Cyber warfare is entering a new phase. Up until now, there has been a lot of hype and fear-mongering surrounding cyber warfare and internet security. For anyone even remotely involved in security, the negative news from virtually all media outlets is a daily occurrence. Sometimes, to be effective, you need to raise fear. But after a point, people tune out, start to feel taken advantage of when fears are not realized, and become desensitized to the point of doing nothing. Cyber war and the increased threat of identity theft are things to be aware of, and precautions need to be taken; however, relying on fear as a motivator to increase security rarely leads to common sense strategic decisions and actions. This is not to suggest that there isn’t something to be afraid of, but maybe a little perspective is in order. The paradigm shift is in full swing, with fear, uncertainty, and doubt giving way to “How do we fix it?”
We participate in online forums, subscribe to news sites, post personal photos, click on links sent via email, reply to emails and perform other tasks without really knowing who is on the other end. Similarly, in our daily lives we encounter and interact with people we meet walking down the street, the package/pizza delivery people for whom we open our front doors, the fellow passengers we share personal information with on planes, the wait staff who deliver our food, the phone solicitor or pollster we engage with, and the strangers we shake hands with at church. Do we really know the people we allow into our home, or with whom we are exchanging our personal and financial information, or who prepare and serve our food? No, we don’t. We certainly don’t know who’s on the other end of any of our communications on the internet, either. The cyber world is a mirror of the world we already live in, just in a different and broader context. It is broader, because a piece of malware, strategically positioned, can attack many locations at one time. Like traditional aspects of our world, we need to recognize and understand the dangers of the cyber world and practice common sense security, without losing the benefits and opportunities to interact and engage.
According to the NSA, about 3.2 billion people are connected and online at any one time. It’s reasonable to anticipate that not all entities we encounter online are good ones. In fact, to ignore or deny the possibility that bad entities are online is not only naive, but dangerous. The percentage of bad actors per capita is about equal between the cyber and non-cyber world. If you behave in a reckless manner online, or if you work in a high-profile industry (e.g. financial, military, research, etc.), you are at even greater risk. Again, the cyber world is a reflection of the world we live in every day.
People complain the internet is not secure. Yes, that is true. But the internet was never intended to be secure. Its initial purpose was to enable and facilitate global collaboration and knowledge-sharing. Computers themselves were never designed for security, either. And yes, most software is still built with “back doors” for many reasons, not the least of which is user support and password resets.
Until breaches like Target became commonplace, it was an uphill battle to get corporations to take information security seriously, let alone cyber security. Network and computer hacks have been going on for decades, by both people and governments. Ever heard of Operation Ivy Bells? It’s only been within the last few years, because of new requirements to report, that both individuals and businesses have become more serious about information security, particularly cyber security. Until there were documented costs and sanctions associated with a security/data breach, there was little, if any, ROI for devoting time and money to information security. More than 30 years ago, hackers existed who were using relatively advanced methods. But companies rarely performed access monitoring, and when breaches were discovered, most organizations never reported them. The potential cost of a cyber breach was not appreciated or understood, particularly by the judicial system, making enforcement and prosecution of cyber-based crimes such as identity theft, IP theft and even online harassment difficult, if not impossible.
Many companies entered into the world of information security and compliance because they were mandated through federal regulation, statutes, and other specific compliance requirements. Remember Visa’s CISP? Security was a facade layer added after software was built, systems were installed, or networks were designed. Building privacy, security and compliance into systems and processes is a fairly recent phenomenon.
As a result, many of the security breaches we see today stem from missing basic, foundational security controls. We use common sense to lock our doors and windows, and we install security systems in our homes and offices to prevent or dissuade criminals from gaining access. Yet businesses do not apply the same common sense practices when it comes to cyber security. Many of the recent, publicized breaches began with exactly those missing controls. If the controls had been in place, some of those breaches could have been prevented, or the damage greatly reduced.
This is not to say that advanced attacks don’t exist. They do. But too often malicious hackers walk right through an unlocked door without the use of sophisticated means to gain access, and once they’re discovered, there’s no game plan to stop them and mitigate damage.
Let’s put common sense back into security and stop the fear-mongering. Our team will be releasing a series of articles discussing cyber security for the non-technical decision-maker. Our goal is to provide an understanding of cyber security, its basic concepts, and methods. We will give you information on how to stay secure, but most importantly, how not to let fear and marketing hype guide your decision-making.
Mary Frantz is the managing partner of EKP, LLC, a national security, technology and e-discovery services firm based out of Minneapolis. email@example.com