EDUCATING THE EDUCATED: IN DENIAL OF DENIAL
Even the most educated CEOs and CFOs often view the IT Department as a cost center. The concept of security being a cyclical process can be a foreign concept to many that are not in the technology field. It takes time and energy to re-evaluate the vulnerabilities, risks and potential threats that can devastate an organization. In order to stay apprised of the latest methodologies of hackers, it also takes continued education. Many highly educated CEOs and CFOs believe they have done their due care, by making a one time investment in their company’s security program, in order to show stakeholders that they have complied with either; regulatory requirements, or the standards of their respective industry. Convincing upper management to continue to invest in the cyclical process of analyzing a network, and training the employees is a potential challenge for many organizations. The commitment will cut into the profits of the organization. After all, a successful company is a profitable company.
The good news is, most organizations are no longer in denial of the “C” word. It used to be taboo to even utter the “C” word, for fear they would be plagued by this terrible word; Compromised. A compromised network can cost a company millions of dollars in collateral damage, including: fines based on lack of regulatory compliance and the potential cost of credit bureau reports for clients whose information was breached. If 100,000 customer records are compromised, without adequate protection, the cost of credit bureau reports could be enough to put a company out of business. If the cost of a credit bureau report is $25 dollars, and reports are run twice a year for 5 years; that is $25 million dollars in collateral damage. The potential for that type of monetary loss, in many instances, is enough to get companies to invest in a risk assessment in order to mitigate potential problems.
In the basic scenario of a bank branch, in 1918 a risk assessment would uncover the most likely way the bank would be robbed. In the assessment it would have been determined that a gang could come into the bank with their “Tommy” machine guns and force the employees to open the bank vault. In order to mitigate the risk, the bank could hire a 20 year old guard. The guard would have a “Tommy” gun and stand guard at the bank vault. This solution would reduce the likelihood that the bank would be robbed.
The problem with the one time investment in risk assessment is, organizations aren’t taking into account that technology can change at a rapid pace. As technology changes, business functions will naturally change with the adoption of new technology. When business functions change, it introduces a new set of threats that can take advantage of the new vulnerabilities that are introduced with the new technology.
In our bank scenario, if we fast forward back to the year 2018, there are new ways of banking. People don’t have to physically come into the bank. We have online banking, thanks to the Internet. Online Banking allows a customer to access their funds without physically entering the bank. Online banking obviously introduces a new set of risks that could compromise the customer’s funds. Unfortunately, many organizations will never recognize the new risks because of upper management’s perspective on risk assessment. Even if time and resources are allocated to a new risk assessment, the methodology used will normally have a fundamental flaw.
Rather than analyze the vulnerabilities of the bank and examine the threats that could take advantage of those vulnerabilities; many people will ignore the threats because they know they have mitigated bank robberies in a previous assessment. In addition, they will not take the time to verify if what actions were taken, to mitigate the risk, are actually effective any longer. Unfortunately, our mitigation which included hiring a twenty year old security guard may no longer be a good solution. Our security guard is now 120 years old, and in the unlikely event he is still alive, probably won’t be able to lift the “Tommy” gun. The educated, need to be educated about the need to go through a proper risk assessment every year.
Upper management recognizes that their organizations need to do a risk assessment in order to protect their assets, but fail to treat the process as a cyclical event. By not investing the time and resources into proper risk assessments, upper management is in denial. Their networks could suffer attacks from new threats that can take advantage of the new vulnerabilities which are introduced with new technology. That denial could lead to: denial of service, loss of data, and potentially the financial ruin of the organization. It is true that the IT Departments are a cost center. Technically, IT Departments don’t make money for their organization; they save money. In order to save money, it takes an investment in training for the staff, and annual risk assessments.
In order to recognize and understand the vulnerabilities and threats, it is important to understand how technology works. There are numerous classes that are offered by EC-Council. Each class helps employees become more efficient at protecting their networks. A few of the classes include:
- Certified Ethical Hacker (CEH) demonstrates how hackers exploit vulnerabilities
- Certified Network Defender (CND) identifies ways to defend networks
- Computer Hacking Forensic Investigation (CHFI) explains how to collect evidence from an attack
- Certified Chief Information Security Officer (CCISO) helps identify risks and develop safeguards
The investment in training can help employees become better at defending their networks, by honing their skills at identifying vulnerabilities and the threats that can take advantage of those vulnerabilities. Utilization of the newly acquired knowledge will allow staff members to perform more detail oriented risk assessments, which could drastically reduce the likelihood of a security breach. The staff will be able to identify the previous mitigation techniques that are obsolete, and those that need to be implemented to enhance the overall security of the organization. As a result, the organizations will avoid the collateral damage associated with a breach of 100,000 records. The $25 million dollar question becomes, how can the highly educated deny the need for continuous training and a cyclical risk assessment process?