IT security is changing visibly in response to threats arising from the latest technological developments. Organizations must cope with more complex IT environments, including the rapid growth of web-based technologies in business (e.g., cloud computing, social networks, and mobile apps), the expansion of wireless technologies, the bring-your-own-device (BYOD) trend, and increasingly sophisticated cyberattacks. In March 2014, IDC's prestigious IT Security Roadshow brought together IT professionals, independent experts, and industry leaders to discuss the latest trends and developments that help organizations across all industries make smart strategic investments in IT security and improve the effectiveness of day-to-day operations. This blog offers a view of the event and presents key messages from conference speakers for manufacturers across Central and Eastern Europe, the Middle East, and Africa (CEMA).
Security holes in IT systems are not an issue until fraudsters, malware, or hackers sneak through them. The majority of companies report that they have some kind of IT security policy and a basic IT security solution (antivirus, firewall, etc.) in place, but this constitutes a rather passive approach to IT security. When it comes to more advanced IT security features that could pose a real hurdle to a direct attack, a strikingly high number of firms simply fail. The prevailing notion we see among Central and Eastern Europe (CEE) organizations, including manufacturers, is that antivirus and a firewall do the security job for them. An audience comprising mainly IT managers (the majority of them from organizations in the Czech Republic) attending the IDC Security Roadshow 2014 in Prague confirmed that they are likely to adopt a proactive approach to IT security only after they have faced a real IT security incident. In other words, they admit they are prepared to work in insecure IT environments in which they are vulnerable to direct attacks.
It is obvious that investments in IT security are unpopular and are often viewed by top management as not delivering added value. As a result, companies lack appropriate IT security budgets. The value of losses that were prevented may not always be easy for security stakeholders to demonstrate. Figure 1 shows recent audience responses captured at the conference. The results indicate that over one-third of organizations' top leaders are likely to underestimate the importance of IT security policies and solutions.
How can we prove that a new IT security solution is worthwhile? How do we even measure IT security? How much should we spend on IT security? Are we wasting money on IT security? These are some examples of the difficult questions that usually arise when managers discuss IT security internally. CIOs must know the answers in order to advocate the importance of IT security and to secure financing for its improvement. As line-of-business (LoB) managers are the leaders in the process field and the decision makers in IT support, the role of the IT department in delivering security expertise is naturally increasing in importance.
IT and the opportunities for cybercrime are too ubiquitous nowadays to maintain an ambivalent attitude to IT security. Neglecting IT security is not worthwhile and can cause serious damage to company data, assets, and goodwill. In manufacturing specifically, many critical plant-floor systems appear to be increasingly vulnerable to cyberattacks. What is worse is that the damage is often irreversible. You can never get back your stolen company data or ideas; you can hardly fix a faulty production batch; and it is very difficult to quickly restore a damaged brand image or trust among your business partners.
The examples of live hacking shown at the security conference clearly demonstrated how quick, easy, and cheap some kinds of hacking are. No wonder this was one of the most discussed presentations in the conference plenary. Whereas hackers target individual companies or accounts, malware can hit a large number of companies and users across the board. In another poll question, the delegates firmly confirmed that they really do fear malware attacks (Figure 2).
But, for the majority of CEMA manufacturers, employees still seem to be perhaps the biggest security risk. That notwithstanding, the good news for many companies is that, in this case, basic IT security can be substantially improved without any large-scale IT investments. A comprehensive IT security policy is the high-level framework that sets the rules of the game. For example, a lot of malware is spread within a company by internal users: browsing web pages, using public email accounts, and using their own hardware (flash disks, portable storage devices, etc.). Another quick-win initiative for improving IT security is the prevention of "social engineering" in your company. The objective here is to minimize the cases in which an attacker can obtain confidential information directly from employees. Many tricks by which fraudsters make employees divulge sensitive information (passwords, user accounts, IT security policies, etc.) are known and well documented, and that information is usually used later by cyberattackers. With the increasing deployment of machine-to-machine (M2M) solutions, radio frequency identification (RFID), and similar technologies, alongside the availability of scanning devices, an attacker in many cases does not even need to target employees; he or she simply needs to gain illegal access to a company's premises.
Third parties accessing companies' IT systems were mentioned as another frequent source of significant risk for manufacturers. When dealing with IT purchases, companies are exposed to the risks of subcontractors, especially those subcontractors that are effectively hidden. This is unfortunately a very common practice in IT. Many IT companies collaborate with various third parties and freelancers without having much control over them. The more subcontractors are involved in IT deliveries, the higher the security risk grows in proportion.
Just as business processes should be defined, analyzed, and described before a company even considers any IT support for them, investments in IT security solutions should be thoroughly planned and researched. It is expedient to map the IT environment and make the effort to identify and assess potential risks, identify your enemies, and uncover security holes before an expensive, complex IT security solution is deployed. It would actually be a huge mistake to spend large amounts on a solution (and its maintenance) that does not protect the company against actual or foreseeable risks. New IT security threats will always arise, but it is logical and practical to fight the most imminent threats first.
When the worst-case scenario arises and a security breach, malware infection, or large-scale attack happens, forensic IT solutions and services are there to help. The latest tools and skills of "forensic IT analysts" were presented and discussed at the 2014 IDC Security Roadshow. These can prove to be very valuable: the extent of a security breach can be readily assessed with these tools, and the attacker can be, at least partially, traced. In terms of IT security, there is nothing worse than a long-term hidden infiltration of internal IT systems.
- Martin Kuban, IDC CEMA