What CIOs Ought to know about Building a Secure Workplace
Information security has always been one of the core concerns of CIOs.
And this will be no different in 2016: a study by TechTarget found that 27% of IT leaders chose IT security as the top IT project for the year.
While the specific tactics and tools needed to secure the workplace will vary from company to company and from industry to industry, what remains consistent is the importance of a security-conscious culture.
And building a culture of security is much harder than drafting policies or acquiring an expensive intrusion detection system.
Because let’s face it, the problem has always been between the keyboard and the chair: no amount of stringent technical controls can compensate for the human element.
Target, the big-box retailer, suffered a data breach in late 2013 when attackers made off with 110 million credit/debit card credentials of Target customers. The information stolen included:
Target suffered a massive blow to its brand in the aftermath of the attack. Its transactions during the peak holiday shopping season fell 3 to 4%, with losses worth millions of dollars.
It had to slash its revenue and growth numbers, lay off 475 employees and leave 700 posts unfilled.
It is estimated that the data breach alone cost Target around $200m.
A post mortem of the breach indicated that Target’s systems were not directly targeted by the attackers.
The attackers backed their way into Target’s corporate network by compromising a third-party vendor, Fazio Mechanical, a refrigeration contractor.
A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for — Fazio Mechanical’s login credentials.
At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned Fazio used the free version of Malwarebytes anti-malware, which offered no real-time protection.
After accessing Target’s internal network through its vendor portal, the attackers started scouting for vulnerabilities. IPS/IDS systems flagged the suspicious activity, “but the warning went unheeded”.
Malicious software eventually wormed its way into the company’s POS systems and siphoned credit card data over a period of months.
See how the root cause had nothing to do with technology? It had to do with policies and humans.
What if the vendor employee hadn’t opened the phishing email?
What if Target had insisted that all vendors use standard security software?
What if Target had better logging policies to catch system warnings from security systems already deployed?
Back in 2009 reports emerged that Iran’s nuclear reactors were crippled by a worm called Stuxnet (its code is openly available) which disabled the centrifuges.
If a worm can shut down industrial equipment that is not even connected to the Internet, think what it can do to your workplace, where everyone has a mobile device and is always connected to the cloud.
Here’s what you as a CIO should think about when it comes to securing the network:
1) User education
This is by far the hardest job, but the most essential. Every user can be a potential ingress point for attackers, whether through a carelessly clicked link on an email or by neglecting to update their mobile app.
Regular education about the risks out there, as well as the mitigation factors available should be part of your plan.
2) Security first design
Security considerations should permeate through every service, internal or external, that the organization uses. You must sensitize your colleagues about the dangers and the prohibitive costs associated with security as an afterthought.
3) Manage access
More often than not security incidents are caused by insider threats. You will have to build policies which determine how employees are treated by the system in the context of access to corporate digital assets through the entire period of their association with the organization.
There is also the need to have a limited number of heavily monitored access points into the core network, so that suspicious traffic can be spotted easily.
4) Involve external stakeholders
Like in the Target breach where an external contractor was the unknowing conduit, security must not stop at the edge of the network.
You must also think about the security of third party systems over which you have no direct control, and ensure that their processes are aligned with yours.
For most people, security is often trumped by usability. For example, if you adopt two-factor authentication and offer it as an option, most users would prefer to stick to the older username-and-password regimen.
A CIO must be sensitive to such concerns as well while considering the implications of security policies, and work with everyone to build a consensus around security.