Organizations must take IT security away from the information technology department and put it in the hands of a chief risk officer if they want to make a meaningful dent in the increasing number of cyber attacks, says a security expert.
“Something that important shouldn’t be left to the techies – and I am a techie,” Jose Fernandez, associate professor of computer engineering at Polytechnique Montreal and co-investigator at the Smart Cybersecurity Network (SERENE-RISC), said in an interview this morning. The network, which holds its second annual workshop in Montreal starting Tuesday, is a group of academic, government and industry researchers trying to help governments and the private sector manage online risks.
“This is not a technology problem,” Fernandez said. “IT security is a business problem, and until we view it that way then it’s going to grow and will start taking down large corporations.”
The risk officer, who in his view has to report either to the board of directors or the CEO, must have responsibility over all departments, he said, to make sure users “aren’t doing stupid things like going to Web sites and getting infected,” are managing corporate information correctly, and in some cases ensuring that business processes are re-engineered.
Fernandez is one of the speakers at the workshop, which will look at global cybercrime, the work of the federal Canadian Cyber Incident Response Centre, cybersurveillance, information and security research, data breaches and underground markets.
Fernandez will talk about a pilot study he and others undertook in 2011-2012 on the effectiveness of anti-virus software on 50 laptops given to a randomly selected group of users over a four-month period. Among the findings after examining the machines was that the software on 19 PCs was able to detect and stop infections, but on 10 viruses were able to penetrate the defences.
Researchers also made some interesting findings on user behaviour, including that computers owned by men were no more likely to be infected than those owned by women, nor was age a factor. But one finding that surprised him was that users who had some computer expertise were more likely to have their laptops infected.
“It’s almost a little knowledge is a dangerous thing,” he said. More likely is that these people are less risk averse, he said.
Another conclusion from the data is that porn sites aren’t the most likely source of malware. Sports and entertainment Web sites were also places where users’ PCs became infected. Rather than drive users to an infected Web site, cybercriminals are increasingly using ads on popular Web sites, he said.
He acknowledged that the study’s small sample isn’t sufficient for policy-makers to use, but it is useful to show where research can go. “It’s important that corporations do these studies every once in a while,” he added.
The Globe and Mail reported this morning that more C-suite executives are taking cyber security seriously, with 60 per cent saying they are spending more than they did two years ago.
But, Fernandez said, if only money is being thrown at the problem it will be wasted. “It needs to be a top-level led effort.”
Many researchers and vendors are looking for solutions to the increasing number of reported data breaches, but he said the fallacy is trying to find a silver bullet – one solution, one piece of software or hardware. “We in society, in industry and government have to start giving this problem a priority. At the same time the actions we can take can mitigate the problem quite a bit. These actions are a combination of technology, but more importantly user awareness and putting incentives in the right place” – such as criminal and civil sanctions, as well as rewarding those within corporations for making the right decisions.
He described the current state of IT security as “the next global warming crisis.” It needs to be taken more seriously because the potential for cyber attacks to shake not only the global economy but also democracy “is quite great.”