(Weekend Edition)
I was going to start with “Crisis of Confidence” but our executives are not lacking confidence,
I think it is a lack of understanding of theNEW reality of the conundrum we are in as far as Cyber Security goes.
This article is also in the language of the executives:
Why Cyberrisk Is Not Just an IT Issue, but a Legal One Too
The second paragraph sets the stage:
There are two reasons for cyberrisk: the ever present need for computers and the Internet in our society, and the power and number of those devices.
As per Cisco and Morgan Stanley the number of devices on the Internet by 2020 will br about 75 Billion (10 times the number of people on the earth conservatively)
The risk is in the incorrect or security riddled software and hardware developed so far for our use.
A programmer in the 70’s did not create a programming language with the Internet and security in mind. At the time the C programming language and UNIX operating system was being developed by Dennis Ritchie and Brian Kernighan: http://www.iups.org/media/meeting_minutes/C.pdf
Today the programming languages are built for interoperability not security.
Java is designed to be able to run on multiple operating systems and browsers, it was not designed with security as its focus.
The third paragraph says the human element is the good and bad: Connectivity creates major advantages for business operations but also creates great risk from cyber criminals The connectivity allows cyber criminals to operate and they have with great effect.
“Phishing attacks have success rates of 45%” according to Google.
With one click malware can download and you can lose access to your files with Ransomware, and now new ransomware can encrypt access to your favorite games (unless you pay $500-$1000). http://www.theregister.co.uk/2015/03/13/ransomware_video_games/?mt=1426362332394
So we have to build a security system on top of applications that are built to run easily and with little effort
Now the government has also gotten into the action with Net Neutrality.
The Register’s take on Net neutrality:
http://www.theregister.co.uk/2015/03/13/net_neutrality_rules/
So we come back to Cyber risk: No computer system is ever or will be truly secure. I hope you understand this.
How can we be legally compliant to the responsibilities of shareholders?
Only way to fully understand the latest compliance methods and regulations is to understand what your company may be subject to. HIPAA, PCI, financial (SEC, NASD, and more). If you are not aware of these regulations and then something would happen that is not a good defense in a court of law.
Even with compliance it of course does not make your systems secure, all you did was check the box for any legal attacks on you.
The article points out that here are 51 different breach notification laws at the state and territorial level with different definitions. When all of your security efforts did not work and a breach occurs there are yet more legal necessities to execute.
This is what i call the “Crisis of Thinking” If you want a website or want to sell products and accept credit cards it is no longer as easy as to contact the bank and set up the merchant account with your bank account.
Now PCI compliance rears its head with multiple requests and requirements.
Do you want to help the community and start a small doctor’s office? You will get the double whammy of HIPAA and PCI.
Everyone wants to connect to the Internet, and it is not just a “want” but a need more and more.
So who is under the understanding that nothing is secure, but you have to use methods and equipment to help you as much as possible just to barely stay afloat?
Check out this post: for help in devising better cybersecurity:
http://oversitesentry.com/more-sophisticated-attacks-we-must-up-cybersecurity/
http://oversitesentry.com/contact-us/
1 thought on “#Cyber Crisis of Thinking”