Security has become sexy and it has become widely accepted. TV shows sport trendy security speak and security gadgets. Forensics is so popular that all the major networks have shows based in some part on forensics. Indiana Jones (Harrison Ford) starred in a movie named, oddly enough, Firewall. I thought Firewall was a much better movie than Swordfish with John Travolta and Halle Berry, even though Berry is much cuter than Ford. I would be remiss if I didn’t mention 24 or CSI:Everywhere.
For all the marketing, awareness, and research being poured into Security one might think we would be able to solve the rampant Security problems of the current era: Data Loss, Fraud, and Identity Theft. Unfortunately, there are two competing dichotomies undermining or taking advantage of security visible in the following observation: businesses often fail to embrace security, because of perceived costs or rigidness, until after it is too late, because criminals find security, or rather the lack of security, a very profitable proposition.
Looking at one aspect of why things are where they are:
Business: The Flaw with Consensus
In a perfect world, businesses map out their business model, identify their assets, determine their risks, and implement policies and measures to mitigate or accept those risks. Most businesses pick and choose security models inside their company based on their access needs and use of the data in these electronic storehouses. Security is always a balancing act because it gets in the way of a business’s bottom line and exceptions to newly implemented policy are often needed in order to continue business operations. As long as security is ruled by consensus, these compromises will leave lasting effects that can be leveraged by the bad guys.
The Security Landscape ends up being the sum of compromises instead of the artifact of Security Policies and Practices.
Enter The Bad Guys:
Unfortunately, the bad guys often have more interest, resources, and desire to exploit security than their would-be targets have to protect themselves. In fact, Organized Crime has more money to spend on and to be made from gaining access to electronic record storehouses than the businesses that own these electronic record storehouses typically invest in securing these storehouses. Sadly, the bad guys don’t care if their target is a Fortune 500 company or not.
Small businesses make as good a target as any major brand or corporation and because of the dependence on the Internet, more and more companies are exposing their information to more and more of the world. This exposure is universal and provides a virtual play ground for the bad guys to take advantage of these businesses through network probes, phishing, pharming, and botnet attacks.
If this weren’t enough, for a given business that manages to place adequate security in place, to thwart electronic trespassing, there is always the human factor. Disgruntled, under-paid employees litter the landscape of every organization on this planet who would welcome an unexpected payday for sharing their password or other sensitive information. its more efficient to probe the network defenses of a company than identify these disgruntled employees.
What can we do?
Know your business, identify the risks associated with how the business works, and carefully consider how to mitigate these risks. Take the time to understand the technology, people, and processes used in your business. Map out a security strategy that compliments the business.
It isn’t necessary to spend a fortune on security or have the latest and greatest widget from Cisco, IBM, or Microsoft. A good technology or security consultant can be worth their weight in gold. If your business is going to rely on technology, it would be wise to retain and listen to staff that fully understand said technology versus relying on product vendors who are notorious for over-promising ad under-delivering.
The saying is very true: an ounce of prevention is worth a pound of cure.