Part 1: The Landscape of Internet Security in 2018
It seems that each new day brings startling new statements, broadcast loudly from internet security vendors. Statements like “It’s not a matter of if but when”, or “60% of websites are infected”, or “40% of ransomware victims declare bankruptcy”, or “The average discovery of infections in a business is 91 days”, or “FBI recommends not paying bad actors”. We’ve all heard them, and the list goes on and on. They must have some truth in them, as they come from large respectable companies! What is a business person to do? Are we all to go broke buying security solutions??
At a recent seminar, I met an internet security professional with an interesting approach. When I asked him how he helps his clients, he says he starts with a simple set of initial questions. This is what he asks his clients:
- What are your assets that need protection?
- Do you know if you are infected now?
- What would you do if you were?
- What resources do you have?
- What are you doing to improve?
Ok, so to figure out what assets (Question 1) you need to protect is probably simple enough, but things can quickly get complicated. The opposite of an asset is obviously a liability, and you probably are not aware of all the new and proposed regulations and penalties concerning data protection. In other words, you may know what assets you’d like to protect, but are there other assets you’re now required to protect by law?
Corporate responsibility is key here and as always, “ignorance is no excuse”. Lawyers are salivating at this large new market for their services. Insurance companies are struggling to adjust. Regulators are politically motivated and aggressive. Enforcement agencies are hard to get a read on for various reasons. So one asks a legitimate question: How do I reduce or better yet, eliminate exposure?
Questions 2-4 are probably covered with a combination of next-gen firewall, anti-virus/malware and network/certificate plays. They may or may not be up to the task. How does one know? Do you ask your already overworked IT resources?
Question 5 is a work in progress. The fact that you’re reading this exhibits a curiosity which needs to be encouraged. The tools for “best practices” security are not just technical. They include use of publicly available standards such as NIST (National Institute of Standards and Technology). Insurance is becoming more adaptive and useful. Company policy development is a must. Many of these can be done without significant costs.
I’ve given you a number of questions to think about — questions which I will help you to answer in subsequent posts, but for now I will leave you with a chilling thought: If you were a victim of ransomware and after paying 10 Bitcoins ($100,000 US approx. as of this writing!) your files weren’t restored, what would you do? By now your IT support has been sending your calls to voice mail. You may have called the police. You have searched around and become confused as the pressure mounts.
You madly search for an answer, and aha! a Solution! There are companies that specialize in this who employ both good and bad actors and can recognize a hacker’s work and have the skills to restore your data. Big bucks but what is the alternative?
The alternative is don’t get there in the first place and this requires some serious work. More on that in my next post: Part 2: Five Areas for Complete Internet Security Coverage. After that, check out Part 3: What to Expect in the Security Assessment.
This is the first in a series of internet security posts which are intended to assist security aware business people. My name is Bruce Thompson and I have been in the telecom and IT industry for over 30 years and have numerous security certifications from industry leading vendors and associations. This first entry is to attempt put the landscape of internet security in 2018 into perspective for you.