By Chuan-Wei Hoo
Every day, new streams of information flow into organizations, powering up-to-the-minute analysis and smarter decisions. Employees, customers and partners are all connected as never before, across a multitude of technologies.
Yet these sprawling and overlapping networks pose daunting security challenges. The complexity is dizzying, the possible points of attack near limitless.
Is strong security even possible in a hyper-connected era? The answer is yes, but it requires fundamental changes in processes and attitudes.
At IBM, we have implemented our own strategy in-house and mapped out the ten security essentials that we think every CIO needs to know to achieve security intelligence in the 21st Century.
It?s no secret that people today can summon brainpower and gigabytes of data in an instant, and use them to make faster and far better informed decisions. Yet the very strengths of these interconnected networks ? their speed and openness, the easy access anywhere on the globe ? also create a myriad of vulnerabilities.
And the job of securing a corporation?s network grows infinitely more complex as information pours in from thousands of devices and through scores of public web-based services.
In such an environment, access is easy for everyone involved ? all too often including criminal organizations. Crime rings now regard Internet-connected PCs and mobile devices as prime real estate. By infecting devices with hard-to-detect malware, they extend their bases of operations.
For thieves, corporate networks are bursting with digital treasures, including passwords, user IDs, business secrets, and personal information. Digital intruders also target strategic assets, from government ministries to communications networks. Some are out to disrupt business operations.
Gartner?s estimate is that 20 to 30 percent of consumer PCs has been compromised by botnets and malware that can be used as infrastructure for criminal operations. With many firms considering the enterprise use of personally owned devices, the potential for infection is a very real concern.
Which information should be shared broadly? Who should have access to certain jewels, and how will they be protected? Together, the technical and strategic challenges reach a dizzying complexity.
And while the temptation may be to respond with solutions every bit as complex, far-sighted executives realize that such escalation is untenable, unaffordable and, ultimately, fruitless.
The only answer is to change, at a fundamental level, the way companies operate. It starts with expanding the mission of enterprise security, from the tech staff and their machines to every person within the company, and everyone who does business with it.
This is only fitting: since each person poses a potential breach, each one must also represent a piece of the solution. In the end, success hinges upon creating a strong and persistent awareness: a risk-aware culture.
A risk-aware culture demands more than up-to-date technology and extends far beyond best practices. It represents a new way of thinking, one in which a pragmatic approach to security informs every decision and procedure at every level of the company.
This must recast the way people handle information, from the C-level leaders to summer interns. In such a culture, secure procedures for data become second nature, much like fastening a seat belt or storing matches in a safe place.
10 security essentials
1. Build a risk-aware culture — The idea is elementary. Every single person can infect the organization, whether it?s from clicking a dubious attachment or failing to install a security patch on a smart phone. So the effort to create a secure enterprise must include everyone. Building a risk-aware culture involves setting out the risks and goals, and spreading the word about them. But the important change is cultural. Think of the knee-jerk reaction ? the horror ? that many experience if they see a parent yammering on a cell phone while a child runs into the street.
2. Manage incidents and respond — Say that two similar security incidents take place, one in Brazil, the other in Pittsburgh. They may be related. But without the security intelligence needed to link them, an important pattern ? one that could indicate a potential incident ? may go unnoticed. A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system will enable an enterprise to monitor its operations ? and respond quickly.
3. Defend the workplace — Cybercriminals are constantly probing for weaknesses. Each work station, laptop or smart phone provides a potential opening for malicious attacks. The settings on each device must not be left up to individuals or autonomous groups. They must all be subject to centralized management and enforcement. And the streams of data within an enterprise have to be classified, each one with its own risk profile and routed solely to its circle of users. Securing the work force means vanquishing chaos and replacing it with confidence.
4. Security by design — Imagine if the auto companies manufactured their cars without seat belts or airbags, and then added them later, following scares or accidents. It would be both senseless and outrageously expensive. In much the same way, one of the biggest vulnerabilities in information systems ? and wastes of money ? comes from implementing services first, and then adding security on as an afterthought. The only solution is to build in security from beginning, and to carry out regular automated tests to track compliance. This also saves money. If it costs an extra $60 to build a security feature into an application, it may cost up to 100 times as much ? $6,000 ? to add it later.
5. Keep it clean — It happens all the time. People stick with old software programs because they know them, and they?re comfortable. But managing updates on a hodgepodge of software can be next to impossible. Additionally, software companies sometimes stop making patches for old programs. Cyber criminals know this all too well. In a secure system, administrators can keep track of every program that?s running, can be confident that it?s current, and can have a comprehensive system in place to install updates and patches as they?re released. Balance managing risk and enabling innovation
6. Control network access — Consider urban crime. Policing would be far easier if every vehicle in a city carried a unique radio tag and traveled only along a handful of thoroughfares, each of them lined with sensors. The same is true of data. Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware.
7. Security in the clouds — Cloud computing promises enormous efficiencies. But it can come with some risk. If an enterprise is migrating certain IT services to a cloud computing, it will be in close quarters with lots of others ? possibly including scam artists. In that sense, a cloud is like a hotel in which a certain percentage of the customers have bubonic plague. To thrive in this environment, guests must have the tools and procedures to isolate themselves from the others, and to monitor possible threats.
8. Patrol the neighborhood — Say a contractor needs access to the system. How do you make sure she has the right passwords? Leave them on a notepad? Send them on a text message? Such improvising has risk. An enterprise?s culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago. And the logic is the same: security, like excellence, should be infused in the entire ecosystem. The ruinous effects of carelessness in one company can convulse entire sectors of society.
9. Protect the company jewels — Somewhere in the trove lie the company?s critical jewels, perhaps its scientific and technical data, maybe some documents regarding possible mergers and acquisitions, or clients? non-public financial information. Each enterprise should carry out an inventory, with the critical data getting special treatment. Each priority item should be guarded, tracked, and encrypted as if the company?s survival hinged on it. In some cases it may.
10. Track who?s who — Say a contractor gets hired full time. Six months pass and she gets a promotion. A year later, a competitor swoops in and hires her. How does the system treat that person over time? It must first give her limited access to data, then opening more doors before finally cutting her off. This is managing the identity life cycle. It?s vital. Companies that mismanage it are operating in the dark and could be vulnerable to intrusions. This risk can be addressed by implementing meticulous systems to identify the people, manage their permissions, and revoke them as soon as they depart.
The author is the executive security advisor for the Asia Pacific Security Tiger Team of IBM