Just like nearly every other enterprise, online security has been on our agenda for years. But in 2014 security really moved to the top of the agenda, with good reason. The security landscape is becoming unrecognizable compared to only a few years ago. Consider that there were 150 million malware variants circulating at the end of 2013 – and approximately 300 million at the end of 2014. That equals 200,000 new variants hitting the environment, hitting the world, every day.
As the number of variants has exploded, the type of person creating them has changed as well. The real threats are not coming from high school whiz kid hackers trying to be a nuisance from their parents’ basement. Think more along the lines of a sophisticated organized crime ring that might be internationally based — and even government-sponsored — and that is targeted at making money. From a CIO perspective, my awareness of and focus on this space has moved to top of mind. And just as the environment is now different, our approach has changed as well.
Historically, IT has built perimeter defense and client/server defense, used antivirus tools, set up firewalls, and so on. The bad guys are at least a step ahead of these approaches. This reality moves IT away from being able to fully control and guard our information security. And it means we have to follow a few new rules that I suggest you consider as well.
- Do whatever it takes to get threat information sooner. I’ve seen many instances this year when zero-day attacks were ahead of the antivirus companies, ahead of some of the firewall rules, and ahead of email encryption technologies. I’ve even seen stories on CNN or The Wall Street Journal about exploits before press releases come out from the security companies and software vendors. This calls for a fresh approach to staying on top of exploits — reading blogs, ZDNet, and Reddit — and demanding that you get information sooner.
- Make employees stewards of information and data security. Each employee is an entry point that introduces risk, so they need to be educated and trained to defend and guard your vital data and your network security. One technique we’re exploring is gamification. As you may already know, retention of learning via gamification is significantly higher than via traditional learning.
- Take a fresh look at every vendor tool and partner. It’s up to you to ensure you have the highest or most appropriate level of coverage to protect the data in your network. Doing so may require working with a vendor who has infiltrated Darknets, niches of the Web that aren’t discoverable by major search engines and harbor anonymous hackers who only go by aliases. Having a link to a vendor like this gets you a line on information about potential pending attacks before they become risks.
Whatever your specific strategies are, the first thing you need to do – very quickly – is accept the fact that the security landscape has changed and you need help. Don’t sit there thinking that the world hasn’t changed and the traditional methods are going to work in the future. Get past that quickly. And then start making the right moves to bring the rest of your team along with you.
Paul Brady is Vice President of Information Technology and CIO at Arbella Insurance. His responsibilities span infrastructure, application development and IT core services.