“In this business, by the time you realize you’re in trouble, it’s too late to save yourself. Unless you’re running scared all the time, you’re gone.”
Relentless hackers infect millions of personal records by exploiting a tiny hole in the protective wall surrounding the Internet. A mid-level analyst, frustrated that his warnings of system vulnerabilities went unheeded by management, goes rogue and makes them pay for not listening.
A disenfranchised employee steals company secrets and shares them with the competitor. A happily employed manager connects to the company system from a local coffee shop and unknowingly exposes sensitive corporate data to unseen eavesdroppers who just hit the jackpot.
Each time news breaks about another high profile security breach, or a cleverly named virus is unleashed on the Internet, the mad scramble for better security ensues. No one wants to be next. But where to spend limited security dollars is a challenging question.
While some attacks are clever – even innovative – many more are surprisingly unsophisticated, leaving executives scratching their heads in frustration because they didn’t see it coming.
Should we change the locks or replace the roof? Should we retrain our employees or replace their mobile devices? Should we reinforce our firewalls or hire more security personnel?
Like guards on castle walls, IT security systems patrol and protect the corporate empire and its electronic treasury. They do reconnaissance on system activity, monitoring devices, users, authentication attempts, activity patterns, and on and on.
Despite advances in these systems, preventing and protecting against every potential threat and attack is impossible. There simply are too many interconnected components, combined with fallible human users, creating a security surface that is too complex and porous to defend in its entirety.
And there’s no crystal ball in security.
Even the smartest machines can’t predict what type of future attack is on the way. No one saw Heartbleed on the horizon. And hackers never stick around their own crime scenes, so by the time businesses step up security to protect against the latest attack pattern, the risk has already changed, and new anxiety about what’s next sets in.
The threat from within – whether malevolent, like the NSA breach, or inadvertent, like a stolen or lost laptop – is much more common, much harder to sniff out, and can do much greater damage. No machine can get inside the head of an angry ex-employee or prevent someone from leaving their device in a cab.
There is hope, however, and smart companies are turning to data for answers.
Innovative data strategies can augment a company’s ability to predict and prevent security lapses, and help executives prioritize security spending:
- Storing loads of information about system access and communication patterns, big data style, can provide new security insights, highlighting changes in behavior and differences in behavior among peers or devices in the same role.
- Including non-IT data in the company’s overall security profile, such as employee profiles, resignations, terminations, employee sentiment, and contractor profiles, could help tip off management to a rat in the ranks.
- Monitoring employee sentiment and feeding that data back into security systems can provide effective predictive analysis.
And old-fashioned information strategies remain essential:
- Sharing data about internal cybersecurity events with other firms in your industry or beyond can help identify current prevalent threats and patterns.
- Assessing the security capabilities of business partners and requiring their compliance with security polices can close a large hole in your security blanket.
- Reexamining and adjusting access privileges might prevent inadvertent misuse of data by employees, responsible for over one-third of information losses.
- Finally, creating and communicating policies around the appropriate use and protection of corporate data is the all-important first step to achieving better security.
Save yourself before trouble arrives. Feed your machines and your people with better information to make them more effective stewards of your corporate treasures. Rather than running scared, leverage data to run safely.
Originally published in SmartCEO Magazine, July/August 2014