‘There is no security on this earth; only opportunity.’
General Douglas MacArthur fought in three major wars (World War I, World War II and the Korean War) and accepted Japan’s surrender on September 2, 1945. He knew a good deal about security in relation to the three mediums of his day, land, sea and air, but his quote above holds just as true today in the fourth medium: the information plane.
Information is a weapon; modern generals will tell you this and will confess that, in relation to digital information and the world wide web, it presents the greatest of all strategic vulnerabilities for a first-world country in an asymmetric war against a poorly funded and resourced but motivated and intelligent enemy.
Why? Because a determined enemy with the simplest of IT resources and connectivity can act as a force multiplier, fighting ‘well above his weight’ on a battlefield whose weapons are constrained only by the technical capabilities of a given individual, organisation or state. The ‘opportunities’ to inflict lasting damage on infrastructure, operations and business from the other side of the globe, using a single person with a single finger on a button, are greater now than at the height of the Cold War.
If countries and states can be threatened by such actions then commercial organisations (from large corporations to ‘one-man-bands’ in back bedrooms) are at just as much risk from information security breaches.
So how can comparatively small enterprises secure themselves against the kind of threats that have taken national government services offline (e.g. Georgia in 2008)? Services, technologies, restrictions, physical barriers?
These all have a part to play, but the key to success is a word that you rarely, if ever, see in relation to information security: DYNAMISM.
To employ a ‘barrier’ type approach to information security is to engage in single-dimension ‘trench warfare’, blindly deploying services, technologies and standards without understanding the enemy. Organisations must continually manoeuvre and evolve in response to, and more importantly in anticipation of, the ‘opportunities’ that are ever present against the security of information.
Adopting a well-communicated, adequately resourced and systematic approach to the vulnerabilities of an organisation’s information assets will ensure that ‘opportunity’ is restricted. MacArthur, no doubt, would have advocated the principles of defence:
DEPTH. A multi-layered approach to the assessment of threats, the detection of vulnerabilities and the resolution of breaches is essential. It provides depth, a period of ‘stand-off’, so that if one asset is compromised there is not a complete breach of information assets. Depth is built from services and technologies such as up-to-date patching of software, redundant firewalls, load balancers, failover server solutions across multiple datacentres, access control (both physical and logical), encryption of some or all assets and regular penetration testing; no single one of these is expected to hold on its own.
ALL ROUND DEFENCE. Continuous and active assessment of where the vulnerabilities lie in relation to an organisation’s information assets. Threats will continuously change and evolve, and in order to remain best protected all opportunities, from all angles, must be considered, identified and controlled, constantly.
MUTUAL SUPPORT. Complete and continuous communication of an organisation’s up-to-date approach to information security to all members (normally via an Information Security Policy) will create the conditions for a unified response to information security threats. In addition, relationships with information security specialists should be maintained in order to stay abreast of emerging threats and the proactive actions they call for.
RESERVES. A rehearsed, documented and resourced Business Continuity Plan that can call on failover capabilities, available via technologies such as cloud environments or hosting in multiple datacentres, as part of a Disaster Recovery Policy.
OFFENSIVE SPIRIT. Remain pro-active and plan for the worst case; just because a threat has not been experienced, does not mean it should not be taken seriously: prevention is better than cure.
DECEPTION. Deny the enemy information. Obscurity alone is not security, but controlling what an adversary can learn about an organisation’s systems and data, inside and outside its walls, is paramount to the maintenance of a secure information environment. Access privileges, password protection, encryption, disposal procedures and the like reduce the threats posed by information loss.
In summary, to think of information security as a safe or a padlock is to present an ‘opportunity’, a sitting target. In order to secure their information assets, organisations must remain dynamic and embrace constant learning and evolution to tackle the ever-changing threat.