How to avoid a hack
By David Senf and Brian Bourne
Most Canadian businesses today will experience an IT security breach,
which is why apathy is not an option. They cannot afford to become
desensitized to the seemingly endless discussion of vulnerabilities and
In today’s landscape where defending against threats continues to be a high priority, the top issues facing the North American security industry include:
• Rising complexity of hacking attacks
• Developing best practices to cope with new technology
• Privacy regulation and compliance
• Lack of security awareness
• Identity theft
In order to shield themselves, businesses must understand the threats they face and develop stronger corporate policies.
However, according to recent research from IDC, only half of Canadian
firms have acceptable use policies (AUP) in place for their employees
to follow. Further, only one in three firms communicate these policies
with any frequency.
Another survey, which polled attendees of SecTor (Security Education
Conference Toronto), a conference that attracts leading members of
Canada’s IT security community, echoed IDC’s findings. Respondents
expressed concern over a lack of strong management leadership and of
employee security knowledge.
Rising complexity of hacking attacks
Despite this complacency, attackers targeting corporations continue to
devise crafty and ingenious ways of exploiting flaws in enterprise
infrastructure. Today’s attackers are becoming much stealthier and can
often bypass security without using sophisticated technology at all.
Many have adopted no-tech hacking tactics (a phrase coined by
professional hacker Johnny Long) such as shoulder surfing, Google
hacking, vehicle surveillance and dumpster diving.
But it is the more innovative attacks that rely on emerging technology
that have fostered an open discussion about the need for best
practices. One emerging technology that requires more attention is
Radio Frequency Identification (RFID). Most companies do not understand
the extent of RFID security risks, and thus do not have adequate
protection from the attacks associated with its use. This has not
slowed RFID adoption, and companies will need to develop education
strategies and best practices to mitigate many potential security
Whether stored on laptops, USB keys or on the back end, companies need
to ensure that data — should it land in the wrong hands — is not
accessible. With looming underground security threats such as identity
theft, spamming, phishing and corporate espionage, combined with the
often overlooked “insider threat,” companies cannot afford to have lax
security practices or policies.
Need for training
Very large organizations in already heavily regulated industries have
likely spent significant time and money addressing security issues.
Legislation such as the Canadian Privacy Act and the Personal
Information Protection and Electronic Documents Act (PIPEDA) is a
positive first step in providing the impetus for companies and
government to bolster IT security, but much more still needs to be
done. And too many organizations are mistakenly convinced that they
already have the necessary protection in place.
From a practical point of view, companies can’t devote all of their
time to security concerns. However, they should be taking a closer look
at their data assets and where those assets reside to determine which
employees need specific security training. This process should involve
everyone, from the IT system administrators to C-level business
Successful security awareness training, buy-in and enforcement start
with effective leadership. Executives and management personnel across
Canada need to significantly step up their efforts. Security education
should also include policies that are incorporated into employment
contracts, and the implementation of formal policies designed to
reduce the incidence of
By participating in security blogs, message boards and conferences, IT
professionals can hone their security skills in a more immersive,
community-based way. Other employees need ongoing updates from HR and
IT detailing what they should and shouldn’t be doing with passwords,
their laptops, the network, and other digital assets.
Throughout Canada, a number of dedicated user groups and education
conferences are available to enable IT professionals to stay on top of
the latest IT security threats and defenses. In Western Canada,
CanSecWest Vancouver runs annually in the spring. For central Canada,
TASK (Toronto Area Security Klatch) offers monthly meetings free of
charge, and the annual Toronto-based SecTor security conference in
October brings together security experts from around the world to
discuss the most recent IT issues.
At the end of the day, comprehensive IT security involves an ongoing
process that must encompass technology, process and people. Companies
need to carefully assess the impact of security threats, maintain
compliance with myriad legislation and keep employees out of trouble
while balancing costs relative to risks. To better combat threats, it
is critical that companies address internal apathy and continue to make
security a higher priority.
David Senf is Director of Research, Canadian Security and
Infrastructure Software, for IDC Canada. Brian Bourne is the co-founder
of Black Arts Illuminated Inc.