Five years ago, I wrote an article on the challenges of implementing Information Security in an enterprise. Sad to say, even in the post-9/11 era, not a whole lot has changed there. Sometime in the next couple of weeks, I’ll write an updated document on what challenges I see today for an IT Security Professional. Don’t get me wrong — there’s a lot that has changed in terms of threats and tactics, and there are new concerns to address, but unfortunately, there is far too much of the people element that hasn’t changed in a noticeable way.
A couple of weeks ago, a colleague brought the following article to my attention, on the Evolution of Corporate Security. It is a very intriguing read, and certainly mirrors things that I have observed over time. One thing it doesn’t address, however, is that most organizations believe that they are one or more levels higher than they really are, or that they don’t need to be at a higher level because their organization is not the type of organization that can afford to spend what they believe it will take to get to that level. And it happens across all sorts of industries, including some that probably *should* try to spend some money (but, more importantly, some time and effort) to get to the next level.
It is true that not every company needs to be managed like Fort Knox — certainly not on day one. But there is a major misconception that only businesses that are directly about money are targeted for nefarious purposes. Just as identity thieves don’t simply go after the rich and famous, botnets are not only built to attack banks. For that matter, it is easier to recruit a batch of systems for botnets from institutions that are not in the Financial industry (or other environments generally perceived to be secure) because fewer resources are put towards detecting and mitigating these risks.
The problem is that your environment can be infiltrated for a variety of reasons, including to provide computing power to attack more valuable organizations. This leaves you open to liability concerns where you must prove that an attack did not actually originate from you, and that you took adequate steps to prevent such an event from occurring. The damage to corporate reputation is too great a risk to simply assume that you don’t make a juicy target, especially since a bot has no idea how valuable your data is until after it has gotten a foothold in your environment.
The days of broad and open worm attacks are going by the wayside, if they haven’t gone already. The blackhats, and those elements of organized crime that are behind them, have realized that they can get much better mileage out of a vulnerability if they act on it stealthily and over time, rather than writing sloppy code that “noisily” takes down a bunch of systems on the Internet over the course of a few days with a whole lot of mainstream press…
Security is not an impediment to doing business — it is the cost of mitigating the other risks of doing business.