Security breaches might seem inevitable if you’re paying attention to the headlines lately, but organizations can avoid that fate by focusing on just four areas, according to four experts on a security panel hosted by IT World Canada CIO Jim Love at the Canadian Wireless Trade Show Oct. 18.
The first thing is to understand their assets. Or as Jason Doel, chief operating officer and co-founder of Tracker Networks, put it, “companies need to know what their Crown Jewels are. The fact is that organizations have a lot of data. Some data, if released or stolen, would have minimal, if any, impact. Other data, if taken, corrupted or released publicly, could have a severe impact. In a world of constant threats, where every company’s defences will be breached at least once, and where resources are always an issue, companies need to prioritize and put their focus on protecting the data that is most important. Without an inventory and classification of all their data, it’s impossible to figure out where the maximum effort should go.”
The second thing that organizations need to do is assess the risks they face. Bob Steadman, vice-president of security for Herjavec Group and another panel member, spoke of the need to assess risks from a number of aspects that are not technical, such as culture, policy and process. Steadman told the audience that “People are still the weakest link.” Doing this well would lead to ensuring that all users have strong passwords and protect those passwords from exposure. It would mean that they are suspicious of links, attachments or any other “phishing” attempts.
Third, companies must pay attention to the basics. According to David Masson, the Canadian country manager for Darktrace, that means ensuring that all software is updated, applying all security patches as they are available. As Masson pointed out, a large majority of breaches are simply a result of companies not applying patches that are readily available.
The first three recommendations dealt with what to do to prevent a breach. But panellists were equally adamant that you need a plan for what to do when you do have an incident. Brian Kocsis, the CSO of Meridian Credit Union, said that you “have to have an equal balance of protection and detection. You need to prevent unauthorized access, but equally, you want to detect any threat action as early as you can.” And when you do have an incident, you need a plan in place so that everyone knows how to respond, quickly and effectively. That plan, the panellists agreed, should include not only remedial action, but also specify who to notify and when to disclose.
In the recent Equifax breach, the time from when the company was first breached to the time it notified those affected was “simply unacceptable,” according to Masson.
In order to know what to do and when to disclose, all panellists also agreed on the need for a clear plan of action in advance of any attack or incident. As Jason Doel noted, this plan is the foundation of all security. An enterprise risk plan and a committee of corporate executives to oversee it provide clear guidance on what to do and who to notify. This also ensures that “the right people are at the table and that everyone is aligned in terms of understanding and action.”
It sounds simple, but it’s actually tough for many companies to do, Love noted. Yet the vast majority of security incidents can be traced back not to technical wizardry or enormous effort, but to a failure to pay attention to the basics – knowing what you have to protect, assessing the risks in light of your priorities, recognizing that security is a business issue, and having a clear plan of action for when the inevitable happens.
The panellists all agreed that for every company, a security incident or breach was inevitable. Referring to the recent discovery of a flaw in the WPA2 protocol, which exposed security flaws in almost all of the wireless routers in the world, Masson said that some people had suggested it would require a lot of expertise and timing to mount such an attack.
“By Friday you’ll be able to download a script that will make it easy to execute an attack,” he said. It’s inevitable that these tools will be shared across the Dark Web; “bad guys aren’t afraid of their stuff falling into the wrong hands.”