The next time you need to make a decision involving the security of your company's data, it may be worth rethinking your approach before you act.
That was one of the messages coming out of the SC Congress conference in Toronto on June 11, which advised IT professionals on tackling thorny issues such as protecting sensitive data. One of the most important steps is to measure the level of risk to your particular company and to work out where those risks come from, says Curtis Levinson, who advises NATO on behalf of the U.S. on cyber security.
Levinson frames the question around mapping out a supply chain. For example, how do we know where all the components in our smartphones have come from? Where was the phone made? What kind of software went into each chip within the phone?
“Everyone has a supply chain for everything. When you order a hamburger, and the burger is on your plate, there is a supply chain that led to that burger being on your plate,” he says. “Most of us don’t want to think about it, but if someone wanted to poison the food supply, they could go all the way back up to the supply chain to the feed the cow was given and put mercury in the cattle feed.”
“So when a bad actor is looking at a cyber attack, where to attack? Do you attack the strongest, most armoured parts? Or do you go somewhere back up the supply chain that isn’t so secure?”
A computer is at its best protected once IT administrators have installed anti-virus software and other safeguards; it is at its weakest while it is being manufactured, or while it is still a collection of separate parts, Levinson says. And because companies are drawn to less expensive hardware from regions such as Asia, those components are the more likely place for something unsavoury to be hidden, putting the buyer at risk.
IT staff need to enumerate the supply chains within their companies. What they find may surprise them, and only then can they start applying technology correctly to mitigate risk, Levinson says.
“Even the most technically astute people are not necessarily aware of the supply chains associated with their Internet service, with their hardware, with their software, with their vendors, with their service providers, with their contractors,” he says.
That’s one way of looking at it, said Peter Davis, who heads Peter Davis and Associates. He also believes it’s important to evaluate your risk first, but he adds if you’re going to make any important decisions, you need to avoid just “going with your gut.”
These days, many companies are preoccupied with managing the bring your own device (BYOD) trend in their workplaces. Some IT administrators' first instinct is to allow it as a cost-saving strategy; others would dismiss it out of hand as a huge security risk. Either way, Davis recommends basing the decision on past numbers from the company's own history: run them through a model and use the data to estimate what the future might look like.
“Unfortunately, security people don’t like to do probabilities, they talk about possibilities and controls,” Davis says. “Using a methodology that is not quantitative risk, you’re probably no better off than using intuition.”
He sits down with clients and asks them for their own figures on things such as how many corporate devices were lost or stolen in a given year, how many of those devices contained sensitive data, how much revenue was lost, and so on.
He then maps out a scenario for the company using a framework such as the Factor Analysis of Information Risk (FAIR) model, allowing IT administration to make informed decisions.
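The following is an added example, not code from the article, from Peter Davis or from the FAIR standard, showing the shape of the exercise he describes: take the client's historical figures, turn them into a loss event frequency, pair that with a per-incident loss range, and simulate many years to get a distribution instead of a gut feeling. The history, the per-incident cost ranges and the "with control" scenario are constructed assumptions for illustration, not figures from the article.

```python
"""FAIR-style Monte Carlo estimate of annual loss from lost or stolen devices.

Added example; not code from the article, from Peter Davis or from the
FAIR standard. Every figure below is a constructed assumption.
"""
import math
import random

# Constructed sample history (not real figures): the kind of per-year counts
# a client might supply, such as lost/stolen corporate devices and how many
# of those held sensitive data.
HISTORY = [
    {"year": 2010, "lost": 14, "sensitive": 3},
    {"year": 2011, "lost": 18, "sensitive": 5},
    {"year": 2012, "lost": 21, "sensitive": 4},
]


def loss_event_frequency(history):
    """Average yearly count of losses that exposed sensitive data.

    This plays the role of FAIR's Loss Event Frequency, estimated from the
    record rather than guessed.
    """
    return sum(r["sensitive"] for r in history) / len(history)


def poisson(rng, lam):
    """Knuth's method for a Poisson variate; adequate for small lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


def simulate_annual_loss(history, low, mode, high, years=10000, seed=1):
    """Simulate `years` years and return summary statistics (in dollars).

    Each simulated year draws a Poisson number of loss events around the
    historical frequency; each event draws a cost from a triangular
    distribution given by the minimum, most likely and maximum per-incident
    loss (assumed figures the analyst supplies).
    """
    rng = random.Random(seed)
    lef = loss_event_frequency(history)
    annual = []
    for _ in range(years):
        events = poisson(rng, lef)
        # random.triangular takes (low, high, mode) in that order.
        annual.append(sum(rng.triangular(low, high, mode) for _ in range(events)))
    annual.sort()

    def percentile(q):
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {
        "lef": lef,
        "mean": sum(annual) / years,  # annualized loss expectancy
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": annual[-1],
    }


if __name__ == "__main__":
    # Two hypothetical scenarios for the same history: the per-incident cost
    # range if a lost device holds readable data, and the narrower range if
    # a control (say, device encryption) limits what a thief can use.
    base = simulate_annual_loss(HISTORY, 20_000, 60_000, 250_000)
    reduced = simulate_annual_loss(HISTORY, 2_000, 5_000, 40_000)
    for name, r in (("no control", base), ("with control", reduced)):
        print(f"{name:13s} ALE ${r['mean']:,.0f}  p90 ${r['p90']:,.0f}")
```

The point of the simulation is the distribution, not the single number: the mean is the annualized loss expectancy, while the p90 and maximum show the bad years a control budget has to cover. Swapping the per-incident range for a second scenario and re-running gives the "before and after" comparison that makes a control's value visible in the client's own units.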
“All business decisions follow risk,” Davis says. “When you start to build scenarios and work the numbers, then you start to see attitudes change, because now we actually have real data … At some point you’re going to have to do some analysis.”