Drawing from a recent read of “Case 1: The Seeds of Dysptopia” in the World Economic Forum 2012 Global Risks 2012 Seventh Edition, it’s now more than apparent than ever that the impact of crime and terrorism in the digital world is fast mirroring that of a physical world. We’re living in an era where attempts to build a more secure world may have unintentionally gone astray as evidenced in Ellen Messmer’s Worst Security Snafus of 2012 where such consequences were clearly not imagined or intended by security vendors and businesses alike. We’re indeed dealing with the opposite of Utopia.
Our digital reality can be very fragile when one considers that how heavily we rely on mobile devices and cloud applications not only to conduct business but also in our personal lives. And the data that is transmitted via these devices and to various cloud applications is increasingly a target for scammers, thieves and hactivists.
And, it’s not only government entities, critical infrastructure and key verticals that are the targets of such attacks; in today’s climate every organization is a prime target. Take the very recent case of an Australian healthcare organization that is being held to ransom by hackers to the tune of AU$4,000 who recently hacked into their database and encrypted the data – it seems an extraordinary scenario for a small organization to be facing. Not only has their data been compromised but it has been rendered inaccessible as the organization now has to find a way to decrypt that data, which is proving to be rather challenging.
So what should organizations do to shore up their defenses? Start by treating data as the key asset to be protected versus fortifying your infrastructure. In today’s world data takes on increased significance -- bank account statements, personal information, credit card numbers, trade secrets, government documents. Every one has data they need to ensure tight control off and aligning security controls to the CIA (Confidentiality, Integrity and Availability ) triad can help ensure the right measures are taken.
When we talk about confidentiality of information, it’s about about protecting information from disclosure to unauthorized parties. In addition to measures like encryption, look to beef up access controls by feeding security decisions and intelligence across various enforcement points in the network rather than only at a single choke point in the data stream. Integrity of information refers to protecting information from being modified by unauthorized parties. Leverage global correlation and threat intelligence with reputation-based feeds to protect against new threat vectors and emerging malware. Availability of information means ensuring that authorized parties are able to access the information when needed. Think of the network as a data enforcement layer and link that to a strategy that identifies users based on contextual attributes (where, when, how and business need to know) when accessing critical of confidential information assets. So, what I have outlined is a starting point towards moving one step at a time towards a Utopian Digital Future. What are your strategies? We’d love to hear from you.