If you feel overwhelmed by all the challenges involved in managing governance, risk and compliance (GRC) initiatives, you’ve got a lot of company. Many managers and executives are under pressure to create a comprehensive, enterprisewide strategy for dealing with security and regulatory issues.
As contributing writer Sam Greengard states in his cover story, Keeping a Lid on Risk, “Organizations are search-ing for ways to take a more strategic tack, consolidate initiatives, and do a better job of recognizing and categorizing risk. Unfortu-nately, the situation isn’t getting any simpler.”
These days, threats come from all directions: from untrained workers and angry ex-employees to clever cyber-criminals in various locations around the world. Add to that a growing number of regulatory and compliance requirements—and the risk of facing a government investigation—and technology and business managers face an intimidating situation.
Consider the challenge facing Gordon Bruce, CIO of the city and county of Honolulu (Riding the Tech Wave). After implementing 150 major IT systems and providing citizens with online access to new services, he and his team had to deal with some significant security issues—both internal and external.
“Security vigilance never ends,” Bruce wrote. “In fact, we are going through a complete physical and cyber-security assessment right now.”
That’s a smart move, as cyber-threats are ubiquitous in today’s world. “The technical innovation and capabilities of online criminals are remarkable,” according to Cisco’s 2009 Midyear Security Report. “Several million computer systems have been under Conficker’s control at some time as of June 2009, which means the worm appears to have created the largest botnet to date.”
In a recent conversation with Patrick Peterson, Cisco fellow and chief security researcher, I heard some discouraging news: “Cyber-criminals are becoming sophisticated in the ways of business and are acquiring our best practices. They are using Harvard Business School techniques.”
As an example, Peterson said that many cyber-criminals are acquiring “customers” (in reality, victims) by quickly taking advantage of major news events. He noted that after Michael Jackson’s death, scammers offered a “unique video” of Jackson that could be downloaded for free. But what hapless fans actually downloaded was a botnet.
Mobile phones represent an area that’s ripe for abuse, according to Peterson. In this scam, criminals send a text message to people who belong to a small bank or credit union. The message says there is a security issue with their account and gives a phone number to call. Individuals who call the number unwittingly hand over their personal information to thieves. “By targeting small banks and credit unions, the criminals fly under the radar,” he added.
Partnering is another best practice cyber-criminals have adopted. According to the Cisco report, “‘Bad guys’ are aggressively collaborating, selling each other their wares, and developing expertise in specific tactics and technologies.” In other words, they’re ganging up on us.
Some scammers have also adopted marketing moves. “They’ll infect your computer, then tell you it’s infected and offer an inexpensive product to clean up the problem,” Peterson explained. “Once purchased, the product will make the symptoms go away, but the malware will still be sitting there.”
Things are pretty grim on the home front, as well. “Layoffs, lack of jobs, and an erosion of trust between employees and employers have created a perfect security storm,” Peterson said. He added that many companies don’t immediately shut down access to all of a laid-off worker’s accounts, leaving an opening for a disgruntled ex-employee to do serious damage.
To counteract this internal threat, Peterson offers some straightforward advice: Educate and train all employees about security issues; give each employee access only to the accounts he or she needs to do the job; and immediately lock terminated employees out of every account. Unfortunately, Peterson thinks the economy and job situation will keep these internal threat levels high for the next six to nine months.
It’s pretty obvious that the overall security landscape isn’t going to get better any time soon. The enemy keeps getting smarter and more aggressive, so we have to fight back with all the weapons at our disposal.
This is a battle we can’t afford to lose.