[Figure: suppliers, development partners, and distributors work with you]
At its core, information security is about more than merely protecting confidentiality or making sure your systems are safe; it's about maintaining the integrity of your systems, and thus your business and production processes.
Losing Trust
Every week seems to bring headlines about security incidents; 2014 included the steady stream of leaks about National Security Agency surveillance as well as news of breaches that hammered JPMorgan Chase and Sony. In many cases, it seems that hackers remain a step ahead of the existing countermeasures. (For more information, see the appendix, "From Attack-as-a-Service to Cyberespionage: The Latest Trends in Hacking.")
It's tempting to relax if your firm hasn't been targeted yet, or doesn't know that it has been. Too often, we hear statements such as, "We are secure; nothing has happened to us before," or "Our firm is not important enough to be a target," or "Security costs are greater than the potential damages." Unfortunately, many studies have demonstrated, and many executives have learned the hard way, that these statements simply aren't true. While there is no commonly agreed-upon number for the costs of worldwide security breaches, estimates range from $400 billion (about the GDP of Austria) to as high as $2.2 trillion (roughly the GDP of Brazil), or between 0.5 percent and 2.9 percent of the world's GDP. And that doesn't take into account the damage from lost trust: your own trust, your partners' trust, your customers' trust, and your employees' trust.
Breaches also can have unexpectedly long-term consequences. According to security intelligence company Mandiant, the average attack goes 243 days undetected, plenty of time for a hacker to plumb your company for its information. The Sony hack of late 2014 highlights a most extreme case of stolen data: the release of five Sony movies, the leak of thousands of executive emails to the press, and the public display of employee information such as social security numbers, passwords, and salary data. Once the "bad guys" infect a company, it can take months to win back territory, all while facing the fear that important systems will be sabotaged in revenge and that there is more damage that has not been uncovered yet.
No single industry has the ability to defend against all attacks; even the best-prepared, most technologically advanced industries, such as telecom and banking, have faced embarrassing incidents and the public exposure of reams of data. Other, potentially far more damaging incidents have been successfully hidden, at great financial expense. In manufacturing, where safety (avoiding accidents) has long been a focus, information security has not been a priority. The same is true for infrastructure industries such as traffic and utilities (other than nuclear plants, where the information security focus derives from the industry's larger safety and security mindset). Despite the imminent threats, senior management awareness seems quite low across industries. This is changing, but only slowly.
With digitization increasing, breaches are inevitable, and the magnitude and frequency of successful attacks will only increase. Only a significant, society-wide change in awareness may be able to slow down, and later reverse, this development.
the damage after an initial breach. Information security policies clearly define the requirements for security areas from data centers, devices, applications, and production systems to processes and governance, such as risk management, incident management, and the classification of information. And guidelines for specific stakeholder groups (executives, administrators, and external users, among others) serve as "best practices" specific to the audience. This knowledge helps balance the desired level of protection against the cost and effort to achieve appropriate security; in other words, the acceptable risk that can be tolerated.
A well-defined road map defines short- and mid-term goals for information
security. Long-term goals would fail in a rapidly changing environment, or they
would come too late to address foreseeable issues.
Divisions and regions also have their own information security officers, with dotted-line reporting to the CISO; other roles responsible for information security are consistently defined throughout the organization and sufficiently staffed.
Information security leaders make sure they understand the risks to all business-critical processes. Business continuity management keeps all critical processes running even when incidents occur. All required parties regularly conduct training on the business continuity plans, ensuring that operability and continuous improvement keep pace with changing requirements.
Identity and access management, which is often the eye of the storm of an
attack, is focused on the principle of least privilege. 1 Leaders have the checks
and controls in place to limit potential damage through insider attackers or
compromised accounts.
IT operations processes are designed with security in mind to reduce risk for
IT infrastructure and applications. Regular penetration tests verify the
effectiveness of security measures.
Technology. IT security is not the same thing as information security. The critical difference is that information security accounts for the human factor, which is central
Leading companies care most about the one attack they might miss, not the millions of malware attacks they know they can defend against. These leading security organizations are efficient in their technology use so that they are able to spend more time working with the business side to secure core processes.
Culture. Culture is about the people aspect of security. Almost all major incidents involve the human element: typically some employees who are tricked into malicious behavior. But expecting everyone to understand the risk isn't fair; education is required. Then, companies can mitigate the risk by making all employees true stakeholders of information security.
Culture is a key cog in maintaining solid information security for leading firms. Best
practices include the following:
Typically, companies vary in their performance across categories, yet often there is a
clear overall trend. Using A.T. Kearney's health check to assess performance,
companies can outline their objectives in each category and create a program of
short- and mid-term measures that lead to the desired state. A comprehensive
program can require three years to complete (see figure 3 on page 8).
Lastly, cost creep often occurs after a project is approved. Rigorous project
management independent of the (mostly technical) implementation provider that
keeps operational excellence and business objectives in focus will help avoid this.
German steelmaker was even harder hit when attackers tricked employees and
found their way from the business into the production network. Control systems and
entire production units reported outages, and then a blast furnace reached an
"undefined state," so that it could not be shut down in an orderly fashion. The
damage was massive.
Ransom. Extortion can be directed at any critical resource of a corporation, or even at the entire business. The fall of Code Spaces, which offered a cloud-based software as a service (SaaS) solution for software developers, is an example of the risks. An attacker mounted a distributed denial of service (DDoS) attack and left a message demanding a ransom to stop it, while demonstrating that he had access to the configuration of the complete cloud services upon which the company was built. When the company tried to regain control, the attacker used backdoors he had prepared to delete essentially all servers and customer data, including all backups, exploiting the fact that cloud services are as easily decommissioned as created. Within 12 hours the company declared its business was finished. It is worth mentioning that they prided themselves on saying "Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced." It proved to be a false sense of security: it is not enough to apply security measures; you need to consider absolutely all the ways they can fail, and prepare for them.
Source: http://www.atkearney.com/strategic-it/ideasinsights/article/-/asset_publisher/LCcgOeS4t85g/content/information-security-its-allabout-trust/10192