Over the past few years, cybersecurity has become a huge concern for companies of all sizes, many of which have been victims of cyber crime.
It is widely thought that there are two types of companies, those that know they have been compromised, and those that have been compromised and aren’t aware. The security industry has responded by putting a greater emphasis on the need for more security professionals, in order to assemble a better arsenal to fight cybercriminals.
The increased focus by security professionals has also enlightened many IT professionals who may not have been as concerned. Until a few years ago, cybersecurity didn’t break the top 10 list of concerns for most IT departments, and it was buried even further at the C-suite level. However, recent events have helped push cybersecurity into the IT mainstream and increased the focus on building the knowledge necessary to fight the criminals.
Attacks on large corporations over the past year have made big headlines, leading to even tighter security. Retailers such as Target, Home Depot and Neiman Marcus have been attacked, and even the hospitality industry – in particular, PF Chang’s – is not immune from harm.
The result is an all-out arms race with cybercriminals. For the most part, the good guys are losing the war.
The security industry is responding by acknowledging that there is a shortage of training and a shortage of professionals to assist with fighting cybercriminals. At a recent cybersecurity conference, a panel of security professionals called for the largest certification companies to get together and create a common core approach to fight the problem. Although we are in the infancy of the cybersecurity career path, the bad guys are well ahead and not slowing down.
Cybersecurity has evolved from your teenage neighbor looking to hack into a company domain for fun, to state-sponsored, sophisticated attack methods aimed at stealing private information and even bringing down entire corporations or countries. The question isn’t “who is attacking”; it should be “who isn’t attacking.”
For example, it is widely believed that countries such as Russia and China have sponsored cyber attacks, but now North Korea and Middle Eastern countries are involved, as well. These attacks are activist driven, criminally motivated and well funded, but the groups behind them aren’t the only cybercriminals in the world. Corporate espionage is a growing concern, and your competition could be looking to steal your contacts and corporate secrets.
How we respond to these threats may be the difference between our business thriving or failing. IT departments have historically focused on building a strong perimeter to keep the bad guys out. While that still makes sense, the level of sophistication of cybercriminals continues to grow, and the days of simply hoping to keep bad guys out are over. A reactive security professional has already lost the fight.
Next-generation firewalls, intrusion detection systems, intrusion prevention systems, patching and monitoring are all good tools. In addition, security professionals should not overlook the threat from within. Monitoring should include data coming into the secured perimeter, as well as what is going out. The corporate employee could be the biggest threat of all for loss of information due to smart devices and thumb drives. If unchecked, bring your own device, or BYOD, is a very real threat to most companies. For example, a lost cell phone or iPad with confidential information could be costly in terms of lawsuits and reputation. In addition, the “Internet of things” – any smart device attached to a network – should be viewed as a possible threat.
Cybercrime is a real threat to all companies. Many smaller companies may think that they aren’t a target simply because they are small and not as well known, but with the automation of tools easily found on the Internet, everyone is at risk. Cybercriminals have moved beyond credit card information and are looking to steal your clients, trade secrets and maybe even your employees. Your organization’s board of directors needs to be involved in the company’s security decisions. The days of dismissing security as being too expensive are over.
Tom Aune, MCSE, CISA, is senior manager of information technology for PKF Texas. Contact him at (713) 860-1400 or email@example.com.