In the annals of executive management, it’s safe to say that chief executives and IT security professionals don’t have a close working history. However, in the wake of such massive and highly publicized security attacks on corporate giants like Google, Amazon, Citibank, JPMorgan and Lockheed Martin, today’s CEOs have realized that IT security is an issue that is as much their area of concern as financial performance. In fact, the two are very closely aligned.
The central issue in the fight to secure enterprises is that CIOs are unprecedentedly challenged and effective security requires more than a set of disparate tactics. It’s not that IT leadership hasn’t kept pace; it’s simply that enterprise technology is substantially more complex, more mobile and more outsourced than it was five years ago. Meanwhile, recent research indicates that the average organizational cost of a single data breach has increased to $7.2 million, costing companies an average of $214 per compromised record (Source: The Ponemon Institute and Symantec, 2010 Annual Study: U.S. Cost of a Data Breach).
This should be a warning bell for chief executives everywhere. It’s up to CEOs to set the agenda and priority for how IT security will be addressed across the business. The financial implications of not doing so are only the tip of the iceberg. While a breach in IT security may result immediately in large financial losses, that’s just the beginning. A loss in credibility can also impact business performance and client trust. It’s imperative that today’s CEOs have a clear understanding of their most dangerous security threats and be actively involved in developing and executing a strategy to mitigate these threats.
At-a-Glance: The Impact of IT Security Breaches
- During 2010, researchers tracked 662 data breaches at large companies and government agencies
- Approximately 16.2 million records were exposed
- Cyber-attacks cost the U.S. economy an estimated U.S. $8 billion a year
- Nearly nine million U.S. residents are victims of identity theft each year
(Source: U.S. Representative James Langevin, 2011 Cybersecurity Forum, University of Rhode Island)
The Main Concern: Human Error
With the amount of money being poured into IT security, chief executives may think (or, at least, would like to think) that the latest doom-and-gloom Trojan or botnet is the biggest threat facing the protection of critical data. Surprisingly, that’s not the case. Human error is the largest threat to IT security. Most breaches in critical corporate data are not the result of malicious intent. They are the result of mistakes made in the way security is managed and configured across the business – especially at the network level.
Even the most sophisticated IT organizations are not exempt from this threat. In October 2010, Microsoft blamed human error after two computers on its network were hacked and then misused by spammers to promote more than 1000 questionable online pharmaceutical websites. In April 2011, the State of Texas discovered that the personal and confidential data of 3.5 million teachers, state workers, retirees and recipients of unemployment checks had been left unprotected on the Internet nearly one year. According to Gartner, Inc., more than 99 percent of firewall breaches are caused by misconfigurations rather than firewall flaws. The State Department’s 2008 breach of the passport system was a result of under-configured access control and a defendant’s “idle curiosity” peaked by the simple discovery that he “could.”
So, why is security so rife with human error? The answer is that today’s enterprise networks are overwhelmingly complex. Updating a company against a single Trojan or virus may require the manual configuration of dozens (if not hundreds) of separate firewalls and other network devices. Furthermore, it has become increasingly difficult to enforce IT security procedures throughout the enterprise and the volume of logging and event data generated by disparate systems and equipment spread across the enterprise can be daunting.
This complexity has led to an overworked, overburdened IT workforce. Frost & Sullivan’s 2011 (ISC)2 Global Information Security Workforce Study (GISWS) reports that the proliferation of new threats has led to “information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.”
To improve IT security effectiveness, it’s critical that chief executives guide IT to find ways to reduce network complexity and minimize the risk of human error across the security process. These answers should point to ways that will de-burden security administrators.
3 Questions You Should Be Asking:
- How can we make network security management less complex?
- How can we minimize the risk of human error across the IT security process?
- How can we better protect users from “idle curiosity”?
The Invisible Concern: Cloud Security
Cloud computing shouldn’t be a new term for any executive interested in cutting IT costs, including CEOs. While volumes could be written on cloud computing and virtualization, the simplest explanation is that cloud computing allows companies to outsource IT infrastructure (from storage to applications) to a virtual environment that can either be shared with other organizations (the public cloud) or not shared (the private cloud). As a chief executive who challenges leaders to reduce technology costs and redundancies, cloud computing represents an effective strategy for doing both.
In January 2011’s “Results of a Survey Conducted for Electric Cloud,” Osterman Research shed light on the rise of cloud computing in the enterprise. Cloud computing – especially the public cloud – has reached critical mass in Corporate America as many companies elect to reduce, simplify and streamline the costs and resources required to run IT. According to Osterman’s report, 55 percent of companies using public cloud computing first adopted cloud computing in 2010. While a higher number of companies elect to use a private cloud, a growing number are turning to the public cloud to maximize the cost benefits of a shared virtualized environment. Osterman reports that 20 percent of the survey’s respondents are currently using a public cloud, with another 34 percent that intend to implement a public cloud in the near future.
So, with abundant cost savings to be had, what’s the problem? You guessed it: security. Gartner Research reports that security is still the top concern for companies looking to migrate to the cloud, with a “lack of confidence in the cloud provider’s security capabilities” being the top reason.
And, worried they should be since the simple fact of the matter is that cloud service providers also face the same security challenges of the average enterprises (e.g. visibility, monitoring, access control, complexity, etc.). In April 2011, Amazon’s web server division, which houses information and applications for thousands of companies worldwide, suffered a disastrous server failure. The breach of service took down the online presence of hundreds of thousands of websites including high-profile clients such as FourSquare and Reddit. We may never know if this outage was the malicious intent of hackers or a technical glitch, but the fact is that when availability is breached, the security of your corporate assets and data are on the line.
Human error – another threat to cloud security – is even possible from the technically savvy. This was demonstrated by the recent “programming error” in popular cloud storage provider Dropbox’s customer account passwords. This error allowed users to access any other customer’s account.
Before chief executives and CIOs migrate or expand service dependency to cloud computing, several issues should be explored. How do you know that another company isn’t incorrectly accessing critical data? What happens to your business if you’re not able to access a certain application in the cloud? How will you be able to assure your customers that their data is protected?
3 Questions You Should Be Asking:
- How do you know that another company isn’t incorrectly accessing critical data?
- What happens to your business if you’re not able to access a certain application in the cloud?
- How will you be able to assure your customers that their data is protected?
The Shared Concern: Mobile Security
The explosion in mobile device usage may very well be the technological phenomenon that defines the past two decades. Telecom research giant Comscore reports that the number of U.S. smartphone users at the end of 2010 was 60 percent higher than in 2009. As such, the number of mobile devices – both company-owned and personal – accessing corporate data in the enterprise has greatly increased. Mobile device security is further complicated by the dual use nature of many “smart” devices, which effectively builds bridges between the private/corporate enterprise and cloud and social media services.
The problem here is that mobile device security is still in its infancy – both technologically and strategically. Viruses, botnets and other security threats can easily enter the network through mobile devices, yet few companies pay as much attention to securing their mobile devices as they do to securing their desktops and laptops. The rising use of mobile devices in the enterprises has attracted more attention from hackers. McAfee reports the number of cell phone-specific malware increased by 46 percent in 2010 compared to 2009.
This issue is compounded by the fact that the device itself is a liability if left in the wrong hands. According to American Medical News, one-third of health professionals store patient data on laptops, smartphones and USB memory sticks, yet only 39 percent of healthcare organizations encrypt that data. In June 2010, a security breach in a Web service used by Apple’s new iPad 3G exposed personal information of thousands of AT&T customers, including White House Chief of Staff Rahm Emanuel and New York City Mayor Michael R. Bloomberg.
CEOs and other chief executives must drive the prioritization and development of a company-wide mobile security policy that addresses how corporate data can be accessed and stored on mobile devices. This policy should specify guidelines for device usage and liability and cover both personal and company-owned devices.
How do you manage the dual-use nature of smart mobile devices securely? What happens if a product engineer’s iPad is stolen or left behind in a cab or coffee bar? Or how is the network being protected against incoming threats from smartphone emails or malware-as-application?
Chief executives have a responsibility to their employees, customers and shareholders to preserve enterprise integrity, credibility and security. IT security plays a major role in how executives are able to deliver on this responsibility. Actively engaging in the development of a strategy that protects against the aforementioned threats will demonstrate the company’s commitment to security from the top down.
3 Questions You Should Be Asking:
- How are personal mobile devices being used and secured in the company?
- What happens if a device is lost or stolen?
- What measures are in place to protect the company network against incoming threats from mobile devices?