The Wavelength: Security and Compliance

Security is a major issue for most corporations these days, and compliance is a critical component of security as well as a complex issue in its own right. We asked several leaders in the industry some questions about what organizations are doing right, what they can do better, and what they are not doing at all.

In your opinion, are most organizations doing enough to protect their most critical business assets from threats and vulnerabilities?

Stephen Cobb: The good news is that most organizations appear to be doing more today than in the past, but in too many cases it is still not enough. More companies than ever are reaching out for assistance, but the security consultants who get called in to help have no shortage of horror stories, from flat networks with no segmentation to an absence or misconfiguration of basic controls. Any organization that feels it is doing enough should get an outside opinion, a penetration test. That will either validate your confidence level or show you where you can improve.

Chris Gilliam: No. The large-scale data breaches that have occurred over the last few years have helped to draw attention to the increased need for security, but still, many organizations have not implemented the policies, procedures and safeguards needed to protect critical data. These well-publicized breaches notwithstanding, large corporations are still typically better suited to address security threats than other enterprises, government entities, or other organizations. Smaller entities have fewer resources to funnel toward security (or none at all) and simply can’t afford state-of-the art security tools to prevent today’s security threats.

Jason King: Most organizations are not doing enough to protect their assets.  Companies need to integrate protection measures that protect their business assets and intellectual property first, regardless of location. In addition, the protection of data from both inside and outside attack must be integrated into the business operating model and not just an IT project.  Malicious users and organizations are becoming better organized with cutting-edge tools at their disposal. Senior leadership must identify potential targets and create an ongoing strategy to protect their companies as a top priority.

Mike Stramaglio: My answer is a mixed bag of yes, no and impossible. The question is one of the most complex to address due to the importance of available technology and why and how is it being deployed. For example, some firms have great policies for managing the human part of the equation; e.g., how should mobile devices be protected or what an employee is authorized to see and touch. But unfortunately, they may not have the IT group or the systems in place capable of embracing the most advanced types of network services or data. The world is all about the Internet of Things and business intelligence, but many of the firms in our industry are often using systems or networks that cannot speak with each other. The byproduct of this scenario is a high level of risk at almost every technology and human intersection.

What should be the goal for any organization when it comes to information security?

Cobb: You have to make a commitment to protect the information that is generated by, or entrusted to, your organization, then back up that commitment with all reasonable measures. I realize the “reasonableness” test seems frustratingly vague, but that is the benchmark against which your organization will be judged if there is a breach. Simply being compliant with a set of standards, whether it is PCI, HIPAA, or whatever, is not a goal; it is a tool to achieve the security goal, making good on your commitment to security.

Ryan Kalember: Organizations need to protect the way people work today, because the business can only move as fast as its security program. Employees need to be able to use email, social media platforms and mobile devices safely — from any location — so they can stay competitive. Information security isn’t just the job of the IT team. All employees are responsible for ensuring digital risks are avoided and companies stay out of the data breach headlines. From a security team perspective, while employee training has an impact, every organization clicks. Reduce the number of inbound phishing attempts, assess clicks at click-time, and supplement legacy gateways with targeted attack protection and automated threat response.

Stramaglio: Simple goals are the best to manage. This is the first set of goals I would recommend:

1. A complete review of all current company-wide policies, procedures, passwords, etc., and a complete review of the people and how well they follow the rules.
2. A full review of hardware being utilized — how old are the servers?  How many? Are you in the cloud, and why or why not?
3. A full system review including who has access to your data and why. How open are your “ports” and how many software systems are you running?
4. What are the goals of your internal IT group and how good are they at achieving them? If you are  using an outside group, why, and who are they?
5. A full review of all third-party parasitic software running on your network.

Who do you think is the more dangerous threat to network security — insiders or outsiders?

Cobb: Insiders clearly have the potential to be more dangerous. You only need one word to prove that: Snowden. Outside threats are clearly more prevalent these days, and I don’t mean to downplay them, but poor choices by key insiders can be devastating to an organization. The broader attention given to external threats these days should not obscure the age-old need to ensure that any trust we place in employees, partners, and suppliers continues to be well placed.

Gilliam: Outsiders, as far as the number of incidents, but insiders are a concern as well. Outsiders are actively trying to break into the network with malicious intent. They have formed criminal organizations and drive an entire black-market economy. While there are intentional insider breaches, the vast majority of insiders have positive intentions for their organization and are not actively trying to cause a data breach, or allow a threat into the network.

However, internal attacks are much harder to prevent and detect, because these employees already have access privileges to the network, and the sensitive information contained within. Another aspect of insider threats that makes them dangerous is that most companies don’t track their internal network traffic and don’t have an insider threat program in place. IT admins need to be prepared and secure for both, but I would say that the outsiders are the more dangerous group.

King: No company wants to make the front page of the newspaper with a data breach headline.  While hacker groups look to take down large brands, I believe that the biggest threat to network security is the internal user. Certainly some insiders are on the hunt for unsecure data on the inside; however, the bigger threat is the accidental breach. Sending out an email with confidential data, storing secure data on unencrypted local drives, or simply connecting a corporate mobile device to an unsecure network are all potential risk areas. In our business, we focus on securing the data from internal users in all areas of the business process by using audited most-restrictive user access combined with SOCII certified controls in our solutions.

What are the most common reasons that corporations have not addressed security vulnerabilities?

King: The lack of adoption of security measures in businesses comes from a couple of areas.  First, security controls are often seen as cumbersome “technology-first” driven solutions that are inefficient for the business to use. When the user perceives security as a roadblock, the inclination is to avoid the process. Evaluating the business operations first and integrating security into these business processes is key for success.  Another reason that security is not addressed is resource constraint.  The process of identifying, testing, and patching servers, firewalls and applications on a consistent basis gets pushed to the bottom of the to-do list as the results are often unseen. Accumulating patching tasks over time then develops into a new IT project for rollout or upgrade rather than a routine monthly task list. Ultimately, data security should be incorporated into the operational model and roles in all areas of the company rather than becoming a segregated IT initiative for prioritization.

Gilliam: There are three common reasons that security is not a priority at many corporations.

1. Lack of IT resources: Despite the growing importance of the Internet to most businesses, many IT departments are still short-staffed and under budget. This leads to difficult decisions by IT leaders on if and when they can strengthen their security posture. Overworked employees fall behind on routine security maintenance. Worse yet, due to budgetary concerns, many IT workers lack experience or are under-trained for their positions. More emphasis needs to be placed on security from the top down.
2. Awareness: All employees need to be educated on cybersecurity and knowledgeable on how to avoid threats. In today’s threat landscape, the ownership of security belongs to everyone at the company; it is no longer just an IT role. The more that businesses can integrate this into their culture by offering educational resources and mandatory training, the faster we can eliminate this as an issue.
3. “Not My Company”: Many smaller corporations still believe they are not a target to hackers trying to steal sensitive information. Some think they simply aren’t big enough to be a target, while others don’t realize the value of the information they hold. In the hands of the wrong person on the black market, any information can be valuable whether it is Personally Identifiable Information (PII), intellectual property or other confidential information.

Stramaglio: The reasons for failure in this area are many and frankly, the answers are widely different depending on the firm’s size, capability, age, and even the type of business they are engaged in. In the medical field or other highly sensitive and regulated industries you will find a bigger appetite and need for security.  But even with these types of clients they are tied to a fast-paced and explosive need for the best technology, and that brings with it a huge number of issues. It is very difficult to keep up with the need or demand of the most advanced security environments.

What are the most important things to consider when it comes to security planning, policies, and implementation?

Kalember: The two words that can best guide improvement of any organization’s information security policies are “simplify” and “automate.” “Simplify” means reducing policy to a single page, with understandable instructions like “Always confirm wire transfer instructions by calling the manager.” Complexity is the enemy of security. While having binders that detail which data should be encrypted, for example, may satisfy a policy audit, it won’t practically improve security. “Automate” enables simplicity. When users click “send” in email, a central policy engine can decide if the email needs encryption, or violates policy. This ensures more consistent and effective security. Similarly, when a scan shows sensitive content is stashed on an unprotected file share, have a policy that determines if the content should be copied or deleted based on central control. This removes the need for the user to adhere to policy and will reduce the chances of a breach. In both cases, automation increases simplicity and security.

If you could change one thing about the current infrastructure we all use to make it more secure, what would it be?

Kalember: Security infrastructure needs to be built around how people work today. They are often remote and use a combination of email, social media and mobile applications to complete their work. An effective security infrastructure needs to take these varying communication channels into consideration or it will be outpaced by cybercriminals who are constantly evolving their techniques. Organizations need a security infrastructure that is easily deployed through the cloud, just as nimble as the criminals and provides clear visibility into the most urgent threats to ensure rapid response.

If you had the option, would you eliminate BYOD entirely?

Cobb: Clearly, BYOD is a very complex challenge. While we are making progress on the software that enables split personalities on devices, that may not work for everyone. Personally, I don’t do BYOD. I use my own phone and laptop for personal things. I use a company laptop and phone for company things. However, I realize that I am in a somewhat privileged position in that I can afford to do this and my company is not pressuring me to use my own equipment. I certainly don’t think organizations can assume that all employees will be okay with their employer having access to their personal devices.

Stramaglio: I am not an advocate of BYOD and no doubt this may fly in the face of convention. I think people do it to reduce expenses but I think the risk factors multiply at an unacceptable rate and, when married with less than acceptable security policies, it is not a good idea. That being said, if you are seeking to continue this type of policy there are products out there that will provide additional security with even greater data and usage segregation with a “backup to the backup” type of software that can literally shut down all phone systems and wipe out the data or totally secure all  confidential information. But this issue and the question posed is going to become more and more of a problem in 2016.