“Trust no one” ─ at least in the cyber world. With the continued reports of high-profile data breaches at big-name companies, it seems like the only safe course of action.
Last week Peak 10 technology partner Cisco launched its annual security report. Not surprisingly, it noted that cyber-crime is increasing and cyber-criminals are becoming more sophisticated in their attacks. With the constant barrage of threats, it is increasingly difficult for IT security to keep up.
That presents a Catch-22 of sorts of many companies.
Cloud computing, BYOD and other trends are critical to many businesses’ success, but they also open these companies up to greater security risks. At the same time, the cyber-criminal network is strengthening and operating more like a legitimate, sophisticated business network. Cyber-crooks know how to look trustworthy but act otherwise.
Who Can You Trust
The Edward Snowden matter hasn’t helped, raising concerns about the presence and risks of unintentional vulnerabilities and intentional “backdoors” in technology products. The revelations about the National Security Agency’s mass data collection program have also eroded trust between countries, between governments and the private sector, between citizens and their governments and between citizens and organizations in the public and private sector. It seems it’s not safe to do business with anyone at any level ─ at least online or in the cloud.
What it comes down to is a lack of trust.
As the Cisco report points out, insiders are using their information-access privileges to steal intellectual property from their employers. Malware is being delivered to users legitimately browsing mainstream websites. Spam emails appear to be sent by well-known companies but link to malicious sites. Third-party mobile applications, downloaded from popular online marketplaces, are riddled with malware. Counterfeit IT products, masquerading as premium goods, often include hacker-friendly backdoors and other exploitable weaknesses. Cyber-criminals use the trust that exists between organizations to exploit one trusted business partner in order to target and exploit another unsuspecting trusted business or governmental partner.
In essence, security professionals cannot and should not trust any network traffic. Not surprisingly, they are hesitant to put much faith in the security practices of their technology vendors.
Ask the Right Questions
So how do we get back some level of trust in our technology vendors and products? There are no easy answers. The Cisco report does recommend that companies seek out technology vendors that are willing to be transparent and forthcoming in terms of how they will defend their products against security breaches.
How often do they upgrade their security software or patch vulnerabilities? Are they using the most sophisticated tools available to thwart attacks, or at least detect and stop them while in progress? Are their products frequently tested to see how they fare against the latest threats? If the vendor offers cloud services, are those services compliant with leading US and international regulatory requirements which often entail leading-edge security best practices? Are tried and true managed security services available to supplement existing security features?
Trust matters, but a company’s promise is insufficient. Verification of the trustworthiness of technology products and the vendors that supply them is essential.
It is also incumbent on companies to be vigilant about their own security policies and processes. Who has access to the network and what is the extent of their access privileges? Are employees trained in the latest security protocols?
There’s still room for trust in the IT world, but don’t let your guard down just yet.