“Most people are not going to look really closely to know where that email came from, and they click on it and their machine may be taken over by somebody, or infected,” says Ronald Nutter, online security expert and author of The Hackers Are Coming, How to Safely Surf the Internet. “Especially when you’re exchanging files with subcontractors or partners on a project, you really should be using a secure file transfer system so you know where the file came from and that it’s been vetted.” He also cautions recipients to be wary of any file that asks the user to enable macros, which can lead to a system takeover.
How often to adopt infosec policy changes is a conundrum. Companies need to come up with a way to remain flexible, to ensure that their policies and procedures reflect the current threat landscape, yet they can't hand down so many new rules and restrictions that they frustrate users and inadvertently compel them to consider bypassing corporate rules, explains Kelley Mak, an analyst at Forrester Research. At the same time, companies have to strike a balance between using firefighting tactics to address the most current threats and treating information security policy as a holistic strategy, Mak says. "It's not as simple as taking the data and making a new policy, because you have to make sure information workers aren't upset," he says. "The more restrictions you put in place, the more likely someone is to go around it."
Like the legitimate software market, cybercrime is now a huge economy in its own right, with people with a range of skillsets working together towards one goal: making money with illicit hacking schemes, malware, ransomware, and more. It's essentially an extension of 'real world' crime into cyberspace, and it's come a long way in recent years as groups have become bigger, more specialized, and more professional. "There's been a substantial amount of improvement and innovation in the way attackers go after networks and, as cybercrime has professionalized, you've seen individuals develop a particular set of skills which fit into a broader network," says Gleicher, now head of cybersecurity strategy at Illumio.
Organizational agility, not to be confused with the Agile methodology, is the ability to quickly identify and execute initiatives for opportunities and risks that align with overall strategy. This means that organizations have not only to stay aware of changes in their business environments, but also to be flexible enough to change direction and implement new initiatives quickly, both in order to avoid risks and to achieve competitive advantages. APQC and Strategic and Competitive Intelligence Professionals (SCIP) conducted a survey to look at organizational agility and understand what role strategy has in helping organizations be more agile. To that end, the survey investigated organizations’ agility, strategic planning, information assessment, and implementation practices.
What’s different is that your user population needs to know what to do if a ransom message appears on their screen. Do they power off, disconnect from the network or do both? Your user community has to know exactly what to do. By the way, the right answer is to disconnect from the network and not power off—rely instead on whatever mechanism you have to trigger an incident response. Do not power off. So the users have to know that. Assuming that you have the basic hygiene—the incident response plans, the remediation, the patching, the hardening, the configurations—in place, then the only other additional consideration is that if you don’t have a fast, automatic way of detecting and responding to zero-day malware—either at the network level or at the end point level—you need to get one.
Basically we are inexperienced in creating large platforms with security in mind. This inexperience in deploying mass networks in a secure way could create a recipe for major breaches and security issues. The IoT is a relatively greenfield area in IT. It should offer the chance to design and architect solutions with security integrated right from the start, rather than an additional feature further down the road. Whilst CIOs need to be mindful of this issue for future planning, there is also the opportunity to make sure vendors are building this security into any IT expenditure that the organisation plans to make. Existing security controls may well be able to address these new concerns but they need to be implemented in an agile and effective way to enable them to adapt to the new attack vectors.
Many companies today hope to avoid similar high-profile wakeup calls. After years of news about disastrous breaches, information security has finally gotten the attention of upper management. Two-thirds of 287 U.S. respondents to a survey conducted by CSO, CIO and Computerworld said that senior business executives at their organizations are focusing more attention on infosec than they were in the past. And most of the respondents said they expect that focus to continue. Yet IT leaders still face challenges when it comes to aligning security goals with the needs of business, including justifying costs, defining risks, and clarifying roles and responsibilities.
Like yesterday’s code libraries, you could try to build A.I. platforms yourself -- if you had a few years and a dozen data scientists to throw at the problem. Or you can access A.I. engines like IBM’s Watson or Google’s TensorFlow “as-a-service,” taking advantage of the planet’s most advanced, fundamental CS work via an API call. When one looks at the world of software in this way, the choice for most companies today is straightforward: spend years of effort and millions of dollars in expense duplicating extremely important -- but ultimately commodity, especially once it’s open-sourced -- computer science work, or instead focus on leveraging that work to develop and improve their own products and intellectual property. For most businesses, the choice is simple.
We can all pretty much agree that Windows has some staying power. That said, when I asked our resident Windows soothsayer Ed Bott about actual numbers of users, he told me, "Given that PC sales are flat or down in recent years and are probably close to the replacement rate, it's likely that the very large Windows installed base is shrinking slowly." The operative word here isn't "shrinking," it's "slowly." There are millions of users out there who have good reason to stick with Windows. Many of them will continue using it because the learning curve for a different operating system is either too much work, or just simply unnecessary. Others will stay with it because Chromebooks, tablets, and other "appliance-like" machines just don't have enough power and flexibility.
Working with IT, HR should establish processes to manage access rights to sensitive data – ensuring that appropriate controls are in place – and preventing employees from accessing data that they don’t need. HR can also support IT in identifying gaps in terms of departments or individuals, like contractors or temporary staff, with permissions that have not been withdrawn or privileges that may need to be re-defined. They can implement processes and technology for managing access rights and for ensuring that these are regularly audited to close any security gaps. Full co-operation between HR and IT is essential in projects of strategic importance such as IAM (Identity Access Management) deployments. A lack of such co-operation is a common pitfall: without it there can be misunderstandings, or at worst, projects can unravel entirely.
Quote for the day:
"Negativity will derail you from pursuing success, and like attracts like." -- Kathleen Elkins