The Quest for a Culture of Security
We still treat security the same way we do sexual harassment: an unpleasant chore. Maybe your organization has occasional security training days for end users but probably not. Security isn't in our culture. It isn't a daily part of our work lives. Sure, we apply patches, but that's more or less it.
Yet, over the past couple of years, attackers have stopped being just script kiddies looking to deface a Web site and claim credit. Information theft is big business. Customer credit cards sell for real money, as do lists of names, addresses, social security numbers and e-mail addresses. With the right customer information, I can send out phishing e-mails pretending to be you, someone the customer already knows and trusts. From there, I can get customers to do all kinds of things in your name.
Make no mistake: Your company has already been targeted and tested. Hackers have already probed your firewall as well as your Web site. Perhaps the thieves haven't yet found a way in, or they may very well have gotten in. Attackers no longer disclose their breaches -- they're hoarding that information to maintain its value.
Let's take a quiz to see if security is truly a part of your organization's culture.
- If an exploit is found in any software, do you have a response plan? I have some customers who routinely let departments and divisions stand up new public-facing Web sites without even a nod to the IT staff. When Heartbleed broke, IT had no idea what their exposure was, let alone what machines would need patching. If you don't have accurate software inventories, you'll be scrambling.
- Do you use multi-factor authentication? Target's now-unemployed CIO and CEO probably wish they had. Passwords are very easy to crack now through social engineering, regardless of how long and complex they are. Two-factor authentication is cheap, easy to implement (it's been around for more than a decade) and doesn't hassle your users. Every user will welcome no longer having to remember long, constantly changing passwords! Most environments can implement two-factor authentication for a few dollars per user and eliminate annoying account lockout calls.
- Do you train users? Do your users think about where they leave printouts lying around the office? If not, then they probably don't worry much about the information they divulge via e-mail or over the phone, either. Humans can't remain vigilant 24x7, and so vigilance has to become routine, built-in and automatic.
- How much money could you lose if data was stolen? If you don't know, you're probably not making good, metrics-based decisions when it comes to security. After all, without knowing your level of risk, you can't decide how much it's worth spending to mitigate it. But the risks can be severe: A small restaurant that lets go of a couple of hundred customer credit card accounts could be looking at millions in losses and fines. That's enough to instantly kill a small business, so it's worth a few bucks to keep it from happening.
I find that companies worry more about making sure their data and services are available than making sure they're protected. Perfect example: I was at a bar where a large consumer products company was having a mixer. I was able to easily pick up the simple, single-factor, four-digit PIN one woman used to unlock her iPhone, and easily pick out details from her corporate e-mail. Details like her name, other employees' names, the company name and so on -- all information I could readily use to launch a successful social engineering attack to gain access to even more information.
And that's how it works. That company has allowed its employees to carry sensitive data right out of the office, on an extremely non-secure device, and to display that information freely to complete strangers.
Our corporate culture values many things: long workdays, always-connected employees, fiscal efficiency and more. We need to add information security to that mix. It is part of your business, whether you care or not.
Don Jones is a 12-year industry veteran, author of more than 45 technology books and an in-demand speaker at industry events worldwide. His broad technological background, combined with his years of managerial-level business experience, makes him a sought-after consultant by companies that want to better align their technology resources to their business direction. Jones is a contributor to TechNet Magazine and Redmond, and writes a blog at ConcentratedTech.com.