this option is rather expensive to implement.
He explained how simple tasks, like finding out from your ISP what other companies are hosted on its servers, can give your company a more complete security profile. If your sites reside on the same physical server as another company’s and that company is hacked, you have to know how it will affect you.
And finally, once your easy-to-use-yet-impossible-to-avoid security solution is in place, it is of paramount importance to have your security measures audited by an impartial third party.