Speakers at an IT security briefing in Ottawa Tuesday said companies should not only ensure their networks are safe from external attacks, but should now also be concerned with the growing risk of internal ones.
William Crowell, president and CEO of security software maker Cylink Corp. in Santa Clara, Calif., said there isn’t one overall security solution that will take care of the issue in this turbulent post-9/11 world.
“We need to think of defense in depth to be able to contain breaches, and not depend on a single line of defense for fear of failure,” he said, speaking to an audience of about 115 CIOs at the Sheridan Ottawa Hotel.
Crowell said many companies rely on a “rear-view mirror” approach to security. That means they overly focus on things like anti-virus and intrusion detection software, which are programmed to react to past security issues that keep cropping up, not new attacks cooked up by criminals.
Both Crowell and Tom Stutler, a spokesman from the Federal Bureau of Investigation’s (FBI) National Security Division, cautioned against the enemy within: disgruntled employees or even corporate spies. Stutler said the latter work for North American corporations while usually contracting their services on the side to other businesses — typically overseas — that are looking for the same piece of the pie. Their end goal is to poach client lists or top-secret technical information.
Without naming specific countries, Stutler said the FBI knows of 23 nations that engage in economic espionage with North America.
Thus, Crowell said it is essential that finance-based Web sites start engaging in two-way authentication (either passwords or digital signatures) to protect data from all sorts of prying eyes.
Crowell also emphasized that executives should be paying closer attention to high-level hackers — the ones they don’t hear about in the news because they almost never get caught. These criminals are usually smart and patient enough to steal information one byte at a time, without leaving a data trail that would alert anyone to their presence.
“New threats are showing up all the time,” added Crowell, “like organized criminals who take information from companies in hacking attacks and then go back to them to prove that they can steal this information.”
Stutler noted most companies can help fight cyber-crime by disclosing monetary losses from hacks. He said law enforcement agencies are more likely to obtain extra government funding to fight the problem if they know exactly how bad it is.
Crowell also predicted “the greatest source of loss of information will be from wireless networking in the coming year,” in the rush to implement that technology. However, he didn’t have anything further to say on that topic.
The security briefing, hosted by the RAM Group, will take place in Toronto on Wednesday.