Managing one’s state of digital security (or more accurately, insecurity) today is really built on three pillars.
1. Responsive posture
There is no doubt that hackers are attacking my network of 30 colleges every day. We catch some of those attacks; others, we don’t. The sheer volume of these exploits is driving a shift in the industry from detection to response. And that’s where winners in online security are being separated from losers right now. The question is not how quickly can we sense an attack, it’s how difficult can we make it for the attackers so that they move on to somebody else, and how rapidly we can respond when something does happen.
To give you some idea, here’s how quickly you need to respond in today's environment:
- Example 1. One of our employees succumbed to a spear-phishing attack that started a cascading effect of using that person’s credentials to attack other people. We were able to block it almost immediately and then completely shut it down within 20 minutes. I credit our organization’s response to a stance of moving swiftly and limiting damage.
- Example 2. In the old days – a few years back – it was possible to receive a software patch and evaluate it for up to 30 days before deploying. The last figures I’ve seen show that when a patch is released, you have between four to eight hours before a potential attack based on the fact that the patch is on the street and hackers can reverse-engineer the vulnerabilities that are contained within the patch. Companies exist today that are detecting these attacks as they occur in eastern countries and then trying to ensure sure that the defenses are in place before the sun rises in western ones.
2. Responsive management
All this said, even as attacks are becoming more sophisticated and more frequent, the basics of security remain.
- You need a robust endpoint protection system that’s looking not only at desktops and laptops, but at mobile devices as well.
- You need protection across the spectrum of virus, malware, mobile device management and patch management.
- You need top-notch network management that almost works like an automatic adapted system. Clearly, the days of being able to review security logs at the end of the week, or even the end of the day, are gone.
- You need disaster recovery and business continuity solutions. If you suffer a security disaster, have you figured out how you are going to do business continuity? This involves a substantial investment of resources, and typically involves the CEO of the company.
3. Responsive culture
Of course, the weak leak and the strong link in security is ultimately your people. Even if you define a formal risk management program where you characterize the real risks to your data and to your enterprise systems and you prioritize remediation of that risk to an appropriate level, unless the entire organization or corporation is on board with that, you’re going nowhere.
Think back to my patch management example. Let’s say you’re ready to implement new patches right away, but you’ve got some faculty member or manager who, for political reasons, is insistent that he or she retains the right to patch his system. Then you’ve got a real problem. Organizations need to do the appropriate checks, but do them very quickly, and then deploy the patch. So how will you get everyone on board?
Disasters large and small will come to you. Target and Sony and countless other examples prove it. That means your IT staff and all your employees need to think in terms of working as a team when it comes to security. Make no mistake: one of these exploits handled the wrong way can get you fired.
This time it’s personal
I’d love to say that security exploits and professional hackers don’t get under my skin, but they do. There is clearly emotion associated with all this, and that emotion has to be managed. After all, this is one of those areas where personal attachment and job security directly intersect. Not only that, if the exploit is of sufficient scale, it could affect you even after you leave your company and limit your long-term employability.
That’s why the best defense, in security at least, really is a good offense.
Curtis A. Carver Jr., Ph.D. is the Vice Chancellor and Chief Information Officer for the Board of Regents of University System of Georgia (USG). In this capacity, he oversees a statewide educational infrastructure and service organization with more than 190 innovators and more than $75 million annual investment in higher education. He also provides technical oversight of the USG Shared Services Center. Dr. Carver has led the transformation of IT services by partnering with USG business owners, institutions, and other state agencies to jointly solve problems.
