



Published: 02/10/2015
One of the positive peripheral results of the flurry of reactions to the movie The Interview was a media focus on cyber-terrorism. Recognition of cyber-attacks has been slow to evolve but is gaining traction.
In the United States’ last major threat-assessment document, prepared during the final year of the Bush Administration, the term “cyber-threat” is mentioned fewer than 10 times. Last year’s assessment, prepared by the Obama Administration, mentions “cyber-terrorism” fewer than 100 times. The recently released joint intelligence threat-assessment document mentioned cyber-terrorism more than 1,000 times.
C-SPAN recently televised the briefing to the U.S. House Intelligence Committee by the National Security Agency (NSA) and CIA. As redacted as I am sure it was, it was still chilling. Malware (most likely introduced by China years ago) has been identified in several locations in the infrastructure for the nation’s power grid and water purification and delivery systems. Although this specific threat has been neutralized, the idea of a foreign government or other groups planting a latent threat that can be activated when and if the mood strikes is very unsettling.
These are not simple, annoying denial-of-service attacks. One of the municipal power-generation facilities cooperated with the NSA and permitted activating the malware on one turbine generator control system. The program, once activated, took control of the turbine and forced it to run outside safe operating limits until it self-destructed. One can easily imagine the impact on a major city and the entire economy if this or similar incidents were to happen.
Last year’s data breach at Sony should raise the hair on the back of the neck of CIOs everywhere. The deluge of Sony’s intellectual property that was released was devastating. To add insult to injury, the content of hundreds of emails was also released. The emails contained less-than-professional discussions and opinions that the senders felt confident would never see the light of day.
No one should feel safe or invulnerable because he thinks his network and communications are secure and private. Any disgruntled employee or unscrupulous competitor can do harm that will prove difficult to contain and mitigate. Imagine all of your sales pipeline, quotations, customer list, and development information in the hands of someone with ill intent.
This concern extends to customers and suppliers as well. Issues can become exponentially more difficult to contain the further removed they are from your direct control.
Some common-sense approaches to avoiding cyber-breaches include:
• Train all your users in secure data best practices.
• Don’t open links in emails where the source is not trusted. (“Trusted” does not include jokes and YouTube links from your brother-in-law.)
• Train employees or, better yet, have IT enforce rules about browser settings, including which sites employees can’t visit and how spam filters should be set.
• Use anti-virus software and be sure definitions are current. Threats evolve every day.
• Treat communications and file transfers with care, no matter the source.
• Exercise caution with flash drives used by your employees and visitors.
• Use good judgment when accessing public WiFi and hotspots.
Companies should also have robust disaster recovery and backup protocols. Follow this with something meaningful in the way of process. For example:
• Daily backups
• Weekly backups stored off-site. If you can’t afford a weekly off-site or cloud-based service, at least move the media off-site to a secure place, such as a sister facility.
• Send monthly backups of financials and other important data to a secure storage facility whose primary business is secure data storage.
In the good old days, if you had a decent intrusion and fire alarm system in your facility and a security guard doing a drive-by or walking the grounds, you could sleep like a baby. We find ourselves in a very different and dangerous world today. People continents away who are bent on theft, destruction, and disruption of your business and the larger environment where it operates seem to have the cards stacked in their favor. A healthy business must be a visible and active member of the Internet and social media community. It will become increasingly challenging to balance your public persona and access against thwarting determined people who want to damage your business and your reputation.
I’m confident bright people will develop protective tools as fast as the bad guys find cracks in the armor or open virtual doors or windows. While all of this is being sorted out, all you can do is be alert, prepared, on the defensive, and resigned to deal with the fallout of short-term incidents.
In summary:
• Quantify risk, and apply and communicate controls.
• Develop contingency plans for the primary disruptions your business could face.
• Train your people to work in a 21st-century work environment safely and effectively.
• Open the lines of communication concerning cyber-security with your customers, suppliers, and local law enforcement.
As the late President Reagan was fond of saying, “In God we trust; all others we verify.”
First published Jan. 22, 2015, on the Quality Management 2.0 Blog.
Links:
[1] http://info.ibs-us.com/blog/cyber-security-and-threat-assessment-for-risk-assessment