For many, security is the ugly child of IT. When people start to consider security, it's often as an afterthought or, at worst, a necessary evil.
Thankfully, attitudes are changing. Recently a series of high-profile cases have focused companies' attention on the need to protect their own data and, perhaps more importantly, their customers' data.
In particular, the recent highly publicised attack on Sony's IT infrastructure demonstrates an insidious form of attack in an increasingly connected world: attacks deliberately and exclusively aimed at damaging an organisation's credibility by compromising its employees' or customers' privacy.
Many organisations have long since appreciated that the damage to a company’s reputation caused by security breaches is the single biggest threat to their credibility.
The Sony case and the recent leak of US diplomatic cables have both highlighted the fact that organisational embarrassment alone is now a powerful weapon when wielded by malign hands. In both cases the data was released into the public domain through the supposed anonymity of hacker groups.
The ‘Cablegate’ affair was not a sophisticated attack from an externally acting agent. The culprit was a rogue individual within the organisation who simply abused the access that he might legitimately have been said to have required for his role.
Could simple mitigating controls have reduced the impact of this security breach?
If careful segregation of data on a need-to-know basis is the principal risk-reduction method in an organisation's armoury, mitigating controls should be the second line of defence.
The US deliberately loosened rules regarding the segregation of data after 9/11; the objective was to improve information sharing and ultimately the effectiveness of the security services' analysis. While these were worthy aims, it could be suggested that the corresponding compensating controls were neglected. Such controls could have provided oversight of the extraordinary amounts of data being downloaded by this individual.
The ‘Cablegate affair’ compromised people who had provided information to the US security services and to which a duty of care was owed. The reputation of the US government has suffered as a consequence.
Your reputation hinges on protecting your customers' data.
Ultimately, a vigorous approach to securing your organisation's data is an important part of building confidence and trust with those with whom you work; secure organisations are professional organisations.