
Ch 8: Security and Business Continuity


Presentation Transcript


  1. Ch 8: Security and Business Continuity – Protecting Corporate IT against Malice and Disaster (AJ Raven)

  2. Agenda
  • The IT security problem
  • Protecting against malice and disaster
  • Why technical safeguards fail
  • Security as an exercise in business tradeoffs

  3. Jargon Decoder
  • IT security breach: maliciously making a system inaccessible, or stealing sensitive data or IP
  • Security tradeoff: increasing IT security inconveniences users
  • Social engineering: tricking a legitimate user in order to access a system
  • Security credentials: something you know, have, or are
  • Continuity planning: tactical plan to resume operations if the IT portfolio is compromised

  4. IT: The Vulnerable Engine of Business

  5. The Security Problem
  • $4 million: average corporate IT breach cost
  • 5 months to recognize a breach
  • 8 months of free rein after a hacker breaks in
  • Industrial espionage costs = $½ trillion/year = Austria’s GDP
  • Mega-breaches (<10 million records) increasingly common
  • IT security is not strategic, but failings can threaten survival
  • Penalties:
    • Paralyze operations
    • Compromise sensitive information; reputational damage
    • Survival
  • Widely underreported: liability, negative publicity, cannot prosecute
  • The strongest technology cannot contribute what non-IT managers can

  6. Cost of one stolen record varies by industry [chart: $ cost of a single breached record, rising from less regulated to more regulated industries]

  7. The Myth of Secure IT
  • Two broad IT security problems
    • Denial of service
    • Hacking – social engineering or brute force attacks
  • Secure computing = myth
  • The aspiration should be:
    • Acceptable security
    • Resilience to bounce back without excruciating losses
  • IT unit responsible for executing IT security but…
    • Some IT assets need more protection than others → business judgments → must come from non-IT managers

  8. Where non-IT managers can contribute
  • Attackers are motivated to exploit or alter data:
    • customer information
    • trade secrets
    • intellectual property
  • IT unit must know → explicit guidance from non-IT managers on:
    • What data and apps are more critical
    • Security-convenience tradeoff acceptable to business users

  9. Case: How Target became the Target Sidebar – not included in these slides

  10. Why Technical-only Approaches Fail
  • IT is secured using… multifactor authentication (outside attacks focus on these)
  • Technical safeguards → credit card industry inspired approaches
    • intrusion detection (scan for suspicious patterns)
    • intrusion prevention (block access)
  • Defenseless against
    • Legitimate, socially-engineered passwords
    • Social engineering – easier to fool a human than a machine
    • Rogue insiders – even with fingerprints, retina scans (e.g., Snowden incident)
  • Technical-only approach
    • Overemphasizes identifiable risks → lulls firms into unfounded complacency

  11. 5x Non-technical Security Vulnerabilities
  • Treating it as a technical, IT unit problem
    • No safeguard against #1 risk = human blunders
  • Overlooking insider threats
    • Defenseless against disgruntled employees or inadvertent slipups
  • Porous inter-firm boundary with business partners
    • Connected partners make data more valuable but more vulnerable
    • Increased connectivity → weakest link defines vulnerability
  • Convenience-security imbalance
    • A business—not technical—decision
  • Internet-of-things
    • Computationally lean devices and large data traffic make them vulnerable

  12. Insider Threats: Safeguards
  Needs stronger internal controls and user awareness
  • IT access policies tailored to your firm
    • Who can access what data, what they can do, and when and where
    • Simplest approach: tiers of access privileges
    • Generic security policies = generic protection
    • IT unit should only implement—not create—them
  • Six other practices
    • Monitor (transparently) for suspicious activities
    • Encrypt data in transit and storage = gobbledygook if accessed
    • Wall off systems with truly sensitive data
    • Unlink sensitive data from other data
    • Anonymize sensitive data if only aggregates are needed for analytics
    • Refrain from collecting excessive data just because you can
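As an added illustration (not part of the slides or the textbook they summarize), the Python sketch below shows how three of the safeguards on this slide fit together in code: tiers of access privileges that answer "who, what, when and where", a transparent audit log with a simple suspicious-activity rule, and pseudonymization of identifiers so analytics that only need aggregates never see raw values. The roles, classification tiers, time windows, networks and requests are constructed assumptions; in a real firm those tiers come from non-IT managers, as the slide says, and the IT unit only implements them.

```python
"""Tiered access policy with transparent monitoring and pseudonymized
analytics. Added illustration for the safeguards slide; the roles, tiers,
classification labels and log entries are constructed, not from any firm."""
from dataclasses import dataclass
import hashlib

# Data classification tiers, least to most sensitive (constructed labels).
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class AccessPolicy:
    """Who may access what data, what they may do, and when and where."""
    max_tier: str                # highest classification the role may touch
    actions: frozenset           # permitted operations, e.g. {"read"}
    hours: tuple = (8, 18)       # permitted local-time window [start, end)
    networks: frozenset = frozenset({"corp"})  # permitted origin networks


# Role tiers tailored to the firm (constructed). Generic policies give
# generic protection, so each role gets an explicit ceiling.
POLICIES = {
    "analyst": AccessPolicy("internal", frozenset({"read"})),
    "account_manager": AccessPolicy("confidential", frozenset({"read", "write"})),
    "dba": AccessPolicy("restricted", frozenset({"read", "write"}),
                        hours=(0, 24), networks=frozenset({"corp", "vpn"})),
}

# Every decision, allowed or denied, is recorded. Monitoring is transparent
# because the same rule and the same log apply to everyone.
AUDIT_LOG = []


def authorize(role, classification, action, hour, network):
    """Return (allowed, reason) for one request and append it to AUDIT_LOG."""
    policy = POLICIES.get(role)
    if policy is None:
        verdict = (False, "unknown role")
    elif classification not in TIERS:
        verdict = (False, "unclassified data is not served")
    elif TIERS[classification] > TIERS[policy.max_tier]:
        verdict = (False, f"{role} not cleared for {classification} data")
    elif action not in policy.actions:
        verdict = (False, f"{action} not permitted for {role}")
    elif not policy.hours[0] <= hour < policy.hours[1]:
        verdict = (False, "outside permitted hours")
    elif network not in policy.networks:
        verdict = (False, f"access from {network} not permitted")
    else:
        verdict = (True, "ok")
    AUDIT_LOG.append((role, classification, action, hour, network, verdict[0]))
    return verdict


def suspicious_roles(log=None, threshold=3):
    """Roles with at least `threshold` denials: a simple monitoring rule."""
    denials = {}
    for role, _cls, _act, _hour, _net, allowed in (AUDIT_LOG if log is None else log):
        if not allowed:
            denials[role] = denials.get(role, 0) + 1
    return sorted(r for r, n in denials.items() if n >= threshold)


def pseudonymize(record, sensitive_fields, salt):
    """Replace sensitive fields with salted SHA-256 tokens so analytics that
    only need aggregates never see raw identifiers. Same input gives the same
    token, so counting and grouping still work; the salt must stay secret."""
    out = dict(record)
    for field_name in sensitive_fields:
        if field_name in out:
            digest = hashlib.sha256((salt + str(out[field_name])).encode()).hexdigest()
            out[field_name] = digest[:16]
    return out


if __name__ == "__main__":
    # Constructed requests: an analyst repeatedly reaching above their tier.
    print(authorize("analyst", "internal", "read", 10, "corp"))
    print(authorize("analyst", "confidential", "read", 10, "corp"))
    print(authorize("analyst", "confidential", "read", 22, "corp"))
    print(authorize("analyst", "restricted", "write", 10, "vpn"))
    print("suspicious:", suspicious_roles())
    print(pseudonymize({"customer_id": "C-1001", "region": "west"},
                       ["customer_id"], salt="example-secret"))
```

The policy check is deliberately a chain of explicit denials with a stated reason, so the audit log explains why access failed rather than only that it did; that is what makes the monitoring transparent to users and reviewable by managers.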

  13. Prepping for a Security Crisis
  Non-IT managers play an integral role
  • Requires skills rarely used in day-to-day activities
  • Advance dress rehearsal: to respond internally and externally to minimize damage
  • Swift response: a sloppy response is more damaging than the breach itself
    • The first few hours count most
  • Long-term focus:
    • It matters more how it’s handled
    • Reassuring customers how it will never repeat
    • Misinformation backfires

  14. Business Continuity and Disaster Recovery
  • Redundancies and backups kick in if a piece of hardware fails
  • Business continuity planning: unexpected disruption of the entire environment
    • Hurricanes, blackouts, fires, floods, earthquakes, or other Acts of God
    • = insurance against the worst (like your car’s spare tire)
  • A tactical plan for resuming your operations after a catastrophe
    • Boils down to risks that can derail your revenue stream
    • esp. primary value chain activities in every line function
  • Relies on a backup site

  15. Hot, Warm, or Cold Sites
  Site type | What is in place                                                      | Cost                 | Switchover speed
  Hot site  | Fully operational replica of mission-critical IT assets (harder for   | Costliest            | Hours
            | custom-built IT)                                                      |                      |
  Warm site | Mission-critical apps, hardware, lagged data                          | Between hot and cold | Days
  Cold site | No hardware or software                                               | Cheapest             | Weeks
  Choice depends on what makes business sense

  16. Non-IT Contributions to Continuity Planning
  3 questions determine the ongoing costs acceptable for scope and responsiveness
  • What IT assets are critical?
    • Mission-critical IT apps and data (can stall revenue-generating activities)
    • Begin with vulnerable primary activities in your value chain
    • Include employees, contractors, and business partners
    • Prioritize key IT assets individually
  • Recovery time objective
    • How long can you withstand an interruption in each of them?
    • How quickly before irreversible loss of public trust?
  • Recovery point objective
    • How old can the recovered data be?
    • How much data loss is tolerable?
  • Remember: IT systems produce most Federal compliance data
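The two preceding slides describe a decision a non-IT manager makes with the IT unit: each critical asset's recovery time objective decides which site tier (cold, warm, hot) is affordable and adequate, and its recovery point objective decides how often data must reach the backup site. The Python example below is an added illustration, not material from the slides or the book, and works that decision through for a constructed set of assets. The switchover bounds per site type are assumptions chosen only to match the slide's weeks / days / hours ordering, and the assets and objectives are made up.

```python
"""Continuity-planning check combining the hot/warm/cold site slide with the
recovery time and recovery point objectives slide. Added example; the asset
list, objectives and switchover figures below are constructed assumptions."""
from dataclasses import dataclass

# Site options, cheapest first. Switchover bounds are assumed figures that
# respect the slide's weeks / days / hours ordering; they are not data.
SITES = [
    ("cold", 14 * 24),  # no hardware or software in place: weeks
    ("warm", 3 * 24),   # apps and hardware in place, lagged data: days
    ("hot", 4),         # fully operational replica: hours
]


@dataclass
class Asset:
    name: str
    rto_hours: float              # how long an interruption can be withstood
    rpo_hours: float              # how old the recovered data may be
    backup_interval_hours: float  # how often data reaches the backup site


def cheapest_site_for(rto_hours):
    """Cheapest site whose switchover time fits inside the RTO; None if none does."""
    for name, switchover in SITES:
        if switchover <= rto_hours:
            return name
    return None


def rpo_gap_hours(asset):
    """Worst-case data age equals one backup interval; a positive gap means
    the RPO is missed by that many hours."""
    return max(0.0, asset.backup_interval_hours - asset.rpo_hours)


def plan(assets):
    """Prioritize assets by tightest RTO, recommend a site per asset, and
    report RPO gaps. The single shared site must satisfy the tightest RTO."""
    ordered = sorted(assets, key=lambda a: a.rto_hours)
    per_asset = [
        {
            "asset": a.name,
            "site": cheapest_site_for(a.rto_hours),
            "rpo_gap_hours": rpo_gap_hours(a),
        }
        for a in ordered
    ]
    return {
        "priority": [p["asset"] for p in per_asset],
        "site_required": per_asset[0]["site"] if per_asset else None,
        "per_asset": per_asset,
    }


if __name__ == "__main__":
    # Constructed value-chain assets with illustrative objectives.
    assets = [
        Asset("order processing", rto_hours=8, rpo_hours=1, backup_interval_hours=0.25),
        Asset("payroll", rto_hours=72, rpo_hours=24, backup_interval_hours=24),
        Asset("marketing analytics", rto_hours=30 * 24, rpo_hours=7 * 24,
              backup_interval_hours=14 * 24),
    ]
    result = plan(assets)
    print("site required by tightest RTO:", result["site_required"])
    for line in result["per_asset"]:
        print(line)
```

Two things the slides imply fall out of the output: the most demanding asset in the value chain dictates the site tier for the whole environment (here the order pipeline forces a hot site even though payroll alone would be fine with a warm one), and an RPO is only met if the backup cadence is at least as frequent as the tolerable data loss, which is a cost the business, not the IT unit, has to accept.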

  17. Summary
  • IT insecurity is unavoidable – it comes with value-creating connectivity
    • Risks derailing firm operations, business survival, public trust
  • Breaches are mostly human failings
    • Humans are more “hackable” than machines
    • Overconfidence in technical solutions = naïve
  • Security ≠ IT’s responsibility or solely a technical problem
  • Non-IT involvement contributes what IT cannot
    • Prioritizes what’s worth protecting more
    • Mitigates business consequences
    • Strikes the right security-convenience balance

  18. Target – Right after the Breach
