Waging war on cyber threats

The Obama Administration did what many in the political and national security arenas have been advocating for some time – make Cybersecurity its own Department of Defense command on par with Central Command, the organization led by U.S. Army General David Petraeus in charge of all military operations in Iraq and Afghanistan.

The move couldn’t come at a more appropriate time, especially given the recent Wall Street Journal report that cited Internet attacks against specific, mission-critical defense programs as well as the U.S. electric grid are growing in numbers and sophistication. The danger is real, and, what’s more, is not merely limited to national security targets.

Companies of all shapes and sizes suffer from similar attacks and deal with these same issues every day. While no one typically dies from such actions, compromised information networks can put an organization’s very life in jeopardy. What’s more, the threats are as varied and as numerous as any terrorist operation. Swift action is required, and here are three ways firms can take the lead of recent U.S. government actions:

1. Give it its due
Talk is cheap and security policies are only as good as their execution. Due care and monitoring is in order. The risks and liability are too good otherwise. What that means is that not only do CIOs and CTOs need to be involved in setting and implementing cybersecurity programs, but so should the rest of the executive team and, for that matter, all employees.

2. Set priorities
Often times the biggest reason security policies and practices fail is in their approach to solve all the problems at once. Doing so can stretch resources too thin to be effective. The key is to set priorities as a function of the level of risk to the organization as well as the company’s ability to scale. A periodic reassessment is also a wise move. Cyber threats are continually evolving, and so should an firm’s network security posture.

3. Coordinate efforts
While security IT folks are the natural choice to lead efforts, they will by no means be the only ones involved. The ideal situation would be for all departments to have a designated representative coordinate efforts within and outside their area. Herein lies the challenge for any company – policies and practices will often transcend areas of responsibilities for individuals and managers, and failure to make security practices seamless across these lines will create vulnerabilities that hackers seek to exploit.

Taking it a step further
If nothing else, the recent move by President Obama and the Defense Department is a strong reminder of the importance of companies giving network security its due resources and concern. But simply creating a “Chief Security Officer” or “IT Security Czar” position is not enough. Organizations must set up a robust infrastructure that can meet the following criteria:
Flexible – Companies need to make sure their security products and network infrastructures are robust while also easy to implement. If set up times are extensive, such systems could be obsolete before they’re up and running.
Scalable – An organization’s IT security system must also be able to grow when the company does. If not, time and money will surely be wasted.
Cost effective – Maximizing the return on IT investment is important, and that means companies must do their homework to identify system and solutions that are right for their environment, and not necessarily default only to the vendors that are better known.
Support – Regardless of solution, organizations must make sure their partner provides subject matter experts and product specialists that can get them and their team over issues in rapid fashion.

Keep this in mind if nothing else – companies and government organizations are just as much at risk for attacks. Though they may stem from different groups for different reasons, the impacts can be just as damaging.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss