A call to arms for infosec professionals
by Brian Honan - CEO BH Consulting - Wednesday, 10 April 2013.
An old saying says “nature abhors a vacuum,” meaning that in the absence of something nature will find a way of filling that gap. We are currently witnessing the same phenomenon in the information security field.

Information security has grown from being a small subset of IT to now being something of critical importance, not just to organizations but also to industries, economies and nations. As we become more and more dependent on the Internet, and computers control more and more of our daily lives, they also become a bigger risk to the stability of our businesses, economies, and our critical network infrastructure.

These risks have been recognized by governments around the world. US President Barack Obama has stated that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.” Jonathan Evans, head of the UK’s secret service MI5, highlighted in July 2012 that the online threat to the United Kingdom was comparable to that posed by terrorists and said there were “industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organized cybercrime”.

Yet despite all this rhetoric about computer security, there is still a lack of clear leadership on how to deal with the problem. Various countries have published their cyber security strategies, yet many have not shown any evidence of implementing those strategies in any demonstrable manner. We have seen individuals appointed to cyber security advisor (or tsar) positions in a number of countries, who then quickly resign and cite the lack of resources and support as obstacles to fulfilling their roles effectively.

The Convention on Cybercrime was one of the first treaties developed to enable an international legal framework to deal with online criminal acts. However, since its adoption by the Committee of Ministers of the Council of Europe in 2001, only thirty of the forty-seven countries that have signed the agreement have actually ratified it and made it law.

Many businesses are also failing to tackle this important issue. Not a day goes by that we don’t hear about another company suffering a security breach. Many of these breaches are avoidable, as shown by Verizon’s Data Breach Investigations Report, which highlights that, of the breaches investigated in 2012, nearly 97% were avoidable using simple controls.

While many countries and organizations are failing to deal with computer security, others are seeing this failure as an opportunity. Criminals are quickly expanding their operations into the online arena, and they see the Internet as a fertile environment for making large amounts of money. Activists are using the Internet, and in particular social media, to publicize their causes and promote their messages. Hostile nation states, industrial espionage groups, and dissident groups are also looking to exploit our inability to work together to secure our systems.

Another group taking advantage of the confusion and lack of understanding in this arena is the large lobby groups working on behalf of the defense and weapons industries. It is in the interest of these lobby groups to highlight the threat from online-based attacks and to look for governments to invest money and resources in this area.
