Information security, or cyber security, continues to worry businesses and governments alike, as hackers have repeatedly demonstrated that they can break into almost any network regardless of its security shields. The problem now is that the security landscape is becoming ever more complex, making it extremely difficult for organizations to secure their networks in the cloud and on-premise. A breach of the company network can result in negative publicity, lawsuits and loss of business. Security breaches have tarnished the image of numerous organizations in the past few years, including banks, retailers and online companies. All of us have read about Ashley Madison, Sony Pictures, JP Morgan Chase, eBay, Adobe, Heartland and RockYou, to name a few. These are some of the cases that managed to surface in the press; it is believed that many more go unreported, as companies prefer to maintain silence and absolute secrecy about them.
Given this challenging security landscape, Dataquest spoke to David DiCristofaro, partner, advisory services at KPMG, about how enterprises can deal with security threats. Excerpts:
How can you diagnose a potential security disaster in an organization?
Organizations are often challenged with hacks and breaches into their networks. However, the thinking mostly focuses on preventive controls, and they are slow to learn from incidents. The ability to handle breaches or security incidents matters a lot in today's world, since it is next to impossible to build a digital Fort Knox. Whatever steps you take, whatever solutions you implement or whatever shields you create, hackers have to succeed only once. What sets you apart is your reaction to the cyber incident. It is better that processes are set in place to deal with security incidents. The constant realization that you are being hacked or attacked is the best security measure any organization can take.
All things in IT are getting simpler, except for security. Is there hope that IT will become inherently secure in the future?
IT systems are becoming relatively simple and easy to use while they are getting more complex at the back end. With the increased complexity at the back end, there are increased opportunities for systems to become vulnerable. In these times, security requires focus beyond the normal, since the world is getting increasingly connected. Enterprises need to treat cyber security as a "board level agenda", which means CXOs need to consider cyber risk as business risk; otherwise organizations will not be able to deal with this risk comprehensively. CEOs and CXOs should be in active dialogue with CIOs and CISOs on the topic of security.
In addition, today's enterprises are not single entities; they have other key stakeholders, including suppliers, service providers, agencies and partners. All of these stakeholders play an extremely important role in managing the overall cyber risk of the enterprise. There are multiple cases where simple-sounding controls (such as access revocation for a third-party supplier) were not enforced, which led to an eventual cyber incident.
What does enterprise security have to do with people? How can people management in an organization help minimize security risk?
Enterprise security has multiple components, and one of the key components (which is also the most exploited) is the human element. The challenge with human risk is that it is very unpredictable and is almost always compounded by a lack of awareness.
Social engineering and phishing have emerged as one of the ways attackers break into enterprise systems and information, by gaining access to sensitive information through gullible or uninformed people. The risk extends beyond the boundaries of the enterprise, through third-party service providers and their resources and employees who have access to information.
Another area where organizations need to be mindful is whether the resources engaged to carry out ethical attacks (hackers hired by the company to break into its networks so that problems can be identified and fixed well before they hurt the company) have been assessed for their background. There have been instances where these attackers did not report the vulnerabilities to the enterprise and instead exploited them under the guise of someone else.
How can enterprises deal with the challenges that emerge after adopting a hybrid cloud? Dealing with both private and public environments makes management complex, doesn't it?
Cloud adoption is no longer a question that gets a negative response due to security considerations. It has become a key component for organizations to leverage the power of the cloud while ensuring that the associated security controls are also deployed.
Organizations have to work with service providers to protect their cloud environment, especially at a time when BYOD (Bring Your Own Device) has become an accepted trend globally. Organizations can identify which applications can be hosted in the public cloud and which in private environments. They can deploy adequate layers to curb potential data theft risks. The most critical data can be confined to the private environments.
The most important part of the cloud journey is the kind of partner you are working with. Organizations should work with trusted, experienced and reliable cloud providers. We believe that as the market matures, only trusted partners will matter in the cloud journey. Given the eventual rise of trusted partners, the cloud will be more secure in the future.
What are the best ways to deal with cross-border cyber thefts?
Cross-border cyber theft is a reality, and organizations need to be prepared to deal with it. The challenge emerges because large global organizations spread across regions and open subsidiaries there to tap into resources, skills and, at times, tax advantages; however, these organizations have now been hit with the reality that this can also expose them to increased cross-border cyber threats and crimes. The complexity is heightened because there is no single common standard law to deal with these incidents, and in the virtual world it is in any case extremely difficult to establish the real identity of individuals.
Organizations need to recognize this risk as part of business-as-usual (BAU) operations and build an adequate control environment to deal with it.