CIA: Who is watching out for you?

CIA: Who is watching out for you?

It’s time for IT security teams to be more vigilant and start behaving like the CIA, argues Adam Neale

For most people, the acronym CIA refers to the Central Intelligence Agency, that shadowy organisation that looks after US intelligence matters. It’s the same agency that conspiracy theorists accuse of being complicit in many of the country’s worst moments in history.

For technologists, CIA stands for something completely different – confidentiality, integrity and availability – three things that are crucial to the security of your business.

Let’s break this down. Confidentiality refers to the ability to hide information from unauthorised people. You can do this through cryptography or encryption.

Integrity ensures that data remains unchanged and is an accurate representation of the original documentation. And availability guarantees the information is readily available to authorised viewers.

This triad allows those dealing with technology-based security issues to actually act like a CIA agent and follow the signals sent by a company’s security software.

How do you follow security software signals?

You put the right people in place to monitor security alerts. The best thing an organisation can do is nominate a trusted administrator who is alerted every time a server goes down or a dodgy Russian bride or Nigerian prince sends an email and accesses the system.

The nominated person may be the document owner, a security officer, a manager, or even the GM and they should determine who is on the security list.

Think of the nominee as the bouncer at the door of your favourite nightclub (when you were partying hard through your late teens and 20s). Nightclub security is some of the most stubborn in that industry – you won’t get past them if you’re looking a little suspicious. That is what you want from your gatekeeper – stringent checks and ruthless monitoring of who comes and goes.

This doesn’t always work as evidenced by the atrocious monitoring by Target staff in 2013 when they missed the biggest retail hack in history.

When some bright spark installed malware in Target’s security and payments system to steal every credit card used at the company’s 1,797 US stores, it left customers extremely vulnerable.

Despite some of the most rigorous security measures undertaken by any global entity and alerts from security company, FireEye, that looks after the Pentagon, Target’s security officers missed their mark.

In fact it wasn’t until they were alerted to the breach by the US Department of Justice that they knew anything was wrong. This is despite FireEye’s alerts from 30 November and more from 2 December, when hackers installed yet another version of the malware.

Those alarms should have been impossible to miss. The signals went off before hackers had begun transmitting the stolen card data out of Target’s network.

So what happened?

Someone in Target’s security team feel asleep at the wheel, missed the signals and cost the company hundreds of millions in compensation to the 70 million customers who had information stolen.

Moral of the story: be vigilant and put the right people in place who can uphold those values of confidentiality, integrity and availability.

You need protocols

Think of the protocols of a security company. They install an alarm, which is activated and a representative will either come out to your location or call you.

The security monitor in these organisations knows what the role is and carries it out efficiently. This is what you want from people looking after your IP: the need to understand what their roles are and clear guidelines to follow when the signal goes out.

If you have multiple documents that require protection, put in place a range of different alert administrators and default actions. If a document is shared inappropriately, you can turn off the sharing, override it and then reauthorise. You need flexibility, because the document still needs to go to the right people.

For most business owners it is difficult to see when information has been shared by or with nefarious sources, yet this is where security must be top of mind.

It is unlikely that SMEs and even larger businesses will have breaches the size of what occurred with Target, but breaches can and do occur every day. It is time to be a little more vigilant and start acting like the CIA.

Adam Neale is chief operating officer at EB2BCOM.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO newsletter!

Error: Please check your email address.

Tags ciasecurityUS Department of Justicecentral intelligence agency (CIA)pentagonFireEyeEB2BCOMIT SecurityTarget

More about Department of JusticeFireEyeUS Department of Justice

Show Comments