As an IT security professional with many years in the business, I can’t remember a time when IT security has been as crucial to the success and survival of businesses. No matter how good a business thinks its IT security is, the bad guys have figured out how to pick the locks. According to Bob Martin from CISCO Systems, “With breaches at more than 13 retailers and a number of unknown breaches that were never reported, 2014 was one of the biggest years for retail data theft. With large amounts of financial, personal, and even medical information on their networks, the retail industry will continue to be an attractive target to attackers for years to come.” As the recent Equifax breach has shown, this trend is definitely continuing.
Lapses in IT security can have devastating consequences. In the past year alone, ransomware attacks like Petya and WannaCry severely affected government agencies, and corporations all over the world. In the case of WannaCry, when researchers found a kill switch in the code, they were able to stop the malware before it could do truly catastrophic damage. In short, countless businesses around the world, many of whom were completely unprepared to deal with such an attack, and don’t even realize it today, got lucky.
Knowing what to do, for businesses both large and small, is complicated. It’s not as simple as just going out and installing the most state of the art impenetrable IT security that money can buy. The CIA model, which stands for confidentiality, integrity, and availability, is helpful for understanding why this is the case. It’s about openness. A system that is perfectly confidential, using, for example, air gapped servers with no network connection, is by definition not available. While a bank can lock key physical assets in a vault, most businesses can’t do the same with their data. They rely on access to their data to operate, for interacting with customers.
The way that companies work, and the people who work in companies, is changing. Whether it is employees or customers, people expect to be able to take their own devices with them wherever they go, and are clear that work-life flexibility is a priority. Businesses that don’t understand this, or cater to this, will have trouble surviving in today’s market. That is why developing an IT security solution is a challenge. There is no single one-size-fits-all answer, and the solutions required will depend on the unique circumstances of each business. What’s more, those solutions will need to change over time, to take into account changes in technology, and exposure to new vulnerabilities.
My goal in writing this series on IT security is to start a conversation. While most businesses today understand the importance of making IT security a top priority, there are key challenges that make it difficult to implement solutions. There is the technical challenge, and then there is the relationship challenge. In my upcoming posts, I will delve into these challenges, and how businesses can overcome them.