Business Technology: It's Time To Stop Playing Chicken With Cybersecurity
Why are so many of us doing so little about cybersecurity? Why do so many companies continue to tolerate unsecured systems? Some insight might lie in the research done by a physician in Vienna, Austria, more than 150 years ago, Bob Evans says.
So last time we kicked around some scenarios about the forthcoming epic, "The Invasion of the Trial Lawyers," where the zombies aren't the human kind but rather the systems kind--to be precise, the "unsecured systems" variety. The variety that's open to detection, attack, takeover, and the hosting of malicious activities, all traced not to the actual perpetrator but rather to the unsuspecting and, it must be said, utterly irresponsible owner/operator of that thing we used to call by the bland and nonjudgmental name of "unsecured system" but that is rapidly becoming the much more loaded metaphor of time bomb.
Now, it would be reasonable to ask, "After all the terrible worm and virus and other types of attacks over the past few years, and the billions and billions of dollars it cost to clean up those messes, and the utterly astounding business risks incurred in such attacks, what company here in the 21st century would be so stupid--so moronically unthinking and irresponsible--as to leave systems unprotected? To leave known flaws unpatched? Who would allow this to happen?"
Well, let's take a look: a new worm whose "payload threatens systems worldwide" and "combines multiple vulnerabilities" was discovered a week ago, and take a guess how it's getting inside the Windows systems its targeting: It scans for unpatched systems. And it's finding lots of those, in spite of the fact that fixes for both vulnerabilities are available from Microsoft via its Windows Update service.
What will it take for all of us to adopt rigorous processes of appropriate hygiene? What has to happen before CIOs and CEOs and CFOs begin to treat these potentially massive exposures as seriously as they now regard financial practices? How massive will the damage and destruction have to get before they say, "We need to do something about this!" Of course, they'll probably first say, "Why didn't YOU do anything about this," but that's beside the point--the day of reckoning is coming, and we need to look inside ourselves and ask: when it hits--a colossal, devastating, deeply malicious virus that will combine the worst features of all previous attacks and roll them into one new plague that will dwarf those others--will we be prepared? Will our company be safe? Will our operations be inoculated, will our customer information be secure, will our partners' hygiene be as solid as ours? Or will we see our company's name in headlines for weeks, associated with charges of wanton irresponsibility, reckless disregard for the privacy of its customers, archaic processes, shameful lack of preparedness, shoddy business practices, backward thinking, and all of those other types of character traits that cause investors to dump at any cost? And customers to take their business elsewhere? And if you've done so much as a nickel's worth of business in New York State, then you can expect to see Eliot Spitzer rub his hands with glee as his crew starts sending out the subpoenas, drawing up charges, and applying the boss' pancake makeup so he can go on national television and explain how he Will Not Stand for such malfeasance and neglect of duty, and how nothing short of an exhaustive internal probe will suffice? Yeah, that's gonna be a fun press conference to watch with your CEO, especially the point where he turns to you and says, "Please tell me this couldn't possibly happen to us," and he couldn't be more earnest except for the fact that he doesn't really mean "please."
Is your company prepared? Do you have unsecured systems?
More parochially, do you have a head of information security--someone with that formal title, and that formal responsibility? Do you have one throat to choke, or are your security practices and enforcement still headed by a cross-functional task-force that's overseen by a blue-ribbon panel? Do you have instant access to audits of all your systems offering 100% certainty on whether they are secure or unsecure? As your wireless devices have exploded in overall volume and types of device, and as their access to all manner of corporate information has soared, have your overall hygiene processes kept up? Are your wireless systems as impenetrable as your wired ones? How credible an answer could you give your CEO when the question comes up: Could this happen to us?
And here's another source of intense heat that could be coming your way: your technology vendors. As they begin to become secondary but by no means trivial targets of massive lawsuits triggered by the sabotage of unsecured systems by hackers to wreak havoc on other companies' operations, the plaintiff lawyers will ask, "Who made the hardware that was so easily compromised? Who made the software that was so easily hacked? Who made the networks that were so easily breached? Clearly, they're all to blame, and even more clearly, we will go after every last one of them." So is it feasible to at least consider that a software vendor facing such potential risk might want to get some idea about the levels of preparedness among its customers? Would a software vendor, looking to cover its own legal keister, have the right to ask you for an audit of the security of your systems? And based on the results of that audit, would it have the right to slot you in one of several risk categories--off the charts, dangerously high, scary, iffy, not bad, solid, very good, and impenetrable--and then base the license fees it charges you on your grade? Or could it institute a "security-risk surcharge" that you'd be forced to pay if you wanted your license to remain valid?
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.