As my colleague Mark Wettlaufer says, “Cybercrime is beating up the world.” It’s only a matter of time before it hits companies that don’t take decisive steps to protect their assets, brand, employees and customers.
Open, sesame or open, sesame?
When talking about what CA Services does, I often use a construction analogy. But our job doesn’t end when the house is built, the sod is laid and the family has moved in. Think of a business as a house with multiple modes of ingress. Doors, windows, electrical and water systems, cable and wireless are all gateways for people with malicious intent. Without a strategy that safeguards every mode of ingress, your doors and windows might as well be wide open. To deter break-ins, you can plant a virtual ADT sign in the front yard, but serious security requires assessment of the gaps in your defense, planning and investment. If you’re concerned about the cost, measure your assets’ value – and determine what you’re willing to pay to secure them.
But protecting the walls of your “house” isn’t enough. Multi-layered protection that confirms user identity, provides access only to pre-approved users, and identifies, encrypts and secures data is essential. Risk versus reward has to be weighed: While some companies have to be very risk-averse, locking everything down creates challenges to functioning at all. If we don’t know where data lives, we can’t find or control it, and it’s easier to find and control data in the core. Once liberated from the core, data can move anywhere inside or outside the organization, increasing exposure to unauthorized parties. Data protection that starts at the core can work its way to the perimeter with policies that recognize intersections between business units and between the company and outside partners.
Threats from third-party providers
Business partners can bring great risk and great benefits. The problem, again, is loss of control. (The Wall Street Journal reported that Target’s hackers gained access to Target’s network by stealing a refrigeration contractor’s credentials.) We don’t see that kind of control much today, but likely we will within the decade.
Employees are a company’s biggest asset and strongest control against threats, but they can also be a wild card. Employees are inside the house, moving data from server to server and office to office. Protecting content—not just objects that house the content—is becoming more relevant to protection. Because content is more specific than objects, content-based policies can be written for any contingency. For instance, policy that prohibits Social Security numbers from being emailed or transferred to a flash drive can’t prevent users with access to objects containing those numbers from sending them to other locations via FTP. Content-based solutions are the next logical step for security beyond identity and access management and reporting solutions.
Do you perceive what I perceive?
One thing is clear: Security is no longer a back-office operation – and is now a market differentiator. One’s security footprint often makes or breaks a negotiation. Lack of security can change public perception of a company in seconds. That goes double for high-profile companies, because broad media exposure makes companies the next juicy targets for people with malicious intent. To mitigate the expense of security – and of becoming a major news story – companies need to be proactive. If they wait until the specter of a breach is upon them, they won’t be in a good negotiating position. What security issues keep you up at night?