Cyber security Part 1: What can businesses and organizations do to protect themselves?

By Maureen Aylward

From Sony to Lockheed Martin to PBS, cyber attacks are on the rise and increasing in sophistication. Even the US government announced that a cyber attack by a foreign government constitutes an act of war. How can companies, governments, and institutions protect themselves? How will cyber security change to meet the rising threats? Our Zintro experts weighed in with such fantastic responses that we are doing a three-part series to address this from the perspectives of organizations, industry, and governments. This is Part I in the Zintro Series on Cyber Security.

D. Sedlack, a security expert, says that solid design and changing corporate perceptions can mitigate risk while allowing businesses to function and become more efficient. “There are several issues, the main one being that products are no longer allowed to mature, which leaves gaping security holes, even in security-driven products,” says Sedlack. “Poorly designed networks, like products, lead to overly complex or simplified designs that make compromise inevitable.”

So how can companies and organizations protect themselves from such activities? “Businesses and organizations can mitigate much external risk through proper network design. For less than $500, even a small not-for-profit can install a decent firewall that provides adequate protection and functionality for their daily IT activities. Larger businesses or those dealing with more sensitive information, personally identifying or relating to children, must take additional precautions,” explains Sedlack. He suggests businesses do the following to stay protected:

  • Check existing firewall support.
    Monitored firewalls are important, but proper infrastructure design is paramount. Publicly exposed data, for most sites, should be static enough to monitor and report changed, authorized, and unauthorized access. Back-end processes should be regularly monitored and any database activities must conform to current standards. Open ports should be limited to those needed for real productivity, and open web browsing should be expressly blocked.
  • Conduct an infrastructure assessment.
    An infrastructure assessment should include internal and external penetration testing that covers existing requirements and anticipated changes for the coming year.
  • Review information security policies.
    Information security policies should include procedures for technical issues, reporting chains for real or perceived intrusions, and most importantly, support for any security-driven action by the entire management chain, including tail-gating, open-desk policies, games, or social networking.
  • Conduct perception analysis throughout organizational levels.
    “If employees are either ignored or chastised for reporting seemingly perfunctory information security incidents, even the most expensive and extensive technical solution will fail,” says Sedlack. “Each organizational group should perceive information as important and understand what it means to the business and its clients.”
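
The first item's point about publicly exposed data being static enough to monitor can be shown with a baseline comparison. This is an added example, not code from the article or from the experts quoted; the `approved` set (paths listed in a change ticket) and the sample site files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def classify(baseline, current, approved):
    """Compare two snapshots; split differences by whether the path was approved."""
    report = {"authorized": [], "unauthorized": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue  # unchanged content is not reported
        # approved: hypothetical set of paths taken from a change ticket
        bucket = "authorized" if path in approved else "unauthorized"
        report[bucket].append((path, kind))
    return report

def demo():
    """Constructed sample site: one approved edit, one unexpected new file."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("index.html", b"<h1>Home</h1>"), ("about.html", b"<h1>About</h1>")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"<h1>Home (updated)</h1>")
        with open(os.path.join(root, "new-page.html"), "wb") as fh:
            fh.write(b"unexpected file")
        return classify(baseline, snapshot(root), approved={"index.html"})

if __name__ == "__main__":
    for bucket, changes in demo().items():
        for path, kind in changes:
            print(f"{bucket}: {kind} {path}")
```

Run on a schedule against the published document root, the unauthorized bucket is what feeds the reporting chain described in the policy item above.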

Hadi Hosn, an information security expert, says that organizations are undergoing a period of rapid change driven by innovation in technology, which exposes them to new and emerging threats in the cyber security space. “The serious impact of these recent breaches is putting pressure on all organizations to take immediate measures to protect the information they hold,” says Hosn.

Hosn points out that there are implications for organizations that do not appropriately manage cyber threats, which include:

  • Financial loss resulting from the leakage of intellectual property to a competitor;
  • Penalties imposed by regulators for not properly securing sensitive information, such as staff or customer personal information; and
  • Damage to reputation and the brand as a result of media exposure highlighting a security incident or a lawsuit brought by employees or customers who are impacted by a cyber attack.

Matthew Goodmanson, an information security consultant, says that new security tools and processes are created in a reactive response to a known threat. “Companies that create or provide security tools and services are not in the business of creating solutions to problems that don’t exist yet. They simply react to the need,” he says. “Organizations unfortunately are in the position of only having an information security framework in place that addresses current and known security threats. It’s the hope that security products will be positioned well enough to address any threats that surface tomorrow.”

Goodmanson suggests that organizations review the following to assess security gaps and potential areas of weakness:

  • Conduct an introspective audit on current security policies, procedures, and standards;
  • Determine what information must be secure;
  • Define who can have access to it;
  • Determine how authorized users access information and what they can do with it once they have access;
  • Conduct a gap assessment on where the organization is in protecting data and where it would like to be; and
  • Develop and/or modify current information security strategy to invest in new technologies or modify existing practices and technologies to get to the desired secure state.

James Anderson, president of Professional Assurance LLC, says that cyber attacks range from rogue e-mail attachments that entice users into giving personal information to massive attacks designed to steal personal financial data and proprietary information and disrupt critical infrastructure. “The problem in confronting these issues is not that companies incorrectly perceive these actions but rather that companies have incorrectly perceived the time domain of cyber warfare,” says Anderson.

He says that when a cyber attack impairs the mission of a company there is a sense that companies must respond forcefully and effectively to limit the damage and prevent further attacks. “Companies will traditionally try to reduce vulnerabilities and that can look like a disaster recovery plan,” says Anderson.

“The most important single thing a company can do to prepare for a cyber attack is to develop and operate comprehensive logging and intrusion detection tools,” says Anderson. “Organizations have simply not invested in the kind of essential logging tools that are crucial to the successful identification, neutralization, and possible retaliation to modern cyber attacks. As more and more firms actively move mission-critical operations to the cloud, the value of such tools increases exponentially to threatened companies.”
