Cyber Security and the Obligations of Companies
The cyber security landscape has changed in the past couple of years – and not for the better.
At a meeting of the Center's Business and Organizational Ethics Partnership, Ken Baylor, an expert on IT security and regulatory compliance, addressed recent security developments in a talk titled, "All Is Not What It Seems: The Reality of Cyber Security in 2013."
Baylor said there has been a recent increase in so-called targeted persistent attacks. "They're in your network, they're slow, they're moving around patiently, carefully," Baylor said. "They're in there for months or years. They do it really slowly."
Baylor outlined the breadth of these attacks, which have sought military and trade secrets, as well as targeting banks. Although banks themselves tend to be quite secure, with "auditors crawling everywhere," banks' customers are less so. Consumers whose money is stolen will generally get it back, but this is not the case for business customers.
In business, the need for quick, easy access to corporate data can clash with the need for security. Many companies believe that the role of IT is to make their engineers and other employees productive, with security a desirable but secondary goal. The California solar industry is one example of an industry that has been hurt by having trade secrets stolen on a massive basis.
Baylor discussed the different groups behind the attacks. Some attacks are perpetrated by "hacktivists" such as Anonymous and LulzSec. Groups based in Eastern Europe are known for producing advanced banking malware. The ubiquitous scam emails from Nigerians asking for money to be wired to them do, in fact, often come from scammers in Nigeria and from Nigerian nationals living outside the country.
Many countries participate in cyber espionage as well. The Chinese seek both military and commercial secrets, and groups based there are thought to have attacked Google, the European Commission, the New York Times, U.S. military contractors, and others.
What can companies do to improve their security? They face two challenges today, Baylor said: The bad guys are really talented and experienced, and corporate policies such as BYOD, or bring your own device, create more entry points to sensitive data and systems. BYOD leads to a proliferation of devices on the corporate network that the IT department has neither provided nor approved as having appropriate security controls and features, in both software and hardware.
The advent of cloud computing offers the opportunity for even more security breaches. The cloud is "absolutely, totally, utterly not secure – nor is it supposed to be, by design," Baylor said. Uptime, resilience, and response times are the key issues for cloud computing, and IT services, not security services, are the focus.
Since it is getting increasingly difficult to control what devices are on the network, Baylor suggested instead controlling access to the data. Companies can classify documents and applications based on the harm that could be done if they fell into the wrong hands.
"What's the really, really dangerous stuff that, if it got out, would harm my customers, my suppliers, or my company?" Baylor said companies should ask.
The most sensitive documents should have extraordinary security – which also means access restrictions. This could mean using technology that makes it impossible to open a document without authorization. Less restrictive security can be used for documents whose disclosure would be less catastrophic.
Putting highly sensitive data in the cloud is risky, Baylor said. And although antivirus software is a good first step, it will protect only against older types of malware.
For companies that handle sensitive customer and client information, it's also important to consider both legal and ethical implications of security breaches – and to know how to handle them if they do occur. This requires a "well-rehearsed incident response plan" that includes not just technical plans but also directions for the legal and management teams.
Baylor, who has worked for companies including Symantec and McAfee, has a doctorate from the National University of Ireland, a law degree from the University of Wolverhampton, England, and an MBA from the University of Texas. He also holds technical certifications including Certified Information Systems Security Professional (CISSP).
Margaret Steen is a freelance author.