At a recent technology breakfast, I heard an attendee ask a speaker about an approach to modernize security. The question reminded me of a thought I’ve had often: You can’t build without a foundation.
Modernizing security sounds like a great goal, but the reality is, most organizations are still struggling with the basic elements of securing information and information assets. New tools and technologies can make a big difference, but organizations must first deploy sound policies and processes to protect data and information assets.
All breaches can be traced back to the action or lack of action of a human being, so that’s a good starting point.
- A hacker exploits a known vulnerability. How? A system administrator did not apply a patch.
- A web application is broken into and personal information is stolen. How? A developer wrote the code with no eye to security, and did not include security in the testing prior to deployment.
- A nefarious user remotely turns off your refrigerator. How? You never reset the password from the manufacturer’s default setting, which is publicly available on the Internet.
New technologies – same issues
As new technology is implemented and the application of technology pervades every aspect of our lives, we can easily come to think that new countermeasures are required. First, though, we still need to think about how we lock the digital “filing cabinet” to make sure information is not exposed or altered.
In reality, most organizations won’t realize the full benefit of spending their limited funds on new cyber tools if they do not apply basic security principles first. These basic principles are the key to preventing a large percentage of breaches and attacks. Chief among these are:
- Controlling access through strong identification and authentication
- Safeguarding data through the use of strong encryption
- Practicing good hygiene – applying patches, securely configuring devices, etc.
The focus on securing computers pre-dates the Internet, going back to the work done by the National Computer Security Center in the 1980s. The guidelines and standards developed at that time, which introduced the Confidentiality, Integrity and Availability model, still apply to any technology used to process and store information, whether it be a mobile device, a sensor, a process control system, etc. The requirement for “trusted distribution” was identified in those early standards, but today we refer to it as “supply chain risk management.”
The basic tenets of securing systems and data still apply. They just need to be interpreted and adapted to new technologies.
Do you know if your organization has the proper controls in place to safeguard your data and information assets? Do your employees understand their roles and obligations in minimizing the risk of a cyber-breach?
CGI recommends conducting a baseline assessment of your security program to identify gaps and areas of improvement and make updates to the program as your business changes or new threats are identified. Cybersecurity is a daily challenge, not a task you can finish—but failing to approach it systematically is a risk no organization can afford to take.
About this author
U.S. Cybersecurity Practice Lead, CGI Federal
Jim supports CGI’s cybersecurity practice in managing the delivery of security consulting, engineering, advisory and managed security services for U.S. clients. He drives cybersecurity business development in government and commercial markets, and contributes to CGI's cybersecurity and cloud strategies by leveraging his depth of ...