By Theresa Schwab
Recently a manufacturing company came to me wanting assistance with their network. Apparently, the company who sold the network equipment was only good at installation, but not as good with supporting the equipment. Installing security equipment without properly configuring it is like driving a car with seatbelts but not actually wearing them.
A firewall is the first and most important level of protection for any network. This company’s firewall was not logging events such as successful connections, failed connection attempts and more. As a direct result, we saw a seemingly persistent attempt from suspicious individuals in foreign countries attempting to hack into the company’s network. Without event logging, no one would know that their network was at risk until they had a breach and there would be little that could be done to reverse the damage caused or trace the origination point.
In today’s world, CEOs have little choice but to address security issues both proactively and aggressively like this manufacturing company. The Austin-based intelligence company Stratfor waited until they experienced a severe breach of client information to actually address their network security, which is significantly more costly in terms of dollars, professional reputation and related downtime fixing the issue and then instituting the preventive measures to stop any future attempts on the network.
We live in a society where technology is constantly changing and the hackers are continuously adapting to those changes. In these uncertain and difficult times, prudence demands an extremely conservative and proactive approach to security issues both from a maintenance plan as well as a replacement budget for outdated equipment. Most of today’s users demand to use technology in new ways that leaves the IT professionals playing “catch up” – most of the time without success – which results in further stress points within the company’s organization in terms of communications between various departments, rollouts to accommodate the newly needed equipment and training to keep up to speed on the new technologies. Unfortunately, it takes a Stratfor-like breach to wake up a CEO and force the implementation of security policies and then hold an emergency meeting with the CFO to allocate budget for IT security tools and training. By that time, the CIO and the rest of the IT team are in reactionary mode, frustrated and stressed, and more often than not more mistakes are made. Fortunately, there is a solution, or at least the beginnings of one: Conduct a simple SWOT analysis that addresses threats and trends noted in reports; further explained in CRN’s 10 Security Predictions for 2012 or Kroll’s 2012 Cyber Security Forecast. Of those noted, these worry me the most:
Small and Medium Businesses (SMBs) Are Easy Targets
Unlike their enterprise counterparts, SMBs lack huge budgets and staff to address all the threats and vulnerabilities on the horizon in a timely manner. Targeted attacks like the Stratfor incident garner lots of attention, but the majority of hackers and cyber thieves are only looking for the path of least resistance which frequently leads to SMBs and that doesn’t make headlines. For example, one company had no idea their web server was breached and used to host a phishing scheme aimed at obtaining credit card information. Until they received a certified cease and desist letter from the spoofed Fortune 500 company’s law firm, they never knew the breach occurred because all of their applications still worked as they always had. This breach could have been prevented by routine maintenance and patching of the affected server or simply reviewing the firewall logs and addressing issues. If this work isn’t done in house, management must hire a company to do it for them and verify, verify, verify.
According to CNN Money, the number of wireless devices in the United States now exceeds the number of people actually living here. Calays, an IT research firm, estimates that smart phones outsold PCs in 2011. Each device connected to the business network becomes the business’ problem. Managing threats and vulnerabilities on a seemingly endless list of devices with countless software revisions can be overwhelming to most IT departments. Any one of these devices could introduce malware on the business network resulting in breaches of credit card data, banking information, consumer health records, or proprietary information. By far Android devices pose the greatest mobile device risk on the business network. Juniper Networks reports Android malware quadrupling late last year. Thankfully, Reuters reported last week that Google has been monitoring its app store for malware. Only time will tell if Android continues to pose a significant risk in the business network. In the meantime, businesses can enact mobile device standards and IT departments can use Mobile Device Management software to manage, monitor and secure devices accessing their network.
Not long ago most people were confused and had little knowledge of cloud computing. In fact, for a long time the industry couldn’t agree on a definition, let alone agree to any standards. As cloud computing becomes more understood and socially accepted, security concerns only become more amplified. Without industry standards, the onus is on the business to conduct thorough due diligence before adopting cloud computing. For businesses lacking the knowledge and skills to thoroughly conduct due diligence, a cloud consultant is crucial to helping executives to make the best business decision. In many cases, cloud computing is a more secure way of accessing and storing data. Reputable cloud providers typically have large budgets for physical security and very well trained technical teams.
My job as a consultant is to educate CEOs to make conscious decisions when it comes to securing their business. They have the choice to either address security concerns now through policies, procedures, and hardware/software controls, or address them at some later date, hopefully before a Stratfor-like incident.
With more than twenty years of IT experience, Theresa Schwab frees executives from worrying about their technology. Theresa is President of Austin-base CMIT Solutions, and can be contacted at: firstname.lastname@example.org
Are you interested in being a #CEO? Join us for a two-day seminar in February on how to achieve—and excel in—the #CEO role. Early bird pricing is in effect, so register today! eventbrite.com/e/aspiring-ceo…