If a team of mastermind computer experts wants to hack your company’s network, it probably will. But
if any rookie hacker with some time to kill can crack your system, that’s a problem. And the problem doesn’t start with poor technology; it starts with management.
Take, for example, the series of hacks on Sony (SNE) that began in April: they were launched by a prank hacker group called LulzSec, which used a method so simple that a high school kid could master it, says Phil Blank, senior security analyst at Javelin Strategy & Research.
In response to the attack, Sony revamped its security management. In May, the company appointed Sony Global Solutions president Fumiaki Sakai as acting chief information security officer — a position the company didn’t have before.
In fact, many companies have created top-level positions for security information officers, and that’s an important first step, Blank says. While security officers may not be able to prevent highly sophisticated attacks, they can help protect companies from simple security breaches. Perhaps their most important job, according to Edward Amoroso, AT&T’s (T) chief information security officer, is to integrate the security department with the rest of the company, which is no simple task.
Like IT employees, information security types tend to speak in a somewhat geekier dialect than the rest of a company’s rank-and-file, one that can be hard for many executives to understand.
But, perhaps out of necessity, executives are becoming better versed in security lingo, Amoroso says: “We’ve seen some attacks in the last six months that have shaken the very foundation of some of the firms involved. There’s no question that computer network security is becoming a board-level issue.”
After putting someone in charge of the security effort, the next step is to include the security team in projects from the get-go. This is important, Amoroso says, especially as disparate branches of companies explore new technology. Often, he says, security experts will discover a breach in a project they didn’t even know existed.
While a company’s brass must make information security a priority, security personnel also need to meet management half way by making their messages interesting and accessible, Amoroso says. “We’ve all gotten those serious, three-page memos from some IT administrator, but by the third sentence, you don’t know what they’re talking about. That’s not the way to do awareness.”
If done effectively, employee awareness can help prevent basic attacks. Employees often make simple mistakes like clicking on a foreign attachment or a link with a strange URL, which allows hackers to access a company’s information.
These small mess-ups can cause a disproportionate amount of damage. Once inside the system, hackers can compile seemingly discrete pieces of information — account numbers, birthdays, email addresses — and cross-link them to launch fairly complicated attacks, says Blank: “The days are now gone when people could decide what information is worthy of protection and what is not.” Instead, you have to protect it all.
Blank says that managers can help prevent less sophisticated attacks by hiring benevolent, or “white hat,” hackers to try to crack the system. This gives the tech staff a heads up to potential problems before they’re rooted out by less benevolent hackers.
There’s no way to secure everything, of course, but companies can prevent low-level hacks by taking a few simple steps. And with web-based applications and mobile devices practically de rigeur in the corporate world, security discussions will need to become even more common among the executive set.