As enterprises go increasingly mobile and Bring Your Own Device (BYOD) becomes a way of corporate life, CISOs are facing a tough time maintaining a secure IT infrastructure. In conversation with Biztech2.com, John Kendall, Director, National Security Program, Unisys APAC reveals some critical challenges that stand in the CISO’s way and shares pointers on how to deal with them.
What are the challenges a CISO faces today amidst the growing complexity of cyber threats?
To begin with, there are the internal threats. The insider threat can be unintentional, such as a lost USB drive with corporate financial data, a lost or stolen mobile device with access to corporate systems or emails, or an employee fooled into disclosing data in response to the increasingly sophisticated socially engineered spear-phishing scams. Regardless, the consequences for the organisation can be devastating and the CISO has to be prepared to tackle these threats.
Moving outside the organisation, there are threats that can result in harm to a business’ bottom line, reputation or both. We conducted a poll in 12 countries and asked “What action would you take if you found out your personal information being held by an organisation had been accessed by an unauthorised person?”
In every country, the survey found that individuals were prepared to take strong action against the organisation responsible for the data breach. For example, in Australia 85 percent said that they would stop dealing with an organisation if their data was breached, 64 percent said they would publicly expose the issue, and 47 percent said they would take legal action. This shows that securing against data breaches is in fact a business issue, not just an IT issue.
With the advent of BYOD, how has the security landscape changed? What are the key concerns that CISOs face in this regard?
Mobility in the work environment does bring new risks as mobile devices are more vulnerable to getting lost or stolen and if unsecured, may open up access to corporate systems or have sensitive data saved on them. The three key areas of concern are:
• Securing the mobile device, residual data and any apps on it – passwords are not enough.
• Ensuring staff know and understand company security policies.
• BYO applications on devices used for work purposes.
Many believe that in coming years, government sponsored cyber attacks will increase. What can you suggest to various government agencies on how to deal with it?
The area to watch is cyber terrorism attacks on critical infrastructure such as power and water supply, telecommunications, transport and financial services.
Traditionally, we are used to dealing with unintentional outages of these services, such as those caused by a natural disaster. However, critical infrastructure may also be viewed as a ‘soft target’ by those who wish to inflict major disruptions.
Failure in one area of infrastructure can also create outages in others – in a domino effect. For example, a power failure may result in telecommunications outages or the closure of key toll roads or train lines.
Individual critical service providers and the government have a joint responsibility to work together to protect the greater issue of national security. Whether self-regulated or mandated, because of the wide reaching ‘ripple effect,’ we need to be sure that utilities, banks, and telecommunication providers are taking appropriate steps to protect their service delivery from cyber attack. Similarly, governments need to provide the support, guidance and incentives to ensure these organisations are able to protect their services from attack, as part of a national cyber security strategy.
A holistic view of security – threats, vulnerabilities, consequences, and countermeasures – is required. There are numerous stakeholders that play a role in securing our critical infrastructure – including government, commercial organisations, state and central police and more. To better protect our critical infrastructure, these stakeholders must develop a culture of information sharing beyond what exists today. Fundamentally, we need to start by creating a broader definition of national security than what we have today.
Experts say Indian enterprises are not that mature in terms of security infrastructure compared to their global counterparts. Can you suggest how to push up this level of maturity?
Virtually all organisations have incorporated some type of security solution to protect their data and physical and human resources. However, these have often been implemented as point solutions in response to a specific threat. This can result in ineffective investments that fail to address the actual security needs of the organisation.
Organisations should start by assessing their security vulnerabilities and then developing a comprehensive cyber security strategy that takes into account governance, risk and compliance, users, data, applications, infrastructure and assets.
Simply addressing a singular issue such as securing mobile devices or securing cloud computing environments is not enough. So, with a cyber security strategy that addresses all of these inter-related trends, business leaders can be confident of a consolidated defence approach.
What security measures do you see enterprises adopting in the near future?
Talking about data security, organisations face a greater risk due to mobility with multiple endpoints sitting outside the traditional network. Hence, there will be a focus on securing data rather than just controlling access to it. That way, even if someone unauthorised does access the network, they won’t be able to read the data.
Mobility in the enterprise will also give birth to new sophisticated approaches to security. For example, attribute-based access control is an emerging technology that does not grant access based only on the nature of the data and the individual requesting access. It also factors in the location from which access is being requested and the method used to authenticate identity – for example, requiring a fingerprint rather than a password for access to more sensitive information.
Attribute-based access control also identifies deviations in the access request outside the employee’s normal pattern, such as attempts to access information they don’t normally access or at hours outside their normal work schedule. Such approaches help stop data breaches before they happen by automatically enforcing appropriate security measures.
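The attribute-based decision described in the last answer, as an added example that is not part of the interview and not taken from any Unisys product. The sensitivity levels, authentication strengths, profile fields and the deny/step-up rules are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed attribute scales (assumptions, not from the interview).
SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}
AUTH_STRENGTH = {"password": 1, "fingerprint": 2}

@dataclass
class Request:
    user: str
    resource: str
    location: str
    auth_method: str
    at: time

@dataclass
class Profile:
    """Hypothetical baseline of one employee's normal access pattern."""
    usual_resources: set
    work_start: time
    work_end: time
    trusted_locations: set

def decide(req, sensitivity, profile):
    """Return (decision, reasons); decision is 'permit', 'step_up' or 'deny'."""
    level = SENSITIVITY[sensitivity]
    reasons = []
    # Environmental attribute: where the request comes from.
    if req.location not in profile.trusted_locations:
        reasons.append("untrusted_location")
    # Deviations from the employee's normal pattern.
    if req.resource not in profile.usual_resources:
        reasons.append("unusual_resource")
    if not (profile.work_start <= req.at <= profile.work_end):
        reasons.append("outside_work_hours")
    # Restricted data never leaves trusted locations in this policy.
    if level >= 2 and "untrusted_location" in reasons:
        return "deny", reasons
    # Stronger authentication for restricted data, or for any deviation
    # on non-public data.
    required = 2 if level >= 2 or (reasons and level >= 1) else 1
    if AUTH_STRENGTH.get(req.auth_method, 0) < required:
        return "step_up", reasons + ["stronger_auth_required"]
    return "permit", reasons

if __name__ == "__main__":
    # Constructed sample: payroll access at 23:00 with only a password.
    alice = Profile({"payroll-db", "wiki"}, time(8), time(18), {"office", "home"})
    late = Request("alice", "payroll-db", "office", "password", time(23))
    print(decide(late, "restricted", alice))
```
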