Iridium Interactive Blog


Data Security Unplugged


I was fortunate to be a chosen delegate at a recent International Conference. The Conference on Data Security was organized by DSCI – Data Security Council of India. This body has been set up to work on systematizing the processes of Cyber Information Security and controlling Cyber Crimes.

Ensuring the security of data and content is of paramount importance – laws and rules can do only so much. There is no gainsaying that organizations will have to build, maintain, implement and follow the required processes and methodologies themselves.

With e-commerce set to grow by leaps and bounds in the coming years, the need for secure systems with the appropriate checks and balances will increasingly be felt across organizations and sectors.

In the midst of the global economic downturn and the resultant low business sentiment, there may well be a focus on driving business needs more aggressively – possibly by cutting a few corners and turning a blind eye to some business happenings. In such a climate, business owners might not devote the needed time and attention to Data Security and to maintaining high standards of Information Security in their organizations.

This lower focus might be just the opening that unscrupulous operators of cyber crime are waiting for to inflict a knockout punch and add to the market misery.

I have attempted to capture some key elements that would be of relevance across borders and organizations. These may not be exhaustive – but are directional and will help personnel involved to understand the intricacies and possibly drive the thinking in organisations.

Five Steps towards Building organizational Cyber Security

1.  Employee Training – on Cyber Security needs
Raising the security awareness of associates, employees and stakeholders through effective training conducted periodically is a positive way to ensure that security stays on their radar and is reflected in their working behavior at all times.

Employee training is not only a requirement for most businesses, but also one of the best ways to minimize the organization’s exposure to the most damaging type of security incident – the unintentional one caused by uneducated or careless employees.

Many current attack methods depend purely on the behavior of unsuspecting users: an employee clicking on a malicious link or executing a harmful program, being lured to a harmful website, or doing something as innocuous as plugging in a USB drive.

2.  Periodically enforce testing of operating systems, networks and applications
Most organizations do simple external network and operating system vulnerability testing, which is a good way to identify Internet-facing exposures. However, these basic vulnerability assessments and penetration tests do not perform application-level testing, and the application layer has become a common avenue of attack.

Two application-level attacks increasingly used in cyber crime are SQL injection and buffer overflows. Application-level testing can identify poorly designed and coded programs (such as home-grown applications and online banking programs) that are susceptible to these types of attacks.
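To make the SQL injection point concrete, here is an added example (not code from the original post) that places a vulnerable login query beside its parameterized form and runs both against a constructed in-memory SQLite table. The usernames, passwords and the test input are all made up for the demonstration; the point is that the same malformed input which fools the concatenated query is treated as plain data by the bound query, which is exactly the defect application-level testing is meant to surface.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not real credentials).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # BAD: untrusted input is spliced straight into the SQL text, so quote
    # characters and comment markers in the input become part of the query.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # GOOD: placeholders let the driver bind the values as data; the query
    # structure is fixed no matter what the input contains.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions on a normal login and on a malformed username."""
    conn = make_db()
    normal = ("alice", "s3cret")
    # A username carrying a quote and a comment marker, the kind of input an
    # application-level test sends to check whether input reaches SQL as code.
    malformed = ("alice' --", "wrong-password")
    quoted_name = ("o'brien", "pw")  # legitimate input that merely contains a quote
    return {
        "vuln_normal": login_vulnerable(conn, *normal),
        "vuln_malformed": login_vulnerable(conn, *malformed),
        "safe_normal": login_safe(conn, *normal),
        "safe_malformed": login_safe(conn, *malformed),
        "safe_quoted_name": login_safe(conn, *quoted_name),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

In the vulnerable version the password check is commented out of the statement and the malformed username is accepted; in the parameterized version the same input is simply a username that does not exist, while a legitimate name containing an apostrophe still works. The fix is the parameterization, not input filtering, which is why code review and application-level testing should look for string-built queries rather than for a list of bad characters.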

3.  Always do security testing and validation of newer technology before deploying it
In today’s changed landscape it is absolutely essential that designers and developers strictly test and validate newer technology rather than resort to hasty implementation. The usage of new tools across Web 2.0, P2P, virtualization and cloud computing is growing rapidly.

2008 witnessed a strong adoption of virtualization and a gradual rise in cloud computing. However, cloud computing will be a major security concern among security professionals in 2009. This influx of new technologies, both business and consumer, has opened additional avenues for cyber attackers to steal trade secrets and confidential business information. It is certainly attractive to be the first to launch a new tool or application and stand out from the crowd, but it is better to be safe and a tad slow than to be sorry in haste.

4.  Have a mobile device policy for employees
It would not be far from the truth to state that very few companies have successfully implemented a detailed policy for the usage of mobile devices within their premises and outside the workplace.

PDAs, Blackberrys and thumb drives have become common in the workplace. However, many companies have no way to monitor what kind of information employees and users store on them. Employees need to be educated on what should and should not be on a device used outside the workplace. Proprietary, private or financial information should be stored only if absolutely necessary. It is also important to protect sensitive information with passwords in case such a device is lost or stolen.

5.  Use care while using social and professional networking sites
Social networking has gathered momentum with added features in applications like Facebook, Orkut, LinkedIn and a slew of others. 2008 also witnessed a slow rise in attacks on these applications, and 2009 can be expected to see a rise in the use of social networking websites to spread malware. An indication of this was observed in August 2008 when Facebook admitted that up to 1800 users’ profiles were defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry.

To summarise, it behoves each and every user, regardless of rank, designation, technology savviness or location, to be wary and cautious in their usage and to watch out for any slip-up that could jeopardize the business’s efforts in a single click.
