Imagine a monkey with a bunch of bananas. Now imagine a
monkey with a bunch of bananas trying to defend them from another monkey. I’m
sure he would put the bananas behind him and keep his eyes on the other monkey
trying to steal his bananas. Well now imagine a monkey with a bunch of bananas and
some other monkey friends helping him to try to defend the bananas from another
monkey. The first monkey has his eyes on the monkey trying to steal the
bananas, but who is watching the monkey friends? This is the problem with IT
network security.
I saw an article today written about a security survey
provided by Bit9. You can read the story here.
There were a lot of interesting numbers in the survey that stuck out to me.
Most interesting to me? Nearly 2/3rds of IT security professionals worldwide
think Anonymous or another hacktivist group will attack them in the next 6
months, but only 1/3rd of the same people feel an employee is a
likely threat.
It seems to me we are watching the wrong monkeys. Not that
we can ignore the “professional hacker”; of course we have to secure the
network. Firewalls, NAC, and VPNs all play a part, but later in the article it is
reported that only 11% of the security professionals worry about the common attack
methods used by hacktivist groups. The biggest fear of attack by 62% of the IT security
professionals surveyed is targeted attacks. Targeted attacks are things like
malware and phishing attacks.
So unless an IT department is installing malware, it seems
to me that this is being loaded by the end user. So while watching the monkey
trying to steal our bananas, and trying to keep our company off the evening
news, we let the other monkeys steal our bananas, and put our company on the
evening news.
Ford Motor Company used to have a motto in the 80s, “Quality
is job one”. Today all companies should have the motto, “Security is job one”.
Security is everyone’s job, not just the security division of the IT
department. What do you secure? The PCs? The servers? Hardware? Software? I say
the data. We live in a world of always on, always connected, always working.
So however we access the data, wherever we access the data,
whoever accesses the data, we have to secure the data. Everyone has to secure
the data, from the CEO to the janitorial staff. More sensitive data is viewed inappropriately
because of passwords on sticky notes or non-shredded business documents than because of hacktivist
attacks.
Watch the bananas, Monkey, watch the bananas…
I preach securing Data at my Boeing job. It's about the damn data!