By Peter Rietveld. Security is difficult stuff – high tech by whiz kids that outsmart the best defenses. You may feel that nothing can stop that – that is what the press says, right? They are wrong. High tech attacks do happen, but not too often since in reality very simple attacks work just as well, due to the cluelessness of most organizations not covering basics. It will be a simple attack that brings down your company. Even if the direct damage is limited, the press will jump on it destroying your customers’ trust and eventually the company. Or some regulatory power comes jumping in with a major fine for non-compliance. Especially since that very basic attack could have been easily defeated.
Don’t think your company will never be a target, since you are in something trivial to criminals, say like home improvement. Well, that is what the people from Home Depot must have thought until they were owned last September, owned big time. Target, breached last year, lost 14% in stock value and 46% of its profits in Q42013 due to the impact in customer and stock market sentiment. Fixing the damage set Target back for another whopping $146 million. Home Depot is still crunching the numbers but it doesn’t look good.
It may be your employer that folds at the next major security incident. Or maybe they’ll just have to downsize which may not affect you as you are indispensable and extremely talented and your manager knows that and protects you. But then again they may downsize that manager and that leaves you with exactly nothing. So think again and stop dreaming. Now is the time to act. Ask your security office these nine questions: it may take you half an hour but it may save your house and your savings. Remember, you are a stakeholder too.
To help you prepare I set up a list to verify your employer’s security posture. If more than two of the key indicators listed below score a YES, devise a plan B which boils down to finding another place to work and sell any stock in your company that you have. Just in case, you know. If the score is over five, forget plan A and start executing plan B. And presto! Mortgage installments secured!
- When you report finding sensitive company information on the internet and the Security Officer tells you that ‘the internet’ is not in scope.
- When the company decides to outsource security as it is too complex to manage.
- When the company expects to improve security in a Security Awareness program that basically educates users not ‘to click on all attachments, unless it is from a reliable source’.
- When management leaves managing security to the IT people since it has to do with computers.
- When the Security department is researching whether to allow BYOD and adopting ‘the Cloud’.
- When the security policy does not mention secure disposing of printers.
- When InfoSec budgets are frozen because you’ve reached compliant status.
- When the legal department is set to veto decisions in an intrusion response plan.
- When the company assumes that since they’ve hired the best security specialist, they are secure.
Of course these are not the only relevant questions. But they illustrate the most dangerous fallacies around.
Note that if they don’t understand what you’re on about; mark that as a definite plan YES. If they won’t answer a question, it is because you just caught them pants down. Another YES. And if your company doesn’t have anyone ‘on security’, proceed to plan B right now.
And – just in case – you lack the time to describe how these points should be handled in clear writing for your soon to be former employer or coworkers, here is a cheat sheet:
- The sensitive information somehow got out on the internet, so there has been a breach of security anyway. If you may not be able to have the information taken down is not the end of the story – security is not just about plugging or preventing leaks but also about acting on them. The breach must be communicated to everyone that could be affected, even outside the company. In many cases that is compulsory by law, in some cases even by criminal law. But when the CEO does jail time, you’ll still be out of work, so don’t gloat.
- Outsourcing security is blame shifting to an external supplier. Remember, you can’t outsource what you can’t manage – and you will still have to manage what you outsource, but with several extra layers added. When managing security is too difficult, adding more parties to the mix will only increase the complexity. Make it as simple as you can – which will never be simple and less so in the future – and deal with it. Study and organize.
- An awareness program telling users to ‘just be careful’ is IT blame shifting to the end-user. The end-user can’t verify the validity of the source of an e-mail. Attackers go to significant lengths to appear to be trustworthy. IT however can verify the sender. IT can filter bogus mail on the email servers; this is what spam-filters do. End users however have no choice but to trust IT.
- Having IT manage security is lethal. IT will use ‘security’ to protect their jobs and their leisure: “No you can’t buy this product or use that cloud service as it is not secure”. Which actually means “our competition is no good” or “I have better things to do than look into something I don’t know”. What do you expect; you are asking the Turkey about the menu for Christmas. Also, to IT a security issue is something to fix just as any other incident. If the patch doesn’t work it’ll just be a new ‘incident’, grading way below giving network access to the CEO’s newest iPhone. Security is a different trade, as remote from system administration as baking an egg. These responsibilities just can’t be in one hand.
- When they are still discussing if BYOD or cloud is secure they are living in denial. Today’s employees have better applications in the cloud than they have at work. They have smartphones and tablets with the capacity the corporate network had in 1994. Can you blame them for using that all the time? They just don’t see the point in telling the people in IT or in Security. The only way to change this is by helping the users get value from what they’ll do anyway.
- Forgetting printers in a disposal policy happens when security organizations are stuck in the paradigm of desktop computing. Modern enterprise printers are basically computers that print. They are always on and always connected. They cache everything that is printed on an internal hard disk – unencrypted. Mind that people only print what is important – so the printer cache is the best place to find sensitive information. A policy for disposal should cover any device that caches data – printers, smartphones, even car computers. Something without a keyboard and a mouse may very well be a computer today.
- Freezing security budgets on passing a compliance test is wishful thinking. Security is an arms race; security requirements go up since the threats evolve as the defenses improve. Compliance follows with a time delay, but follow it does. All the big companies owned the last year where compliant, but owned nevertheless. So new regulations are upon us, and new best practices. Any organization should prepare for the next level, today.
- having the legal department veto security processes is the security department ducking from operational responsibility. It is the job of security to know the impact, help management decide and carry the burden of responsibility.
- Hiding behind we’ve hired the best is blame shifting to an external advisor. Hiring the best consultants is good; but did the company actually do as the specialists advised? Did the consultant really advise what is best, and not what was politically correct, even if it would be highly unwelcome? And, of course – how do you know someone is the best? Unfortunately, a high price is no guarantee. You must realize that you can’t see how high a mountain is from down in the valley. The motto is: trust, but verify. And to be able to verify; study, study and study some more.
All these questions illustrate fatally flawed security thinking and all nine are from my daily work as a security contractor over the last twenty years. I hope they help you secure your future: cyber security is no longer an issue just for the techies and not even the boardroom. It has now reached the point that corporate empires are collapsing. You, the ignored stakeholder, must now take action.