The Finger Points at Security
Any damage to the company as a whole is damaging to security, because the bottom line affects every business unit. But in the case of a network breach, security is directly in the line of fire. When senior management and the board come to find out how this could have happened, they will head straight for security’s door. Fortunately, it seems that security is not always the sacrificial lamb anymore. Security executives at companies that have suffered some of the biggest breaches in recent years still have their jobs. But if a major breach occurs, the public may call for the ousting of security leaders, and their reputation will suffer inside and outside the company. They are unlikely to escape public embarrassment, since news outlets will scour their records and actions to find the hole that allowed the compromise.
Protecting from the Inside
There are a number of things companies can do to protect themselves. The right defenses depend upon the type of company, its level of sophistication or experience in information protection, and how it stores and transmits different types of information. But all organizations should begin the hardening process with a comprehensive risk assessment that is regularly re-evaluated. If your organization does not have the expertise to do this in-house, hire a consultant to help you through the process. The risk assessment is the only way to identify the appropriate measures to shore up the holes in your organization’s security program.
The risk assessment is also a requirement of nearly every law, guideline and regulation governing the protection of sensitive information. Most industries and sectors are now subject to their own information protection requirements, with heavy fines and penalties for noncompliance. (For a partial list of security-related guidelines and regulations, visit https://www.securityexecutivecouncil.com/public/lrvc.)
These guidelines and requirements should be viewed as a help to the security program, not a hindrance. They provide guidance on how to prevent common attacks in various industries, taking some of the guesswork out of the risk mitigation process. However, compliance with the applicable laws and standards still does not guarantee protection against a data breach. Hannaford Brothers was compliant with the PCI Data Security Standard when its network was compromised.
“Compliance is helpful, but compliance does not equal security,” says Tony Heredia, Director of Investigations and Assets Protection for Target Corp. According to Heredia, private industry must partner with the public sector to investigate and prevent data breaches if they hope to protect themselves from this threat.
Preventing Through Partnership
“There are two key reasons this problem needs to be addressed jointly,” says Heredia. “First, the criminals who set out to breach networks are intent on beating any technological advances that are in place. They are spending all their time — 24 hours a day — figuring that out. So you can’t prevent everything with technology.
“Second, when something does happen, businesses need to partner with law enforcement to investigate it and rely on the criminal justice system to bring these people to justice. Both those groups need to understand the threat from a private-sector perspective, and they need the cooperation and help of the business’ investigative resources.”
Target believes this strongly enough to put their money where their mouth is. The company has been funding analysts at the National Cyber-Forensics and Training Alliance (NCFTA), which brings together subject matter experts from industry, academia, and government to provide advanced training and forensic analysis to reduce cyber vulnerability. Target has also positioned a full-time investigator at the FBI’s Internet Crime Complaint Center for the last few years.
Public/private partnerships are useful for prevention as well as for investigation and prosecution. Says Heredia: “The Secret Service works with the Carnegie Mellon CERT Institute every year to do a survey of the private sector to better understand the trends around network breaches, network intrusions and personal information theft, and the more aware law enforcement is of what’s going on in those enterprises, the better equipped they will be to handle those kinds of investigations.”
Shared information about how a company’s networks are constructed, the kinds of things being seen in their intrusion detection system, and what the virus software is picking up can help crime labs and groups like the NCFTA develop better parameters to detect this activity before it causes damage and makes headlines.