03 Jun Information security, more than INFOSEC
In the age of mobility, IT security (INFOSEC) – with its cyber security component – is no longer just a technical challenge, and IT managers must also engage in business decision-making. Mobility and digitization are the engines that push IT executives ever harder toward the business side and guarantee them a strategic position in securing the future of the business they need to be involved in.
Moreover, as awareness of the importance of cyber security has grown in many companies and public organizations in the United States and the European Union, the role of Chief Security Officer (CSO), distinct from that of the Chief Information Officer (CIO), is increasingly present in executive management alongside the CIO.
“Information security in an organization means more than IT security (simple technical system settings, antivirus and firewall programs); it means assessing the situation and making the right decisions, based on the management of an information security management system – SMSI based on policy, procedures, risk analysis, security incidents, and business continuity. In this context, the roles of CSO and CIO (assimilated IT manager) become strategic. Assisting decision-making on the basis of information that is complete, real-time, secure, truthful and unaltered by internal or external fraud is a major business objective,” says Constantin Caliman, Chief Security Officer, CRESCENDO.
CRESCENDO, the IT&C solutions house, has been one of the first Cisco-certified providers of communication and security solutions since 2007 and is now at the highest level of certification, Gold. Through this partnership, as part of its extensive portfolio of solutions and security expertise, CRESCENDO offers services that meet the specific needs of companies of all sizes.
Accessible connectivity increases company vulnerability
The benefits of permanent connectivity are gradually being recognized and adopted by more and more local companies, which increases their vulnerability to cyber attacks.
Gartner estimates that by the end of 2020 the number of devices connected to the Internet (IoT) will be 38.5 billion, versus 6.4 billion at the end of 2015. In other words, in 2020 every Internet user will connect with 6 devices. However, a large number of companies in Romania have inadequate information security procedures, a finding of an Ernst & Young study from mid-2015.
The National Cyber Security Response Center – CERT-RO collected and processed 68,206,856 cyber security alerts in 2015, according to the institution’s activity report.
The security alerts highlighted the following issues:
- 2,321,931 unique IP addresses, 26% of the total IPs for the national cyber space, were targeted by alerts collected by CERT-RO in 2015;
- 088 “.ro” domains were reported to CERT-RO as being compromised in 2015, up 58% from 2014 (10,759). Of the total of 855,997 domains registered in Romania in February 2015, the number represents about 2% of the total “.ro” domains and about 6.5% of the total “.ro” domains;
- 78% (53 million) of the alerts collected and processed concern vulnerable computer systems, meaning systems that are unsecured or improperly configured. Some of these vulnerable systems are used by attackers to launch cyber attacks on other targets and to mask their identity, sometimes without compromising them but simply by using the services they make available (for example: open DNS resolvers, proxy servers without authentication, improperly configured NTP servers, etc.);
- 20.78% (14 million) of the alerts collected and processed concern computer systems infected with different variants of botnet malware, which has mechanisms that allow attackers to remotely control the infected systems;
- 64% (43 million) of the total number of incidents resulting from the processing of alerts involve computer systems that are part of botnets, which can be used to conduct cyber attacks on targets in Romania or abroad.
The most common types of incidents:
- Website compromise caused by outdated and vulnerable CMS platforms;
- Infection of workstations with various malware variants, especially ransomware, caused by opening malicious links and attachments, against a background of outdated operating systems and applications.
Ransomware is a type of malware (computer virus) that encrypts users’ files (documents, pictures, etc.) and demands a ransom (payment of a sum of money) to decrypt the files and restore the user’s access to them. Ransomware is one of the worst forms of malware, as it causes direct financial damage, and virus-encrypted files cannot be decrypted.
Digital Age Challenges
Digital transformation becomes a challenge for all companies, whether we are talking about multinationals, companies with a tradition in the industries where they operate, or small businesses just starting out.
The evolution of cloud and mobile technologies increases the need for security management and IT risk monitoring. According to the latest Cisco Annual Security Report, company-generated information is increasingly vulnerable to more and more sophisticated, bold, and longer-lasting IT attacks. Technically outdated infrastructures and outdated organizational structures are the main sources of exposure of companies to attacks.
The average detection time of a computer attack is between 100 and 200 days, according to Cisco statistics. 92% of the executives who participated in the study admit that they are not sure about the effectiveness of the IT security strategy applied in the companies they run. And less than 50% of managers responsible for information security believe that the tools they use are effective in determining the effects of an attack and in remedying and limiting the damage caused.
It is obvious that information security is becoming a permanent topic of discussion at company management level, and the CSO function, especially from a security perspective, can no longer be regarded as a business support function. Considering the volume of information transmitted through the information and communication systems – SIC (IT security) within an SMSI (physical security, personal security, document security, INFOSEC, industrial security), the IT manager’s role in the design, operationalization, development and decommissioning of the information system that processes business information flows becomes essential. An SMSI is a dynamic system. It is not possible to provide total security, only an accepted level of security synchronized with business processes. In the business world, risks grow along with opportunities, and the decision maker’s information can come from various sources (mostly from outside the SIC).
Changing the mentality can only be done through a culture of organizational security, built on appropriate rules, policies and procedures and on the management of an information security management system. Confidentiality, integrity, availability, non-repudiation, authenticity, reliability and timeliness become basic attributes of information. The lack of these attributes may impair or damage the decision-making process of top management.
IT Director – a strategic role in company development
Information security in an organization is ensured by managing an information security management system (SMSI) and by training employees (80% of vulnerabilities are caused by the organization’s own staff).
Here are some initiatives that can strengthen the strategic position of the Security Officer (CSO) and the IT Manager (CIO) in company management, recommended by CRESCENDO specialists on the basis of experience gained in dozens of projects, implemented in various industries, that involved complex security issues:
- Identifying the vulnerabilities and risks to which the company’s resources are exposed, from internal networks and work devices (computers, laptops, tablets, mobile phones, wireless routers, etc.) and desktop and mobile applications (customer relationship management solutions – automation of sales – SFA, company resource planning – ERP or company content management – ECM) to personnel security, documents, physical security, industrial security (classified contracts), property rights, financial resources, etc.;
- Defining information security strategies in line with industry regulations (standards), current legislation and the company’s business objectives;
- Performing periodic risk analyses covering the level of cybercrime in the field where the company operates, the potential for error or malicious intent on the part of the company’s personnel, and threats specific to certain stages of the company’s technological development;
- Raising, and even proactively proposing solutions for, cases of errors that resulted in leaks of confidential information, theft of personal information, virus infections or the blocking of computer systems.
Ensuring information security in an organization is done by managing an information security management system (SMSI) to ensure:
- managing security events / incidents;
- ensuring business continuity in disaster situations (pandemics, fires, earthquakes, terrorist actions, etc.);
- security culture and responsible use of resources by employees.
Through regular training, the CSO must ensure a security culture and a common language of dialogue among all employees. Together with the CIO, the CSO provides the advice that top management needs in order to make correct, complete and real-time decisions.
“Digitization, technological evolution and the global context require radical transformations with deep implications for companies’ information security. A company’s success on the market may radically depend on IT managers’ ability to secure information while delivering innovative products and services to customers and performing applications to streamline employee internal processes from any device and location,” says Cosmin Marcu, Solutions Architect, CRESCENDO – CCIE specialist, certified at the highest level in Cisco technologies.