Threats and attacks against information systems are at an all-time high, according to Verizon’s fourth annual Data Breach Investigations Report (DBIR). The report measures data breaches based on compromised records, including the theft of Social Security Numbers, intellectual property, credit card numbers, and bank account credentials, among other things. Many of these attacks are launched by criminals who are targeting smaller organizations than ever before, and most of these breaches continue to result from security weaknesses that are relatively unsophisticated and easy to prevent.
The real issue here isn’t about technology; it is about the importance of having people with the right skills who know how to configure and implement the existing technology once they understand the problems.
Protecting an organization’s infrastructure and sustaining a secure environment against new threats from external agents who break in and install malware to compromise the confidentiality and integrity of servers pose many challenges, particularly for organizations that are smaller, softer, and less reactive targets than a financial institution. Criminals may be making a classic risk vs. reward decision and opting to ‘play it safe’ in light of recent arrests and prosecutions following large-scale intrusions into financial services firms, such as the theft of 130 million credit and debit card numbers from, among others, card processing giant Heartland Payment Systems. This could be one of the chief reasons behind the rash of smaller strikes on hotels, restaurants, and retailers, which represent a lower-risk alternative for cybercriminals.
While progress has been made in identifying and addressing security weaknesses, deficiencies persist. Every organization has access to some of the best software and hardware technology in the world, but according to the Verizon DBIR, 96% of the time, they do not have the right people who know how to apply these simple or intermediate controls.
The (ISC)² 2011 Global Information Security Workforce Study (GISWS) indicated that organizations need to hire information security professionals who have the proper balance between knowledge, skills, and abilities to effectively mitigate the risks associated with today’s digitally connected business environment.
Overall, the Verizon DBIR report found little change from year to year in the causes of cybersecurity breaches. Instead, the threats have more to do with not using, under-using, or misusing something old. The report’s recommendations include changing default credentials, reviewing user accounts, restricting and monitoring privileged users, implementing secure remote access services, and conducting application testing and code review, among several others.
As an observer of both the Verizon DBIR report and the (ISC)² GISWS, I firmly believe that organizations need to secure their vulnerable infrastructure from cyber attack. Whether you believe it is new technologies that can solve this problem or improved regulation that offers the best chance for greater security, it is still going to take the right people. Senior management should look to information security professionals who have attained a security certification, which validates that the individual has the knowledge, skills, and ability to defend an organization against possible breaches and build up its defenses.
Security management at smaller organizations, as well as large, should require a proper balance between certified information security professionals, policies, processes, and technology to effectively mitigate risk. You can have the best tools in the world, but if you do not have the right people to use them, then they will do your organization little good.
W. Hord Tipton, CISSP-ISSEP, CAP, CISA, is a member of the Infosecurity magazine editorial board and the executive director for (ISC)², the largest not-for-profit membership body of certified information security professionals worldwide, with nearly 80,000 members in more than 135 countries. In his current role, he is responsible for overseeing the management team and guiding the organization’s strategic direction in accordance with the (ISC)² Board of Directors. Before joining (ISC)², he served for five years as the chief information officer (CIO) for the US Department of the Interior, and received the Distinguished Rank Award from the President of the United States, the highest lifetime award attainable by a federal civil servant.