Cyber-Security: The Best Plan Of Action To Keep Your Data Safe

10 Stupid Moves That Threaten Your Company's Security

The cyber thief develops a new advantage, breaks into an IT system, and swipes data. An enterprise spots the hack too late, figures out how it was done, and changes its defense to stop the hack from happening again. The defense holds until the cyber thief figures out the next work-around.

That is the action/reaction cycle. Like a perverse iteration of Newton's third law, every clever action is followed by an equally clever reaction.

Companies are getting wise to this, adding depth to their cyber-defenses to contain, rather than prevent breaches. Yet, there can be no change in strategy without a change in thinking first.

Flu Shot

"The cycle will continue, but that is not the end of the world," said Haiyan Song, senior VP for security markets at Splunk.

Security is not Splunk's first mission. The firm specializes in offering Software-as-a-Service-based big data applications. But in recent years, some Splunk customers have been using the platform for IT security.

[Get 4 Data Security Tips for CIOs.]

All it took was a change of thinking. Big data apps look for patterns such as insights that can lead to ideas about how to better sell a product or a service. Why not apply the same pattern-recognition capabilities to gain insights into who has been looking into data they have no business looking at?

"What we need is a mechanism for situational awareness," Song said. Once something is spotted that breaks the pattern of normal usage, the IT manager can respond by containing the threat. Here, Song falls back on biology to provide an analogy. The response would be no different than antibodies fighting an infection.

Figure 1:

(Image: Henrik5000/iStockphoto)

That, in turn has led to a shift in spending at the company. "Before, the money spent on prevention was four times [greater than] detection. Change the premise. We will never have airtight [defense]. Assume they are inside the system and let's invest in detection."

Looking Inside to Defend Against the Outside

Security is not enough. Vigilance and resilience have to be part of the solution, too. "We need a clearer picture of where the risks are and when we are under attack," said Ed Powers, US leader for Deloitte's cyber risk services.

Deloitte has counseled more than 1,000 clients in the past year about cyber risk. While boards and executives are paying more attention than they once did, and paying more money for security, their perception of the problem has not gotten better, Powers said. What, then, is adding to security risk?

"Over the last 15 years, we systematically connected our economy with the technology to share information, not protect it," said Powers. "It is possible to protect information, but it is costly to do it."

Next, no matter what business you are in, "you have to trust people," Powers said. "People make mistakes." Human errors and complacency create openings for malware to get in. Yet, "you have to continue trusting people," Powers added.

Finally, the connection between the organization and its strategic agenda magnifies cyber risk, Powers noted. "You can't afford to stop doing things," he said. "You are going to increase cyber risk over time." But you can't focus on securing everything.

Cyber-security gets especially tricky when one considers the "insider threat" -- the disgruntled employee who has access to your data. "How do you create a defense in depth and create vigilance without destroying a culture of trust?" Powers said.

At Deloitte, the cyber risk team works hand-in-hand with a human capital team, using behavioral psychologists to figure out what constitutes normal corporate behavior, and what does not. The challenge is to spot those workers who are acting

(Continued on next page)

8 Ways To Secure Data During US-EU Privacy Fight

(Continued from page 1)

differently from their peer group, flagging "anomalous behavior" without conducting a witch hunt, Powers explained. It's not simply a matter of notifying the "person of interest," but demonstrating to them that you are watching, he said. That creates a psychological constraint that should deter wrongdoing.

Limited Means

Corporations can shift resources more readily to cyber-defenses than can state governments. In this respect, government lags the private sector. "Our surveys show the average spend [on cyber-defense] across the states is about 2% of the total IT spend," said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). Contrast that with the 14% of IT spend the Federal government is devoting to cyber-security, or the 5%-8% of IT spend typical of the private sector.

"All governments and legislatures understand the security issue. They do not understand the aggressive nature of the threat," Robinson said. The effectiveness of the security spend is the challenge, since there is a "lack of integration between the business risk and the budget allocation," he added.

Cyber-security is a "never-ending journey," since the threat keeps on changing, Robinson noted. Recruiting the needed cyber-security people is a challenge since state and local governments can't compete with the private sector on salaries. The result is a "talent crisis" for state governments, Robinson said.

States are comparable in revenue to large global corporations, or even small nations. (If California were a country it would have the world's seventh largest economy, Robinson quipped). Each state is a huge repository for personal information for millions, or even tens of millions, of citizens, making the states hack-worthy targets.

Figure 1:

(Image: Henrik5000/iStockphoto)

Despite shortcomings in hiring and funding, there are steps states can take to improve their cyber-defenses. States can undertake consistent employee and contractor training to help avoid the mistakes that open access to IT systems. "It has to be a regular program delivered in digestible chunks," Robinson said. "It can't be one day every year."

[Read IoT Shows Its Worth to Businesses.]

Diagnostics and analysis can improve "defense in depth," spotting cyber intruders and shutting down their access to other parts of the data pool, Robinson added. States can also partition and classify their data, designating who has access and who does not.

It will take many steps to improve cyber-security, Robinson added. "It's not one silver bullet."

Raise the Bar

"People are starting to understand this is whack-a-mole," said Bill Stewart, executive vice president at consulting firm Booz Allen Hamilton. The best possible outcome in this scenario is a stalemate between the adversary and the cyber-defense. This breaks down as data grows exponentially, which is expected when the Internet of Things becomes commonplace. Stewart added that the whack-a-mole approach won't work for most companies. "There are not enough people," he said.

Security is a game of catch-up, since nothing is built at first with security in mind. That feature adds to cost. "We're adding these things on after the device is created. That is not optimal," Stewart said.

No matter how much security one adds, the enterprise will always be a target for cyber thieves. To paraphrase bank robber Willy Sutton, you hack a company because that's where the data is. "As long as there is value [to protect], there is no perfect security system," Stewart said. "But you can raise the bar."

The act of "raising the bar" means making it harder for the cyber thief to break in. That forces him to expend more resources to do so. If the resource cost becomes too high for the bad guys, some will drop out of the game.

Raising the bar could mean relying more on biometric log-on, or better credential management to limit access to data. Yes, this adds cost -- perhaps 5% to 7% -- but, as with much of IT, costs go down over time, Stewart noted.

You can even mitigate risk on the human side. "Educate the users so they are not as dumb as they once were," Stewart said. Simply getting workers to read an e-mail message before clicking on any attachment can be enough to thwart a spear-phishing attempt. With a phishing attempt, "there is always something wrong with them," Stewart pointed out. "They are not perfectly disguised." Companies can even test their employees by sending them "false phish," which when clicked would flag that employee for additional training.

Again, there is no single security fix that solves all problems. "You can't keep them out. But you can raise the bar," Stewart stressed.