More than 20 years later, in the wake of hundreds of similar and often more damaging viruses, organizations have proceeded to spend hundreds of billions on computer security. And, regrettably, the risks seem to grow at a faster rate than any degree of paid protection can allow.
In the early days, the intention of the Internet and the goal of its designers was merely to spread information rapidly and reliably. What started as a group of only a couple of dozen researchers contributing to the network has exploded to roughly 3 billion regular users. In many instances, the Internet drives a significant portion of our lives today, from both a business and a personal standpoint.
As anyone reading this probably knows, the Internet functions significantly differently from traditional telephone systems passing chunks of binary code, called “packets,” across a vast and dynamic system. When the Web was first being built, the focus was to ensure the packets were getting to their desired location, and the consequence was the development of an increasingly complex group of networks. However, what has resulted is a system today in which there is no U.S. or other government agency that has oversight or control over the World Wide Web the way nations have over their telephone systems. It was a problem that pretty much no one saw coming.
Hindsight is 20/20
In hindsight, the U.S government was taken off-guard. The early military-based system, Advanced Research Projects Agency Network (ARPANET), was developed against the backdrop of the Cold War, and its expansion into what would become the modern-day Internet did not adequately take into consideration issues of security. There was discussion in the early days of the creation of encryption technologies to protect against such concerns, but the National Security Agency (NSA) had reservations about allowing encryption to be available on public or commercial networks.
So, the network grew openly, in a spirit of sharing and collaborative innovation, meaning pretty much anyone could join. Which is really cool, unless you’re focused on security. What wasn’t anticipated was that the Web’s combination of speed, reach, and efficiency was ultimately a catalyst for what we now recognize as vast security concerns and the potential for black-hat style digital espionage.
It’s safe to say that CEOs, CIOs and IT directors alike are well aware of the significance of cybersecurity threats. One recent high-profile breach resulted in a trifecta of calamity for the company affected: A lawsuit was launched, a $10 million settlement was awarded, and the CEO was unceremoniously booted from his position. An eye opener, to say the least, and without question something that keeps IT pros and senior management alike up at night.
As we discuss often these days, technology has resulted in dramatic changes in the business landscape. New technology leads to new trends, such as BYOD and cloud-based computing, that ultimately lead to potentially bigger and bigger security related challenges for CIOs and their teams. As security concerns deepen, so does our increasing reliance on the cloud, meaning more and more data that can be used by increasingly competent hackers is ripe for the picking. What follows are some of the common issues that enterprise IT professionals must be aware of in order to minimize unnecessary risks.
One of the most common and already widely recognized challenges is Shadow IT, where employees use a form of software or hardware that has not been endorsed by the IT department. Whether for personal or professional use, these platforms have not been scrutinized the way in-house, pre-approved tools, and software have. As a result, this puts the entire organization at risk — as malware or other viruses can attack one computer on the network and effectively spread to the others. Not to mention that many of these apps are cloud-based and run by third-party providers, meaning your highly sensitive data could be at risk of a breach.
This is a cross-departmental issue in which divisions (such as marketing) might install their own software in order to better facilitate their activities, without consulting IT. The phenomenon is common, and roughly 75 percent of all organizations report to having to deal with it.
Shadow IT, despite its rather nefarious name, isn’t necessarily all bad. Many of these programs facilitate increased efficiency and employment satisfaction, with employees reporting that the main reasons for using outsourced applications is the ability to do their jobs better and quicker. That said, at an enterprise level, silos must begin to fall between departments and trust needs to be built between teams in order to open lines of communication and develop policies around shadow IT and the use of external platforms.
IT teams will need to do a better job of communicating internally that they are there to facilitate better, faster, more productive work, and marketing, sales, and other departments need to learn to trust and rely on their IT counterparts rather than finding and implementing their own solutions. Today, the safety of the company, its data, and its customer data is quite likely at stake.
Going hand-in-hand with shadow IT is bring your own device (BYOD).The rise of mobile devices has meant employees at every level now bring their own smartphones and tablets to work for both professional and personal use. This can be great for productivity, as teams can work with tools they are both familiar and comfortable with. However, it also presents an obvious challenge, as it is almost impossible for IT to control user devices. This means that dozens of personal programs or applications can leave the network susceptible to breaches.
Controlling the devices themselves is unrealistic from an IT perspective, though there is one solution that CIOs and their teams should implement: controlling data access so that users are only able to view what the organization allows them. This means that with the right systems in place, employees can quickly and easily access the data they need, remotely, but they won’t need to or be able to store anything on the device itself.
This, therefore, brings us to another fundamental challenge facing IT departments: striking the right balance between flexibility and control with regard to data privacy. Ironically, the previous two potential threats—BYOD and shadow IT—originate from inside users. What remains is the question of how much flexibility users are allowed and how much control IT decides to exercise. It is also important on the behalf of senior management to recognize what is sensitive information and what, is not in order to minimize the potential for any information landing in the wrong hands.
The cloud is not only the future of technology, it’s the new normal. Cloud technology provides smoother communication and collaboration between internal IT staff and other departments, and generally leads to an increased efficiency in operations. However, security remains a key concern and slows the adoption of cloud, especially for those enterprises that deal with highly sensitive data and that have very high level clearance requirements. Cloud isn’t an across-the-board solution for every business, but with the right systems in place and the right security measures, cloud adoption at some level within every organization is pretty much inevitable. It only makes sense.
Cybersecurity technology will continue to advance with technologies such as biometrics and authentication, though the degree to which these neutralize threats is yet to be seen. And, of course, there is no one tried and true way to fend off hackers and cyberthreats. Lillian Ablon, a RAND Corp. researcher and co-author of a study on cybersecurity, summarized it best when she said: “Cybersecurity is a continual cycle of trying to eliminate weaknesses and out-think an attacker. Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources, and research.”
When it comes to out-thinking a potential attacker, this is also where regular internal communication and training, as well as the staging of mock attacks and drills can keep your team on their toes and their skills finely tuned.
With Age Comes Wisdom
Prior to the worm of 1988, David Clark, a Massachusetts Institute of Technology (MIT) scientist who had a heavy hand in the early days of the development of the Internet, wrote a popular paper in which he expressed seven priorities he believed were important for the designers of the Internet.
Think about this: Nowhere in the paper did the word security even appear. It sounds ludicrous, doesn’t it? But such was the innocence, if you will, even the slightly “free love” thinking that was the backbone of the creation of the Web back then. It truly was “created for good,” and we can’t fault its masterminds for having such a gentile view of the gift they were giving the world.
Though he may have been late to the party, in 2008 Clark rewrote a list of priorities for the National Science Foundation, the first item listed was, unsurprisingly, security.
If you’re focused on security within your organization, the Dell Insight Team collaborated to produce an e-book on cybersecurity that might be of interest. It touches on the chief information security officer’s (CISO) role in cybersecurity, the different kinds of security attacks and some suggested countermeasures, mobile device security, cloud security guidelines provided by the U.S. Department of Defense, and the emerging science of digital forensics. Here’s the link to download the e-book.
Additional Resources on this Topic:
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.