Information security has always been one of the core concerns of CIOs.
And this will be no different in 2016: a study by TechTarget found that 27% of IT leaders chose IT security as the top IT project for the year.
While the specific tactics and tools needed to secure the workplace vary from company to company and industry to industry, what remains consistent is the importance of a security-conscious culture.
And building a culture of security is much harder than drafting policies or acquiring an expensive intrusion detection system.
Because, let's face it, the problem has always been between the keyboard and the chair: no amount of stringent technical controls can fully compensate for the human element.
Anatomy of an attack
Target, the big box retailer, suffered a data breach in late 2013 in which attackers made off with the payment card data of about 40 million customers and the personal information of up to 70 million more; the two groups overlap, for a combined total of as many as 110 million people affected. The information stolen included:
- Credit and debit card numbers.
- Expiration dates.
- Encrypted PINs.
- Personal information (names, email addresses, phone numbers, mailing addresses) of up to 70 million additional customers.
Target suffered a massive blow to its brand in the aftermath of the attack. Its transactions during the peak holiday shopping season fell 3 to 4%, with losses worth millions of dollars.
It had to slash its revenue and growth numbers, lay off 475 employees and leave 700 posts unfilled.
It is estimated that the data breach alone cost Target around $200m.
A post mortem of the breach indicated that Target’s systems were not directly targeted by the attackers.
The attackers backed their way into Target's corporate network by compromising a third-party vendor, Fazio Mechanical, a refrigeration and HVAC contractor.
A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for — Fazio Mechanical’s login credentials.
At the time of the breach, all major enterprise anti-malware products detected Citadel. Unconfirmed reports said Fazio relied on the free version of Malwarebytes Anti-Malware, which is licensed for personal use only and offers no real-time protection; it only catches what is already on disk when a manual scan is run.
After accessing Target’s internal network through its vendor portal the attackers started scouting for vulnerabilities. IPS/IDS systems flagged the suspicious activity “but the warning went unheeded”.
Malicious software eventually made its way onto the company's POS systems and siphoned card data from memory as it was swiped, over a window of roughly three weeks from late November to mid-December 2013.
See how the root cause was not a missing piece of technology? The detection system fired. The failure was in policies and people: a vendor with inadequate endpoint protection, vendor credentials that reached the internal network, and an alert nobody acted on.
What if the vendor employee hadn’t opened the phishing email?
What if Target had insisted that all vendors with network access run endpoint protection with real-time scanning, and had verified it?
What if Target had better logging policies to catch system warnings from security systems already deployed?
Prerequisites of a secure network
In 2010 reports emerged that a worm called Stuxnet (samples of which have since been widely analyzed) had sabotaged the centrifuges at Iran's uranium enrichment facility at Natanz. The plant's network was not connected to the internet; the worm reached it on removable media carried in by people, a reminder that even an air gap is only as strong as the humans and processes around it.
Here’s what you as a CIO should think about when it comes to securing the network:
1) User education
This is by far the hardest job, but the most essential. Every user can be a potential ingress point for attackers, whether through a carelessly clicked link on an email or by neglecting to update their mobile app.
Regular education about the risks out there, as well as the mitigation factors available should be part of your plan.
2) Security first design
Security considerations should permeate through every service, internal or external, that the organization uses. You must sensitize your colleagues about the dangers and the prohibitive costs associated with security as an afterthought.
3) Manage access
A large share of security incidents involve insiders, whether malicious or merely careless. You will have to build policies that determine what access employees and contractors have to corporate digital assets at every stage of their association with the organization: when they join, when they change roles, and when they leave. Access that outlives its purpose is a standing invitation.
There is also a need to limit the number of entry points into the core network to a small set of heavily instrumented gateways, so that suspicious traffic has few places to hide and can actually be watched.
4) Involve external stakeholders
Like in the Target breach where an external contractor was the unknowing conduit, security must not stop at the edge of the network.
You must also think about the security of third party systems over which you have no direct control, and ensure that their processes are aligned with yours.
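Items 3 and 4 above come down to one recurring question: does every enabled account still have a live reason to exist? The script below is an added example written for this article, not a tool from Target or any vendor. It reconciles a constructed account list against a constructed HR roster and vendor register (all names, fields and thresholds are assumptions) and flags the four cases a joiner/mover/leaver policy has to catch: accounts whose owner has left, accounts that kept group membership from a previous role, vendor accounts whose contract has ended, and accounts with no owner on record at all; it also flags any account dormant beyond a threshold, which is how an abandoned vendor login tends to look from the inside.

```python
# Added example (not from the original article): reconcile the account directory
# against the HR roster and the vendor register to find access that should no
# longer exist. Data shapes, names and thresholds are assumptions for the example.
from datetime import date

# Constructed sample data.
HR_ROSTER = {
    "e100": {"name": "A. Employee", "status": "active", "left": None},
    "e101": {"name": "B. Mover", "status": "active", "left": None, "dept": "finance"},
    "e102": {"name": "C. Leaver", "status": "terminated", "left": date(2015, 11, 30)},
}
VENDOR_REGISTER = {
    "v200": {"name": "HVAC contractor", "contract_end": date(2015, 12, 31)},
    "v201": {"name": "Payroll SaaS", "contract_end": date(2017, 6, 30)},
}
ACCOUNTS = [
    {"user": "aemployee", "owner": "e100", "enabled": True, "last_login": date(2016, 1, 10), "groups": {"staff"}},
    {"user": "bmover", "owner": "e101", "enabled": True, "last_login": date(2016, 1, 9), "groups": {"staff", "warehouse-admin"}},
    {"user": "cleaver", "owner": "e102", "enabled": True, "last_login": date(2015, 11, 28), "groups": {"staff"}},
    {"user": "hvac-portal", "owner": "v200", "enabled": True, "last_login": date(2015, 9, 1), "groups": {"vendor-portal"}},
    {"user": "payroll-svc", "owner": "v201", "enabled": True, "last_login": date(2016, 1, 11), "groups": {"vendor-portal"}},
    {"user": "oldtemp", "owner": "e999", "enabled": True, "last_login": date(2015, 3, 1), "groups": {"staff"}},
]
# Mover rule: groups a department must not carry (finance staff do not administer warehouses).
DEPT_FORBIDDEN_GROUPS = {"finance": {"warehouse-admin"}}

TODAY = date(2016, 1, 15)


def reconcile(accounts, hr, vendors, today, dormant_days=90):
    """Return (user, kind, detail) findings for enabled accounts that violate the
    access lifecycle: leaver, mover, vendor-expired, orphan, dormant."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this check
        owner = acct["owner"]
        if owner in hr:
            person = hr[owner]
            if person["status"] != "active":
                findings.append((acct["user"], "leaver", f"owner terminated {person['left']}"))
            forbidden = DEPT_FORBIDDEN_GROUPS.get(person.get("dept"), set()) & acct["groups"]
            if forbidden:
                findings.append((acct["user"], "mover",
                                 f"holds {sorted(forbidden)} not allowed for {person['dept']}"))
        elif owner in vendors:
            vendor = vendors[owner]
            if vendor["contract_end"] < today:
                findings.append((acct["user"], "vendor-expired",
                                 f"contract with {vendor['name']} ended {vendor['contract_end']}"))
        else:
            findings.append((acct["user"], "orphan", "no owner in HR roster or vendor register"))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "dormant", f"last login {acct['last_login']}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in reconcile(ACCOUNTS, HR_ROSTER, VENDOR_REGISTER, TODAY):
        print(f"{kind:15} {user:12} {detail}")
```

On the sample data the two accounts that behave correctly, aemployee and payroll-svc, produce nothing; the other four produce six findings between them, because the expired vendor login and the orphaned temp account are each flagged twice (once for the lifecycle violation, once for dormancy). The point of running this as a scheduled job rather than a one-off audit is the vendor case: a contractor's portal account that nobody disables is exactly the conduit that led into Target, and the contract end date is a fact your organization already holds.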
For most people, usability trumps security. For example, if you adopt two-factor authentication but offer it only as an option, most users will stick with the old username-and-password routine, and the control protects no one.
A CIO needs to be sensitive to such concerns while weighing the implications of security policies, and to work with everyone to build a consensus around security.