Author Christine Vanderpool – Chief Information Security Officer, Molson Coors
When I was a child, I absolutely loved the cartoon Scooby Doo. But then, who didn’t? I loved how the bad guy’s plan was always foiled by those meddling kids. The best part had to be how the villain was always the most logical answer. It was never truly a swamp monster or the ghost of a coal miner. It was always Farmer Johnson or Old Man Pete. Isn’t that still true of most of the day-to-day cyber-attacks that occur in the corporate world today?
Yes, there are the highly sophisticated attacks that we hear about in the news almost daily, but what about the non-glamorous, small attacks, which can be just as harmful and expensive to a corporation? In today’s world, security experts spend a large amount of time, money and resources on tools and processes to detect and prevent external attacks. This is a smart investment, but it does not mean they can take their eye off the internal threats to the company.
Most companies today, especially those with compliance requirements like SOX and PCI, have strong internal controls and are performing monitoring activities against those controls. But is that enough? If I keep spare change in a jar in my kitchen but never really know how much is in there at any given time, is it likely that someone from the outside is going to sneak in every night and steal a few nickels and dimes here and there? Or is it much more likely that my young son is going to take advantage of the fact that I do not count that change on a regular basis?
So, how do I deter my son from helping himself to the spare change in the jar, which is not there for his taking? First and foremost, I need to educate him about stealing and why it is the wrong behavior. After education and training, I need to reward him for doing what is right. Beyond that, I can put rotating controls in place, such as locking up the spare change or counting it from time to time and posting the tally.

Similarly, companies need to educate and train their users, encourage the right behavior, and continue to mix things up when it comes to controls. Stagnant controls become just as toxic and dangerous as untreated water in a pool and make it hard to detect what lies beneath. A great example of a stagnant control that has been front and center in some of the recent cyber incidents is password controls. The standard 8-character password with a mix of letters and numbers adds complexity, but if the ID and password are compromised or stolen, the complexity is a moot point. To mix it up, other authentication controls, such as two-factor authentication, should be considered and implemented.

As the meddling kids of the IT world, it is the job of IT security leaders and practitioners to continue to explore and address internal threats as much as external ones. We must continue to examine and audit our internal controls with internal threats in mind. More importantly, we must continue to mix it up and change things so that it becomes more challenging for those familiar with the way things work to take advantage of any known weaknesses in the process. Lastly, it is important to remember that if we spend all of our focus trying to catch the ghost scaring away all of the customers, thinking he must be some external unknown force, we may miss the fact that the villain was the innkeeper all along.