I purchased my first network security book in 1996. Since then, I have attended dozens of classes, seminars and conferences on the subject. I have written dozens of articles and co-authored a book on it — and I am not alone. Conduct a search at Amazon.com for “network security” and more than 3,500 books are associated with the topic. In addition, numerous colleges and universities offer degree programs in network security and an untold number of security certifications have been created. One would think that with this increased focus on network security that digital data would be totally protected and difficult, if not impossible to steal or compromise.
Unfortunately, this is simply not the case. Technology does not stand still. New operating systems are created along with development of new applications and newer versions of old applications. New computing devices are also created. And all of these new developments add additional vulnerabilities to digital data. This means that the network security environment is constantly changing, and the “bad guys” are becoming more sophisticated. The lone teenage hacker is now being replaced by highly skilled, well-funded criminal organizations that are stealing information to generate revenue, not simply for bragging rights among their peers.
When an organization is evaluating the risks to its systems, there are four approaches it can take:
• Ignore the risk. When you hear someone say, “I don’t believe that will ever happen to us,” or “No one would be interested in our systems because we are a small company,” they are ignoring the risks.
• Accept the risk. When a company understands the risk but does not apply any resources to protect from the risk, it is accepting the risk.
• Transfer the risk. For some organizations, it is more cost-effective to purchase insurance to protect from the repercussions of network security breaches as opposed to adding additional resources to security infrastructure.
• Mitigate the risk. When an organization dedicates resources to minimize the risks to the network, such as personnel, capital and equipment, it is mitigating the risk.
Of these approaches, only “ignoring the risk” requires no effort to determine the risks posed to systems. Before any determination can be made about how to approach risks, an organization must identify the systems that contain mission-critical information and determine the impact of having that information compromised. This sounds like a simple process, but the biggest mistake made at this point is undervaluing the data on the systems.
It is fairly obvious (or should be) that losing healthcare or financial information would have a significant impact on a business. This can include lost reputation, loss of trust and numerous lawsuits — however, loss or corruption of business plans, marketing plans and client information can have just as significant an impact.