Melissa Hathaway, President of Hathaway Global Strategies, LLC and Senior Advisor at Harvard Kennedy School’s Belfer Center wrote a great article yesterday about the myths of cybersecurity.
In a nutshell …
Myth 1: Consumer protection exists in cyberspace
Myth 2: Firewalls and virus scanners protect my computer and my enterprise
Myth 3: My government has the solution and will protect me
Myth 4: Physical assets are more valuable than information
Myth 5: Laws are keeping pace with technological innovation
I would like to especially call out Myth 2. There seems to be a false sense of security with installing firewalls, intrusion detection systems, virus scanners etc. within enterprise and industry. I have come across many situations within the manufacturing and control systems space where the engineers are totally satisfied with the security of their networks (as they have firewalls and virus scanners in place). However, what they don’t realize is that their network is still vulnerable and open to other forms of security breaches/ problems.
Security within a network is not just about physical implementation and should not be centered around it (which unfortunately a lot of people do). Security within enterprise or/and automation systems should be policy based with physical implementation (like firewalls and virus scanners) being one part of puzzle. No matter how big or small your network is, it is a good practice to have policies in place — you always want to be prepared for eventualities.
“Oops, I didn’t mean to do that!”
Security problems don’t just happen with viruses, it could be as simple as a factory worker accidentally pressing the wrong button, uploading the wrong ladder logic program, accidentally pulling out the wrong network cable from the network switch or accidentally dislodging the power cord.
Securitysearch.com gives a good definition of a “Security policy”:
“…a security policy is a document that states in writing how a company plans to protect the company’s physical and information technology (IT) assets. A security policy is often considered to be a “living document”, meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company’s security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.”
I would like to add to the Myth list –
“Myth 6: My network is 100% secure”
“Myth 7: Hackers always cause network security problems”
There is no such thing as a network being 100% secure. A good secured network is one that has policies/ steps to minimize loss of investment and control breaches/ exploits (purposeful or accidental).
There is also a common perception that network security problems always originate from the outside (from hackers or crackers). Not all security problems are purposeful, they can be accidental too and could originate from within the company. A good security policy accommodates and plans for internal and external occurrences.
To end this off, here are some steps companies should take to protect themselves:
1) Learn and educate yourself — Get a good understanding of the types of security threats you face in your environment
2) Do a risk assessment that reveals the crucial/beneficial areas of your network investment
3) Create policies and procedures that integrate security in accordance to your assessment
4) Integrate/ deploy up to date technical controls
5) Plan for eventualities and how to respond to them
6) Continually update/ revise policies
Of course, I am just scratching the surface here as network security has many facets to it. It does however give you something to think about and is something that can’t be taken lightly.
Do you have other Myths to add? Let us know in the comments area.
