Would you sleep at night knowing your business is only protected from cybercriminals during regular banker’s hours?
Apparently the bureaucrats in Ottawa thought that plan was just a-okay(or is that ‘eh-okay’?) for this country’s entire IT security strategy.As detailed in our source story from the Globe and Mail, therecentauditor-general’s report really stuck it to the feds’ cybersecuritystrategy, pointing out that the Canadian Cyber Incident Response Centre(CIRC) only monitors suspicious stuff from 8 a.m. to 4 p.m.
Coincidentally, Ottawa announced shortly before the A-G’s report cameout that CIRC’s hours will be extended to 15 hours per day. So ifyou’re a hacker, now you only have a daily nine-hour window when noone’s really minding the store.
In fact, Liberal safety critic Francis Scarpaleggia even wondered aloudwhy CIRC isn’t held to the same operating standards as, well … a store:“If 7-Eleven and Couche-Tard can stay open all night, why can’t theIncident Response Centre?”
We dialed up security expert Tony Busseri for his take on the report.His main takeaway? After spending over a decade (and hundreds ofmillions of tax dollars) to develop a cybersecurity strategy, Ottawahas done far worse than most businesses in moving to keep its data andnetworks safe.
“The Canadian federal government’s (cybersecurity) response and programis an example of what businesses shouldn’t do,” said Busseri, CEO ofToronto-based IT security firm Route1.
Example: after two key federal departments (rumoured to be Treasury andFinance) were hacked in January 2011, an investigation discovered somepublic servants weren’t storing sensitive information properly orsecurely.
Busseri offered us some tips, based on the mistakes made by Ottawa,that Canadian businesses of any size can use to protect their ITassets.
Use two-factorauthentication: This usually entails a device (like asecurity smartcard that goes into a USB port) plus a passcode enteredby the user. “It’s something you have (the device) and something youknow (the code).”
Honour thy firewalls:“Use a solution where the data’s never going beyond the firewall of thenetwork, not a VPN or a browser-based solution that pulls data fromyour network to a remote access point.”
Look beyond just thebiggest, oldest names: Ottawa repeatedly procures from thebiggest tried and true security vendors, Busseri said, but that’s notalways the best option out there. “They buy big and they buy what’sbeen done historically.”
The priciest securityisn’t always the best: “I think (Ottawa’s) spending enoughmoney. More money doesn’t mean better security.”
Be open to newersolutions on the market: “It’s not that the bad guys aretoo smart. It’s that (the feds) are being really dumb around theadoptionof new technologies.”