Cyberspace-Junk: Three Top Ways to Avoid a Collision

The start of 2010 brought with it a spate of reporting on the dangers of cyberspace, whether it be cyberattacks on an individual, a corporation, a public utility system like an electricity grid, or nation states playing games with each other. Mid-January saw an unlikely cyberwar breaking out when Iranian hackers attacked China’s largest internet search engine, Baidu, and Chinese counterparts retaliated against Iranian websites. In this rapidly expanding arena of competition, Russia, China and a number of other countries have been accused of mounting massive operations, though in this field there are far more sinners than saints.

A McAfee survey of 600 international technology executives (‘In the Crossfire: Critical Infrastructure in the Age of Cyberwar’, available at www.mcafee.com), released in January, helped wipe away any New Year complacency. It found that recession-driven cuts in spending on online security over the past 12 months had led to an increase in threats. The result was that more than one-third of those interviewed believed their sector was unprepared to deal with a major attack. More than half felt that the laws in their country were inadequate in deterring potential cyber-attacks, and almost half lacked any faith in their government’s capacity to prevent or deter them. One expert believes that consumers will increasingly bear the cost of online crime and security breaches as organisations seek to limit their exposure in an escalating battle against such attacks.

Art Coviello, president of EMC’s data security arm RSA, for example, has little confidence in government, pointing out that data security regulations have fallen way behind the internet age. He believes that government regulation on security should focus on outcomes and not on prescriptive measures. Data breach regulation is a great regulatory initiative because it does just that. It says, if you are negligent in protecting information, you need to publicly confess. He says it’s amazing what California has done to ensure that people do the right thing because they don’t want to be embarrassed. “Compare that,” says Coviello, “with prescriptive regulation like the obligation to encrypt this or provide that. That relies on the government having the kind of technological sophistication to keep up with the threats. What do you suppose are the odds that governments are going to move quickly enough? They can’t even update the laws for the internet age, let alone data protection. It’s much easier for government to say don’t let something happen and put the onus back on the organisation to protect its infrastructure however it sees fit.”

This, of course, is government acting in the legislative and bureaucratic sense. When you look at the electronic eavesdropping capabilities of most governments, the picture changes significantly. But that capacity isn’t necessarily geared to helping you. Rather, it’s devoted to intelligence gathering, whether on the political, economic or anti-terror fronts – and let’s not forget, sometimes on the commercial. As Paul Mah notes in an article in the Florida-based TechWatch brief (“Is cyber warfare the new corporate reality?”, January 29), in which he commented on the McAfee findings on infrastructure threats, “What I find deeply disturbing is the prospect of rooms crammed full of elite hackers working from multiple systems as they conduct round-the-clock cyber campaigns against less well-supported corporate entities.”

Today, he observes, it would be unusual to enter a corporate office and find staffers without access to a dedicated workstation. And most households in developed nations have more than one PC at home, which would likely have some kind of access to resources on remote corporate networks. “The chilling truth,” he says, “is this: a successful exploit on any one of these machines could potentially tear a huge security hole in a network. How can smaller companies stand a chance against the forces that foreign governments can bring to bear? Is the ability to protect against cyber attacks the new reality for corporations around the world?”

Michael Malin, executive vice president of Mandiant, a US information security firm, knows how serious the challenge can be. His company released a report in late January that shed light on the ultra-sophisticated art of so-called advanced persistent threat (APT) attacks. Malin points out that, “once hackers are in, they don’t need to hack through again; they set up camp with a longer-term presence that allows them to move about the company freely and typically undetected.” Alan Shimel, CEO of The CISO Group, another US security firm, sounds a warning to all of us worried about cyber attacks. “From a security point of view,” he says, “there’s no magic bullet. Nothing is going to make you immune.”

There is another area which companies often overlook. Asked about how social networking affected data security, Art Coviello suggested it has become a key avenue of malware infection. “Not unlike the physical world,” he says, “if you have an infection like the H1N1 virus (swine flu) and you go into a crowded nightclub, you’re going to spread that infection all across the nightclub. Hackers have found the social networks, and it’s very easy for you to pass on these pieces of malware across the social network environment. Our advice to organisations is that they ignore these phenomena at their peril, which is not to say ban them. To try to stop the proliferation is folly. To embrace it, but embrace it with a level of control, is the way to go about it.”

So, no matter which business sector you’re in, you will in some way be vulnerable to the myriad dangers lurking in cyberspace. As with space junk, even the smallest fragment can destroy your business operation, if not your company’s reputation as well. Here are three ways to be proactive and start protecting your company:

1. Know Exactly What You’re Up Against. The cyber challenge is not an ad hoc process, whereby you simply react to a perceived threat. It is constantly evolving and unrelenting in nature. You need to call in a group of professionals with a solid track record in such things as computer forensics, transactional analysis and fraud detection to map out for you not only the external cyber threats confronting your business but also internal vulnerabilities that make your organisation more susceptible to penetration than it needs to be. It’s a waste of time looking at one without the other. If you hire the right experts they will provide you with a thorough audit of your operations, the strengths and weaknesses of the electronic equipment you’re using and of specific danger spots in your business where human frailties and foibles beckon a hacker to “step this way”.

2. Plan for Ongoing Protection. While large corporations often have a security section devoted to the cyber challenge, most small and medium businesses don’t – nor can they afford to pay constant attention to it. Consider designating a staff member, whether it be your firm’s resident geek or someone else suitably qualified, to receive regular updates from the professional group you’ve called in and who can liaise with them as required. As CEO or manager you must be well acquainted – and be seen to be such – with every significant development in this security arena. As with a sense of corporate integrity, so too with security: it’s a disposition that starts at the top. Be prepared for occasional briefings that the professionals may choose to give to you, and you alone, in the first instance. Nowadays, cyber security is something that you need to stay on top of, as busy as you are. It is not something to be delegated and dismissed until a major executive decision has to be made. If you lack an informed overview your staff will pick it up quickly – and some may exploit it.

3. Think Big, and Outside the Square. Hardly any business can now isolate itself from cyber threats. No matter how insignificant a certain aspect of your business may seem to be, somebody in a vastly different place in today’s globalised system is likely to have a keen interest in knowing all about it. You don’t have to be involved in a major international tender process or in cutting-edge research and development to be targeted. A subcontractor or provider of component parts sometimes unwittingly offers the point of entry that someone else seeks. Equally, your company’s contribution to a larger process may be the missing link in a chain that someone else is trying to replicate. Don’t overlook the immense power that a foreign government’s intelligence apparatus has – whether electronic or human – if you possess something that’s vital to the growth of an industrial sector on the other side of the globe.

In short, don’t think you need to learn all this by yourself. The right group of professionals, especially with solid global and cross-cultural experience, can get you up to speed quickly – and keep you up to date. They can also brief your employees if necessary. Not to do this is to make your business a “sitting duck”.