Risky business Featured

8:11pm EDT October 2, 2011
Risky business

For two hours, Tom Reilly sat with Secretary Janet Napolitano, head of the Department of Homeland Security, to discuss the importance of cyber security and how to protect citizens from cyber attack. Today, the threat of cyber attack is an issue that affects more than just big business and government entities, but everyone.

“You read every week about another breach in the industry, whether it’s enemy nation states attacking our power grid, it’s a bank undergoing cyber fraud, credit cards getting stolen or identities,” says Reilly, who is the former CEO of the $181.4 million security and compliance solutions company ArcSight LLC, which was acquired by technology giant HP in 2010. “It’s happening. Clearly the traditional approach to solving security has not worked.”

In light of more high-profile security breaches at companies such as Google and Sony, it is also a problem for which new solutions are plainly needed.

“I talk to a lot of customers who have been investing in security technology for 20 years, spending a lot of money, and yet they still don’t feel secure,” Reilly says.

With technology advancing and changing exponentially, it’s important for companies of all sizes to reevaluate the security measures that they are using to protect their most valuable information, data and possessions.

“What’s interesting is cyber criminals do not distinguish between company sizes,” Reilly says. “They don’t distinguish between industry and they don’t distinguish between countries or public and private sector. They go after the softest target.”

Smart Business spoke with Reilly about how the security landscape is changing for the next decade and what business leaders can do to defend their companies from imminent cyber threats.

For companies that don’t have a risk management strategy, what is the first step in creating one?

I think the first thing is to know, based on your business, what is critical to protect. So if you are a healthcare provider, it’s patient records. If you are utility, it’s keeping up the power grid or protecting customer records. If you are a bank, it’s definitely protecting accounts from account takeover. So you need to identify what is critical to your business that you need to protect. Don’t take just a generic position ? let’s protect everything equally. Protect your crown jewels. Understand where that data, those systems reside and make sure that that data or those systems are well-protected, much more than the rest of your organization needs to be protected.

Which industries are at high risk for cyber crime?

The opportunity in cyber security is a global opportunity, affects companies that are small right up to the largest and it touches many verticals. In every vertical, I can tell you what it is that they want to protect, whether it be intellectual property, it could be financials, it could be customer data, it could be health records or it could be services like the power grids that have to keep power up and phone companies that want to keep phones working.

What are biggest cyber threats?

The most serious risk and the one that can have the most significant impact is one that is called ‘the insider threat.’ And the insider threat is not an attack from outside but it’s an employee in your organization who for one reason or another is a disgruntled employee. Yet you’ve trusted that employee with access to systems and sensitive data. The employee could be disgruntled because they are a poor performer and then they get fired. They could be compromised because somebody is bribing them externally for data, which we come across a lot. Or they could be getting blackmailed, which is also quite common. The insider threat is not only that they have access to the most sensitive information and they can do the most damage, but they are the hardest to detect.

The second area is the theft of intellectual property, and a lot of this is sponsored by enemy nation states who are trying to access intellectual property within companies that have leadership. By stealing intellectual property, you can gain a competitive advantage effectively. Intellectual property could be the designs of a new electric vehicle. It could be the designs of a new plant that’s being built. It could be the spreadsheets that rationalize a bid for a big mining project.

What can companies do to prepare employees for cyber risks?

Continual education is always needed. The reason it’s continual education is cyber criminals are always evolving. They are always introducing new techniques and new capabilities, and they are very, very patient. So they may take six months to a year targeting a specific company to penetrate that company’s network, to get code on there and to have basically sweeper agents that are monitoring what’s happening within a company.

When you start understanding some of these sophisticated things, you suddenly realize that you have to have continual training around what our security policies are, how you provision people to access systems, how you de-provision people when they leave the business. You have to have good rigor in enforcing those policies. You are only as secure as your weakest link. Unfortunately, now the weakest link is not technologies or computers, it’s employees often making inadvertent mistakes and bringing in malicious code into the environment.

How do risk management tools identify cyber security threats differently for businesses than other approaches?

It allows them to measure the amount of risk that they are taking or that they have in their IT environment. And once you can measure risk, you can invest money wisely to reduce or mitigate risk. So we’re changing the discussion from ‘Are you secure?’ to ‘What’s your risk posture?’ You can now look to a chief security officer and say, ‘What’s your risk posture? What’s your risk policy?’ and they can answer that concretely rather than ‘Are you secure?’ which is usually a yes or no. So risk deals with the gray.

What about security intelligence?

One of the assumptions you have to make to really effectively use security intelligence tools is you have to assume that you have been breached and that your network has malicious code or malicious users on it. Your job is to go discover them.

So if you assume that your perimeter has been breached and that either you have a malicious user inside or you have malicious code on your network and you say now I have to go find it, then that’s how you use security intelligence tools. You start listening and monitoring network activity. You start modeling how users use the system for the normal course of business, so that when anomalous use is occurring, it stands out.

How to reach: HP Enteprise Security, (888) 415-2778 or www.hpenterprisesecurity.com