The Business of Security: Avoiding Risks

The Business of Security: Avoiding Risks

The Business of Security

Security is one of those IT concerns that aren’t problematic until disaster strikes. It might be tomorrow, it could be next week or next year. The fact is that poor security leaves businesses wide open for data loss and theft. News outlets just skim the surface, but hackers cost business up to $575 billion each year. What’s concerning for CIOs is that risk assessment is placed solely on the IT department, even if the breach stems from BYOD and other personal systems.

Encryption Isn’t Enough

security

The traditional school of thought – especially with SMBs – is to encrypt data and use SSL or TLS on public systems. While this protects from eavesdroppers, it doesn’t protect from creative cyber threats that often phish for legitimate credentials from employees or contractors.

The latest big-time hacks circumvented encryption defense. The recent OPM hack that gave cyber criminals access to data covering millions of government employees and contractors wouldn’t have helped. Encryption protects data from being seen by unauthorized users and eavesdroppers, but OPM hackers had valid security credentials. They mimicked real login attempts, which circumvent basic encryption.

Even following common standards isn’t enough as Target discovered in 2013. Target lost 40 million credit card numbers to hackers who penetrated their point-of-sale (PoS) systems. You might think that Target oversaw some security standard, but the company was PCI compliant. PCI compliance is the de facto in credit card processing security, and Target’s security followed all the requirements. Regardless of its security implementation, hackers were still able to find a hole in the system.

Both OPM and Target have two things in common – the security hole was created by their own employees and vendors who gave up security credentials to phishing malware.

Assessing Risks Across Internal Systems

CIOs are tasked with providing employees with more mobility and freedom across the network while still creating a secure environment that’s hacker-proof. It’s not an easy task when you’re limited to what you can lock down.

Bring-your-own-device (BYOD) policies are a good start. Mobility is one of the fastest trending benefits for employees. BYOD lets them use personal laptops, smartphones and tablets for business. It’s become a part of corporate culture, and it offers more flexibility for employees to work at the office or at home. Before CIOs can implement a policy, they need to know the risks.

Mobility offers flexibility for employees and hackers. Mobile devices are even more vulnerable to viruses than desktops since most people have antivirus software on a desktop but not a mobile device. This leaves mobile devices wide open as a vector for trojan or virus injection onto the network.

Mobility isn’t the only risk. Telecommuting also gives employees the ability to work from home and saves in office resource costs. VPN connections allow employees to connect to the corporate network from any personal device. Just like BYOD security risks, these desktops could house malware that then transfers to the internal network.

VPN and BYOD are two hot topics in corporate security, but there are numerous others. Before CIOs can assure protection from cyber threats, they first must document each mode of network connection and assess risks associated with them. Even if the internal machine is completely anonymous to outside traffic using a firewall, it can still house vulnerabilities. It’s a team effort to assess risk, but it’s also a prudent part of IT asset management.

Creating Security Policies

risk-management

With both VPN and mobility risks assessed, CIOs can craft security policies that focus on flexibility for teleworking while still protecting internal resources. MDM tools track the number of mobile devices. IDS software identifies rogue, suspicious network traffic. IPS software tests servers and software for any common security flaws. Find the right tools on the market that make risk management more efficient.

CIOs and security experts are still new to mobility, so the commonality between most businesses is piecing together a policy that works for the business. It’s tempting to lock down systems and remove mobility altogether, but this type of policy isn’t feasible in today’s mobile market.

Quarantining mobile hotspots from critical systems is one way to manage risk. Users can share and store data on a segmented part of the network away from sensitive data, servers, and workstations.

Your policy should implement granular authentication and authorization that matches users with data they need to know. Classify information, so then security roles can be assigned to authorized employees. While this won’t guarantee protection, it will limit the amount of damage in case of a breach.

Training Staff

One of the most important parts of risk assessment and IT security is training staff. Protecting data should be a unified effort between all employees, vendors, contractors, and outside visitors.

Training is an ongoing effort from IT security staff that should integrate well into the on-boarding staff process. It’s not a process that’s limited to just employees. All executives, managers and employees should understand the risks and work to protect data from cyber threats.

In conclusion, reining in assets and risks and then applying the right security management is a huge effort for any CIO. Whether the business is small and growing or large and revenue-generating, a security policy should be a line of business that strategically defends against cyber threats and hackers.

By Jennifer Marsh

This post is brought to you by The CIO Agenda.

KPMG LLP is a Delaware limited liability partnership and is the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. The views and opinions expressed herein are those of the authors and do not necessarily represent the views and opinions of KPMG LLP.

About Jennifer Marsh

Jennifer is a software developer and technical writer. She's written technical content for IBM, Rackspace, Adobe, and Udemy and continues to write articles that help people understand the life of a coder.

View All Articles

Sorry, comments are closed for this post.

Comics
Cloud-Based or On-Premise ERP Deployment? Find Out

Cloud-Based or On-Premise ERP Deployment? Find Out

ERP Deployment You know how ERP deployment can improve processes within your supply chain, and the things to keep in mind when implementing an ERP system. But do you know if cloud-based or on-premise ERP deployment is better for your company or industry? While cloud computing is becoming more and more popular, it is worth…

The Rise Of BI Data And How To Use It Effectively

The Rise Of BI Data And How To Use It Effectively

The Rise of BI Data Every few years, a new concept or technological development is introduced that drastically improves the business world as a whole. In 1983, the first commercially handheld mobile phone debuted and provided workers with an unprecedented amount of availability, leading to more productivity and profits. More recently, the Cloud has taken…

2017 Brings DLP Technology and IoT’s Weaknesses to Light

2017 Brings DLP Technology and IoT’s Weaknesses to Light

DLP Technology In regards to data loss prevention (DLP), in the last five years many companies rushed to implement DLP solutions without taking the time to first identify the data that should not transit egress points. Most of these rushed implementations have not been successful. Security analysts, in particular 451 Research, have been recommending that…

The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” effort: finding a cure for cancer. The term “moonshot” comes from one of America’s greatest achievements, the moon landing. If the scientific community can achieve that kind of feat, then surely it can rally around…

Cloud Native Trends Picking Up – Legacy Security Losing Ground

Cloud Native Trends Picking Up – Legacy Security Losing Ground

Cloud Native Trends Once upon a time, only a select few companies like Google and Salesforce possessed the knowledge and expertise to operate efficient cloud infrastructure and applications. Organizations patronizing those companies benefitted with apps that offered new benefits in flexibility, scalability and cost effectiveness. These days, the sharp division between cloud and on-premises infrastructure…

Using Private Cloud Architecture For Multi-Tier Applications

Using Private Cloud Architecture For Multi-Tier Applications

Cloud Architecture These days, Multi-Tier Applications are the norm. From SharePoint’s front-end/back-end configuration, to LAMP-based websites using multiple servers to handle different functions, a multitude of apps require public and private-facing components to work in tandem. Placing these apps in entirely public-facing platforms and networks simplifies the process, but at the cost of security vulnerabilities. Locating everything…

The Future Of Cloud Storage And Sharing…

The Future Of Cloud Storage And Sharing…

Box.net, Amazon Cloud Drive The online (or cloud) storage business has always been a really interesting industry. When we started Box in 2005, it was a somewhat untouchable category of technology, perceived to be a commodity service with low margins and little consumer willingness to pay. All three of these factors remain today, but with…

Through the Looking Glass: 2017 Tech and Security Industry Predictions

Through the Looking Glass: 2017 Tech and Security Industry Predictions

2017 Tech and Security Industry Predictions As we close out 2016, which didn’t start off very well for tech IPOs, momentum and performance has increased in the second half, and I believe that will continue well into 2017. M&A activity will also increase as many of the incumbents will realize that they need to inject…

Having Your Cybersecurity And Eating It Too

Having Your Cybersecurity And Eating It Too

The Catch 22 The very same year Marc Andreessen famously said that software was eating the world, the Chief Information Officer of the United States was announcing a major Cloud First goal. That was 2011. Five years later, as both the private and public sectors continue to adopt cloud-based software services, we’re interested in this…