You don’t need to spend billions to get security like Google

Companies are more cognizant in 2016 of the need to secure their business and customer data. Somewhat counter-intuitively, many of them seem more complacent than ever. Among many leadership teams there is a sense that you direct your IT people to put in a firewall and a SIM (Security Information Management, today usually called SIEM) system, and at that point the job is done.

Some rather high-profile hacks (in addition to the countless intrusions that never make the news) show just how well that reactive approach is working. We have seen how the internal files of the Democratic Party in the US were vulnerable to Russian hackers, heaping even more trouble on a controversial election. This month, France's TV5 was reported to have been "nearly destroyed" by Russian hackers wielding malicious software. (Not all hackers are Russian, though some months it might seem that way.) It just keeps happening, and it happens so often that companies might be forgiven for thinking there is little they can do.

Security starts at the top

If hackers want in, they will get in, right? That seems to be the conventional wisdom at many companies. All the leadership can do is set a reasonable budget for defenses and let the technical experts run the ball.

In some sense they are correct: a sufficiently motivated attacker can eventually beat any IT defense. But recent revelations about Yahoo's approach to security demonstrate the real weakness in many companies today. They want to (and need to) grow their businesses, and if security gets in the way, protection goes out the window.

In broad outline, Chinese hackers hit Yahoo six years ago, and Yahoo was not the only target. The same hackers also got into Google and other stars of Silicon Valley.

Google literally adopted a ‘Never Again’ motto. Those words are so suffused with meaning and tragic history that there was no doubt about the company’s resolve. They hired hundreds of experts and threw massive resources at the problem.

Yahoo took a different path, one driven by a shallow, short-term business calculation that is sadly not uncommon. As The New York Times reported:

When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.

Given their declining competitive position, they felt the need to emphasize user convenience over security.

Unfortunately, the results were predictable:

The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.

But Yahoo’s choices had consequences, resulting in a series of embarrassing security failures over the last four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the Federal Bureau of Investigation.

Yahoo prized business growth over security and ended up with neither.

Introducing the risk matrix to help with business risk management

The lesson of the Yahoo cautionary tale is not that security should make the product as inconvenient as possible for the user, sacrificing growth. Nor are we recommending that every company spend what Google spends on security. Neither option is feasible for 99.9 percent of the companies out there.

What we do prescribe is a proactive approach to security that mitigates risk with limited resources. Security is too important to leave entirely to a company's security experts; the leadership needs to be involved.

This is where the risk matrix comes in. When we undertake a network design, build or upgrade, our approach is to classify every data asset according to risk. This is good old-fashioned business management, the same discipline used to ensure business continuity.

Recently we have been asked to apply this approach to all of information security, not only networking. You start by taking stock of the data the company holds and running through the worst-case scenarios for each. What happens if a hacker locks the data and demands a ransom? What if it is lost? What if it falls into the wrong hands (and whose hands count as wrong)? What if the data were suddenly open to anyone with a web browser?

There are many, many scenarios in the matrix. It helps companies understand the risks to reputation, business continuity and competitiveness, and to rank them against each other.
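As an added illustration of the exercise (this is not SwitchedLink's tooling, and the page describes the method only in outline), the following Python sketch scores a constructed set of data assets against the four worst-case scenarios above. The asset names, the 1 to 5 likelihood and impact scales, the individual scores and the risk tolerance are all constructed assumptions; the point is that every cell of the matrix gets a number, the numbers get ranked, and everything above the line the leadership has drawn becomes a funded item with an owner rather than a vague worry.

```python
"""Worked risk matrix: data assets scored against worst-case scenarios.

Added example, not SwitchedLink's tooling. The asset names, the
1..5 likelihood and impact scales, the scores and the tolerance are
all constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product

# The four worst-case scenarios the text walks through.
SCENARIOS = ("ransomed", "lost", "wrong_hands", "public_exposure")


@dataclass(frozen=True)
class Asset:
    name: str
    # Impact if the scenario happens, 1 (nuisance) .. 5 (existential).
    # This number should come from the business owner, not from IT.
    impact: dict[str, int]
    # Likelihood of the scenario over the planning horizon, 1 .. 5.
    likelihood: dict[str, int]


def risk_score(asset: Asset, scenario: str) -> int:
    """Classic likelihood x impact cell of the matrix (1..25)."""
    return asset.impact[scenario] * asset.likelihood[scenario]


def build_matrix(assets: list[Asset]) -> list[tuple[str, str, int]]:
    """Every (asset, scenario, score) cell, highest risk first.

    Ties are broken by asset and scenario name so the order is stable.
    """
    cells = [(a.name, s, risk_score(a, s)) for a, s in product(assets, SCENARIOS)]
    return sorted(cells, key=lambda c: (-c[2], c[0], c[1]))


def above_tolerance(matrix: list[tuple[str, str, int]], tolerance: int):
    """Cells that exceed the risk the leadership has said it will accept.

    These rows need a named owner, a control and a budget; everything
    below the line is a conscious acceptance, not neglect.
    """
    return [c for c in matrix if c[2] > tolerance]


def worst_scenario(matrix: list[tuple[str, str, int]]) -> dict[str, tuple[str, int]]:
    """Each asset's single worst scenario, the one to brief its owner on."""
    worst: dict[str, tuple[str, int]] = {}
    for name, scenario, score in matrix:  # matrix is sorted highest first
        worst.setdefault(name, (scenario, score))
    return worst


# Constructed sample register (assumed values, not real data).
ASSETS = [
    Asset(
        "customer_credentials",
        impact={"ransomed": 4, "lost": 4, "wrong_hands": 5, "public_exposure": 5},
        likelihood={"ransomed": 3, "lost": 2, "wrong_hands": 3, "public_exposure": 2},
    ),
    Asset(
        "marketing_site_content",  # already public, so exposure barely matters
        impact={"ransomed": 2, "lost": 2, "wrong_hands": 1, "public_exposure": 1},
        likelihood={"ransomed": 3, "lost": 2, "wrong_hands": 2, "public_exposure": 5},
    ),
    Asset(
        "finance_ledger",
        impact={"ransomed": 5, "lost": 5, "wrong_hands": 4, "public_exposure": 4},
        likelihood={"ransomed": 3, "lost": 2, "wrong_hands": 2, "public_exposure": 1},
    ),
]

RISK_TOLERANCE = 9  # assumed: anything scoring 10 or more must be funded


if __name__ == "__main__":
    matrix = build_matrix(ASSETS)
    for name, scenario, score in matrix:
        flag = "ACT" if score > RISK_TOLERANCE else "accept"
        print(f"{score:2d} {flag:6s} {name:24s} {scenario}")
    for name, (scenario, score) in worst_scenario(matrix).items():
        print(f"brief owner of {name}: worst case is {scenario} ({score})")
```

The two decisions that need executives in the room are the impact numbers (only the business can say what losing the finance ledger or leaking customer credentials would cost) and the tolerance line; once those are set, the ranking and the list of items that must be funded fall out mechanically, which is what makes the result defensible when a product team asks why a control was imposed.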

Companies that are complacent about security take a top-down approach, assuming a firewall and a SIM are the beginning and end of what they need. Companies that are serious about security use the matrix to plan from the bottom up, identifying risks first and then assigning personnel, processes and resources according to what those risks demand.

This approach requires the cooperation of executives at the highest level. But again, at companies that are serious, the C-suite is the one demanding this kind of process. That is what we do for our clients.

Is your company ready to get serious about building and protecting your IT infrastructure? Contact SwitchedLink today.
