Expert: The Biggest Cyber-Threat to SMBs Are the Workers Within
Security Featured Article


December 23, 2008

By Michael Dinan, TMCnet Editor


Consider how we rely on the Internet for communications (e-mail), information (Google), shopping (eBay, Amazon), banking and even telephone calls (VoIP).

 
If there were a market for human dependency, the Web would be a market share leader.
 
It’s a phenomenon that hasn’t escaped the notice of criminals long engaged in fraud and theft. In fact, if we believe the experts, it’s one of the United States’ most pressing national security concerns, and all the more so as the U.S. government approaches $100 billion in IT spending per year.
 
But what does that mean for small businesses?
 
As we learn in an interview (below) with John Calvin “Cal” Slemp – a managing director with Protiviti, a global business consulting and internal audit firm specializing in risk, advisory and transaction services – cyber criminals know that smaller businesses typically are easier to penetrate than larger ones.
 
And what about when the criminal trying to “break in” to a business’s computer network is already an employee at the office?
 
Interestingly, Slemp told us that about 60 to 70 percent of the threat to an organization lies with an employee.
 
In the course of a conversation that ranges from what President-elect Barack Obama might do to bolster the nation’s computing defenses to the threat of mobile hacking in an increasingly mobile workforce, Slemp gives some practical advice to smaller businesses seeking to control such threats.
 
Our exchange follows.
 
TMCnet: As we witness a change in leadership in the White House, particularly with the inauguration of a U.S. president whom many say is the most tech-savvy in history, much attention is being given to cyber-security. This month, the Center for Strategic and International Studies released a report saying that the extent of damage already done in government offices by cyber attackers, including those doing work on behalf of terrorist groups, is largely unknown. Give us some idea of the scope of cyber attackers’ work. How organized are these people? About how many are there? Where do they live?
 
John Calvin “Cal” Slemp: It is important to remember that crime, espionage, and protest are not new phenomena. Technology advances have just provided additional tools for those who focus their time in these areas. Governments, businesses and individuals should continue to understand that they are potential targets and assume that anyone who has something to gain will actively try to take advantage of any weakness they can find. The more there is to gain, the better funded and organized the criminals will be. Hackers, cyber terrorists, and others with criminal intent will continue to learn, adapt and become more focused and creative in their efforts.
 
TMCnet: As TMCnet reported, Cisco this month released a study saying that cyber-attackers are becoming more sophisticated and their attacks more targeted. What strategies can groups such as smaller business adopt in order to protect themselves?
 
JS: The foundation of an effective security program is awareness. This begins with the recognition that any size firm can be a target. In a digital world, an IP address is very much like any other. While some cyber criminals specifically target large companies, they also know that smaller organizations typically have less well developed security programs and can be easy targets. Being aware of such risks and giving them thoughtful consideration is essential to the overall success of an organization’s risk management program. Additionally, having the right policies and procedures in place adds value to the program as a whole.
 
Among the tactics we would recommend are employee awareness and training. This awareness needs to extend to the employees and partners of the organization. Employees need to understand the concerns the organization has and the policies that have been developed to address them. What’s more, they need to know their part in the enforcement of the policies and how they personally can impact security and privacy practices.
 
We also recommend network segregation. When the Internet is leveraged for e-business or other purposes, it should be separated as completely as possible from a firm’s internal network.
 
Data-centric security and encryption are also important. The data that resides in the organization is the primary target for criminals, and having a data-centric view of security is helpful. A firm needs to understand the value of specific data and who has access to it. There are several ways to reach that understanding as well as to develop procedures that will allow you to identify negligent activity. One way to minimize the impact of any data theft is to encrypt key data.
 
It’s also important that businesses don’t rely on technology alone to protect an organization. Most attacks today pass straight through firewalls and attack applications. Viruses and phishing attacks are propagated in emails that rely on uninformed users to open and mistakenly act on. An effective security program is a combination of policies, practices, and appropriate technology – which all rely on informed employees to execute.
 
Also, companies should concentrate on their core competencies and seek advice and assistance for topics outside their areas of expertise. Management should leverage available expertise to build security programs that are consistent with the company’s business objectives. If you are not sure where to start, have someone internally or an auditing firm do an independent review to identify weak areas and help you move in the right direction. 
 
TMCnet: Some of the most difficult attacks to defend against apparently are “inside” jobs, where employees with some form of authorization phish around and steal information. How hard is it to find out who these people are, and what can executives do to pre-empt their attempts to commit illegal acts?
 
JS: There have been a number of studies over the years and most conclude that 60 to 70 percent of the threat to an organization lies with the employee – the “insider.” Unfortunately, difficult economic environments tend to have an attendant increase in employee-based crime.
 
Countries have different laws, customs, and views regarding acceptable behavior on all levels, not just with regard to acceptable handling of corporate information. A company must put a clear information security policy in place and constantly educate its employees about it. Among the elements of a good policy are the clear articulation of who “owns” the information, how the company is protecting it, what it expects from its employees, and the consequences of not complying with the policy.
 
The best way to pre-empt internal attacks is to reduce the opportunity for it and make it clear that activity on the network is being monitored. Make sure that good identity management and access controls are in place. Give people the minimum level of access they need to do their job and eliminate shared passwords. Review application and network access rights on a regular basis to ensure they are still appropriate.
 
Even though laws regarding workplace surveillance vary around the world, companies can employ many approaches to protect their assets. There are a number of tools that can be used to detect internal snooping or attacks, and can monitor database and network usage as well as control exporting data to removable media all in an effort to perform what is called “data loss prevention”.
 
It is not difficult to put a program in place to identify if an employee is acting inappropriately. But that program is enhanced when a company sets, and constantly communicates, what it considers to be appropriate.
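The two insider controls Slemp describes above, a periodic access review (minimum access, no shared passwords, regular re-certification of rights) and monitoring of data exported to removable media, lend themselves to a small worked example. The Python below is added here for illustration; it is not Protiviti's tooling and is not from the original interview. The role baseline, the account records, the review date and the key=value log lines are all constructed, and the log format itself is an assumption rather than the output of any particular product.

```python
"""Added example: periodic access review plus removable-media export checks.

Not Protiviti's tooling; all roles, accounts, dates and log lines below are
constructed for illustration, and the key=value log format is an assumption.
"""
from datetime import date

# Assumed role baseline: the minimum entitlements each job role needs.
# Anything an account holds beyond its role's set is excess access.
ROLE_BASELINE = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "sales": {"crm:accounts:read", "crm:accounts:write"},
    "it_admin": {"ad:users:admin", "vpn:connect", "erp:admin"},
}

# Constructed identity records: who holds the credential, its role, the
# entitlements actually granted, and the last successful authentication.
ACCOUNTS = [
    {"account": "jdoe", "owners": ["J. Doe"], "role": "accounts_payable",
     "entitlements": {"erp:invoices:read", "erp:invoices:approve"},
     "last_login": date(2008, 12, 19)},
    {"account": "asmith", "owners": ["A. Smith"], "role": "sales",
     "entitlements": {"crm:accounts:read", "crm:accounts:write",
                      "erp:invoices:approve"},
     "last_login": date(2008, 12, 22)},
    # One password used by three people: nobody is individually accountable.
    {"account": "warehouse", "owners": ["B. Lee", "C. Kim", "D. Ng"],
     "role": "sales", "entitlements": {"crm:accounts:read"},
     "last_login": date(2008, 12, 22)},
    # Privileged account that has not been used for months.
    {"account": "contractor7", "owners": ["E. Ruiz"], "role": "it_admin",
     "entitlements": {"ad:users:admin", "vpn:connect", "erp:admin"},
     "last_login": date(2008, 7, 1)},
]

REVIEW_DATE = date(2008, 12, 23)  # constructed "today" for the review


def review_access(accounts, baseline, today, stale_after_days=90):
    """Return (account, finding, details) triples for the access reviewer."""
    findings = []
    for acct in accounts:
        allowed = baseline.get(acct["role"], set())
        excess = acct["entitlements"] - allowed
        if excess:
            findings.append((acct["account"], "excess", sorted(excess)))
        if len(acct["owners"]) > 1:
            findings.append((acct["account"], "shared", sorted(acct["owners"])))
        if (today - acct["last_login"]).days > stale_after_days:
            findings.append((acct["account"], "stale",
                             [acct["last_login"].isoformat()]))
    return findings


# Constructed endpoint-agent log lines (assumed format: timestamp, then
# space-separated key=value fields; values contain no spaces).
LOG_LINES = [
    r"2008-12-22T09:14:03 host=FIN-PC02 user=jdoe action=file_copy dest_type=network path=\\fileserver\ap\inv_1122.pdf bytes=204800",
    r"2008-12-22T09:16:41 host=SALES-PC07 user=asmith action=file_copy dest_type=removable path=E:\Q4_customer_list.xls bytes=1843200",
    r"2008-12-22T17:52:10 host=SALES-PC07 user=asmith action=file_copy dest_type=removable path=E:\backup.zip bytes=734003200",
    r"2008-12-22T18:03:55 host=WH-PC01 user=warehouse action=file_copy dest_type=removable path=F:\pick_list.txt bytes=4096",
]


def parse_event(line):
    """Parse one assumed-format log line into a dict; bytes becomes an int."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["bytes"] = int(event.get("bytes", 0))
    return event


def flag_removable_exports(lines, sensitive_markers=("customer", "payroll", "invoice"),
                           max_bytes=100 * 1024 * 1024):
    """Flag copies to removable media of sensitively named or very large files."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "file_copy" or ev.get("dest_type") != "removable":
            continue
        filename = ev["path"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if any(marker in filename for marker in sensitive_markers):
            reasons.append("sensitive_name")
        if ev["bytes"] > max_bytes:
            reasons.append("large_export")
        if reasons:
            alerts.append((ev["user"], ev["path"], reasons))
    return alerts


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, ROLE_BASELINE, REVIEW_DATE):
        print("ACCESS", *finding)
    for alert in flag_removable_exports(LOG_LINES):
        print("DLP", *alert)
```

Run as a script, the review flags asmith's invoice-approval right (not part of the sales role), the shared "warehouse" credential, and the dormant privileged contractor account; the export check flags the customer list and the very large archive copied to a USB drive, while the small pick list and the copy to the file server pass. The two thresholds (90 days, 100 MB) and the sensitive-name markers are the knobs a firm would set from the data-classification exercise Slemp recommends earlier in the interview.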
 
TMCnet: Many of us in the IT world are anxiously waiting to see whom President-elect Obama appoints in positions such as FCC chairman and national chief technical officer. Some are calling for Obama to set up entire agencies dedicated to cyber defense. What do you think ought to happen at government’s top levels in order to ensure that Americans are safe?
 
JS: Citizen safety and cyber security intersect, but they are not the same thing. Both are topics requiring attention and action. Importantly, neither is achieved solely by a government or laws; there is a need to combine efforts in the private sector with individual actions and public sector support. I believe an open dialogue between industry and the government will greatly assist in defining the problems as well as ways to address them.
 
TMCnet: The CTO of one company, Airwide Solutions, talked to us at length recently about the possibilities of hackers getting at businesses’ confidential information through smartphones. The threat appears to increase with an increasingly mobile workforce and improvements to the mobile Web. At a company, for example, that is spread out and takes advantage of smartphones and telepresence for communications, what steps should be taken to make sure confidential information isn’t at risk of exposure?
 
JS: Smartphones provide a good example of a broader issue: How to introduce and leverage a new technology into an environment while maintaining the levels of information security a firm wants in place. Good security policies and practices are ones that expect changes, identify them when they occur, and rapidly adapt to their presence. Smartphones create another connection to a firm’s IT environment and can be used to access, create, and store information. To make sure that appropriate security controls are defined, it is also helpful to think about the lifecycle of the device from acquisition through to disposal or loss.
 
Some general recommendations include only allowing smartphones that meet the security requirements you have put in place for other devices – for example, data sent and stored is encrypted, the device is password protected, and only predefined and tested applications can be installed. Also, restrict the functionality of smartphones where possible – and particularly prevent third-party applications from being installed, as they can subvert security controls.
 
Also, companies should restrict access to their networks – only provide access to what is needed on the road and only for devices that have been approved.
 
It’s also important to ensure that applications have an embedded authentication method for user access and are built so that a person cannot break out of the application and traverse the network easily. There also should be a good process for lost phones, and this process should be communicated broadly and frequently. Note that if the phones are not company-owned, you may never know that a device is lost.
 
Finally, never resell phones without securely and completely deleting their data.
 


Michael Dinan is a contributing editor for TMCnet, covering news in the IP communications, call center and customer relationship management industries. To read more of Michael's articles, please visit his columnist page.

Edited by Michael Dinan
