Data Security

Is Your Head in the Cyber Security Sand?

By |April 9th, 2015|Categories: security|Tags: , , , , , , |Comments Off on Is Your Head in the Cyber Security Sand?

“We started as a relatively small company. Through success and internal growth along with some acquisitions, we are now a medium- sized company using the same policies and processes as when we first started.”

Does this sound familiar?

If so, take solace in knowing that you are not alone, but things have to change. For many companies, growth has outpaced their policies and processes, which can be a risky situation, especially in cyber security.

In information security, due care means “acting responsibly and doing the right things.” While information security is a very complex field, there are certain basic building blocks that must be in place for every company.

Ask yourself:

Do you know your company’s most important assets, where they are located, and how they are protected?
Do your employees understand their role in information security?
Do you understand the major vulnerabilities within your company?
Do you know the major threats and threat agents to your company / industry?
Do you know how your company would respond in the event of a cyber attack?
When the topic of cyber security comes up, most people think about firewalls, intrusion protection/detection systems, and other technical solutions. While these are inevitably part of the solution space, if you are hesitant or unsure of the answers to any of the questions listed above, you could be negligent in providing “due care” for your company.

You probably understand the things that need to be done to make your company secure from an information perspective. Nevertheless, not taking action—even by doing something as small as raising the issue with your leadership—can be construed as not “acting responsibly.” Knowing what to do and actually doing it are two completely different things. There will always be the “hot,” critical project that needs
[ Read More ]

CIOs—Unsung Heroes

By |March 25th, 2015|Categories: security|Tags: , , , , , , , , , |Comments Off on CIOs—Unsung Heroes

In my 35+ years of being a corporate change agent, and now at the helm of my own consultancy, I have worked with all levels of the C-suite, and I have to say the CIO role is by far the most difficult. There are numerous reasons for this, not the least of which is an outdated model of the C-suite itself.

The fact is that most companies still view IT and the CIO role through the narrow lens of providing technology-based services; they have not broadened that view to take into account the stunning changes wrought by digital technology. IT is no longer simply responsible for building, operating, and maintaining infrastructure; it’s responsible for data governance, driving growth through data analytics, cyber security, connectivity and integration. However, since most organizations are peering through the old lens of IT-as-service-provider, they are blind to IT as a revenue-producer. The irony here is that Sales, Marketing, R&D, Finance, and HR—those typically considered revenue-producing—are only able to do what they do because of IT and IT’s ability to stay ahead of the curve.

According to a recent IBM study of 4,100 C-suite executives, only 42% of CIOs were involved in strategy, as opposed to 72% for CFOs and 63% for CMOs. This is puzzling. Since IT touches everything, the CIO has an enterprise-wide vision that would be invaluable in integrating an enterprise-wide strategy. Luckily, the IBM study suggests that this is turning around—the CIO is soon going to be considered one of the C-suite “triumvirate,”: CEO, CIO, CMO.

Another reason the CIO role is more difficult than most is that it bears sole responsibility for ensuring business continuity through critical service level agreements that define uptime, availability and redundancy.
[ Read More ]

ASSESSING YOUR ORGANIZATION’S CYBER SECURITY: THINK YOU’RE UP TO IT?

By |March 11th, 2015|Categories: Risk Assessment|Tags: , , , , , , , , , |Comments Off on ASSESSING YOUR ORGANIZATION’S CYBER SECURITY: THINK YOU’RE UP TO IT?

The Enron debacle will forevermore be a parable about delusional self-auditing. In much the same way, Cyber Security should never be assessed using internal staff and mechanisms, the ramifications of missing something are simply too great.

According to Cenzic ‘s Application Vulnerability Trends Report: 2014, “While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure, not enough organizations have comprehensive tools and practices in place for securing applications.” Faced with a worldwide shortage of Cyber Security professionals (Cyber Security has only recently become a discipline one may major in!), and companies unable to afford the overhead necessary for the requisite training, this situation is not surprising. Bad news for you. Good news for hackers.

Still think you can go it alone? Do you really understand the sheer magnitude of possible vulnerabilities? Here’s a sobering thought: Everything on the network is hackable. Everything—from your corporate computers to a 3rd party vendor to your employees’ Smartphones. Add to this the risky behaviors employees can engage in—sharing passwords, inappropriate web browsing, copying sensitive data onto mobile devices—and you’ve got exposure. Lots of it.

An objective Cyber Security assessment can assist with evaluation and establishment of controls to:

Implement an information risk management program
Ensure network security is adequate, including boundary and internal
Guide user education and awareness
Verify malware protection and prevention
Deal with secure configuration and patch management for devices (network, servers, PCs)
Manage user access and privileges
Handle incident management
Assist with home and mobile working

If you feel you aren’t ready to tackle all the items above, you should at least undertake a basic evaluation to consider only the most foundational building blocks for cyber security.

In a survey of its 3,400 global members,
[ Read More ]

Cyber Security: No Company is Too Small

By |February 25th, 2015|Categories: Security Assessment|Tags: , , , , , , |Comments Off on Cyber Security: No Company is Too Small

CYBER ATTACKS: NO COMPANY IS too small

Many companies think because they are small they are immune to a cyber attack—after all, they do not have the net worth of, say, Target ($38B) or Home Depot ($55B) or Walmart ($250B). This is a dangerous misconception. The fact is, whether you are worth millions or billions you are at risk, and your insignificant size might be the very thing putting you in jeopardy.

What makes a small business attractive to hackers? For one thing, smaller enterprises often don’t have the resources to implement the programs and training necessary to prevent, detect, and recover from attacks. Larger organizations do have the resources (including insurance) to weather a breach, but smaller ones may suffer irreparable damage. Another attractive difference is that while larger companies have a more holistic, integral view of IT security that extends across an enterprise, smaller companies tend to have a more myopic view where IT security is relegated to, well, IT. In addition, since smaller companies often have less sophisticated firewalls and detection programs, they may be targeted as a portal for later use as conduits to larger organizations. For example, preliminary investigations indicate that the mess at Target may have been initiated by an employee of their HVAC vendor who opened a malware-laden email. It has been said that you are only as strong as your weakest link, and all too often, that link is human.

Whether you recognize it or not, your organization’s systems and data are exposed in countless ways, including via mobile apps, third party vendors, remote employees, former employees, cloud storage, weak passwords, neglected legacy systems, and social media. In its September 30th report, Managing Cyber Risks in an Interconnected World:
[ Read More ]