Friday, today is the 14th anniversary of the Al Qaeda attack on the US in New York on 9/11/2001.
The world today is more connected, more always-on, more accessible…and more hostile. There are threats from Islamic terror, identity theft, hacking for pay, custom spyware, mobile malware, money laundering and corporate espionage. For those of us working in the fields of risk management, security and privacy, these are all complex challenges in the task of defending a business.
The biggest challenge is the divide between IT and management. It’s similar to the events leading up to 9/11: the FBI investigated and the CIA analyzed, but the two sides never discussed the threat, and the potential damage, of Saudis who were learning how to fly airplanes but not how to land them.
The two biggest security issues today for a business both from an operational and regulatory perspective are fraud and data loss. An insider, often colluding with an outsider, can cause large scale damage to the business by manipulating transactions. Let’s take two examples – the Israeli Trade Bank case and the Israeli Trojan Horse case.
Fraud – the Trade Bank
In mid-2003, it was discovered that Etty Alon, a bank employee, had embezzled over NIS 250 million from the Trade Bank in Israel. At her trial, she told the Tel Aviv District Court that she did not take any of the money for herself but used all of it to pay off the gambling debts of her brother, Ofer Maximov. The money later turned up in Israeli organized crime and the bank itself went under. To this day, the bank’s external auditors, KPMG, have never been charged with negligence for not discovering the attack on the bank.
Executives look at fraud as a risk management / revenue assurance problem and IT looks at fraud as someone else’s problem.
Data theft – the Israeli Trojan Horse
In June 2005, Israel’s biggest business scandal in decades, the so-called “Israeli Trojan Horse”, hit the papers. Previously under investigation for several months, the list of companies implicated included NASDAQ-traded Amdocs, Cellcom, Bezeq, Pelephone and YES (the DBS operator). The victims included Hewlett-Packard and the Ace hardware chain, as well as the Globes business daily, the Strauss-Elite food group, and HOT (the digital cable company). By stealing strategic marketing plans, YES was able to stay one step ahead of HOT for over a year and a half, costing HOT millions of shekels in lost revenue.
Executives look at data loss as a risk management problem and IT looks at data loss as a select-another-security-product problem.
Working with clients, we try to bridge this gap by working with the director of security (not with IT) and convincing him or her to do a risk assessment with live sampling of transactions on the corporate network. After the risk assessment we can help the VP of security and fraud build a business case for the management board. IT plays a role as technical evaluator, making sure that the proposed security countermeasures fit the IT infrastructure.
It’s not about security technology. The technology we sell (Fidelis Security Systems XPS) is always a slam-dunk for the technical guys. It’s all about making the business case to the management board in dollars and cents and proving that there is a cost-effective, prioritized risk mitigation plan.
Internal fraud and data loss are philosophically different from intrusion prevention and anti-virus. With anti-virus and intrusion prevention it’s about attackers from outside the organization. With fraud and data loss, it’s about vulnerabilities INSIDE the organization. Etty Alon worked for the Trade Bank – there were no malicious hackers involved. The MO of the Israeli Trojan was basically social engineering – exploiting the vulnerabilities of employees who were given a CD with the spyware under the guise of a game. What is the first thing you do when someone gives you a game CD for Windows in the parking lot? That’s right, you insert the disk into the Windows PC on your desk in the office and give the game a spin. In this case, the software on the CD was a keylogger and screen capture program that used outbound FTP to send data to FTP servers outside the network.
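As an added illustration (not code from the original post), a defender’s-side check for the exfiltration channel described above: it scans constructed firewall log lines for FTP sessions from internal workstations to external servers and totals the bytes sent per host. The log format and the use of the RFC 1918 ranges as the corporate address space are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post):
# "timestamp src dst proto dport bytes_out"
SAMPLE_LOGS = """\
2005-06-01T09:12:03 10.1.4.23 203.0.113.8 tcp 21 48213
2005-06-01T09:12:40 10.1.4.23 203.0.113.8 tcp 21 1048576
2005-06-01T09:13:01 10.1.4.55 10.1.2.9 tcp 21 2048
2005-06-01T09:14:10 10.1.4.23 198.51.100.77 tcp 443 5120
2005-06-01T09:15:22 10.1.7.80 203.0.113.8 tcp 21 73000
"""

# Assumed corporate address space: the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}  # FTP data and control ports

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}

def find_outbound_ftp(lines):
    """Per-source totals for FTP flows from internal hosts to external servers."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "servers": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] not in FTP_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # internal-to-internal transfers are out of scope here
        h = hits[rec["src"]]
        h["flows"] += 1
        h["bytes"] += rec["bytes"]
        h["servers"].add(rec["dst"])
    return dict(hits)

def hosts_over_threshold(hits, min_bytes):
    """Sources that pushed at least min_bytes to external FTP servers."""
    return sorted(src for src, h in hits.items() if h["bytes"] >= min_bytes)

if __name__ == "__main__":
    hits = find_outbound_ftp(SAMPLE_LOGS.splitlines())
    for src in hosts_over_threshold(hits, 64 * 1024):
        print(src, hits[src])
```

A real deployment would feed this from the firewall or proxy logs and tune the byte threshold to the workstation baseline; unexpected outbound FTP from a desktop is the signal, whatever the volume.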
Back at the IT ranch, they are talking about IT alignment and IT Governance.
“IT alignment helps enterprises achieve and sustain long-term success through value delivery to stakeholders,” said ITGI (IT Governance Institute) trustee Paul Williams. “To succeed in aligning the business and IT, the CEO and board need to be involved and committed.”
Dilbert could not have said it better.
For more about crossing the security and compliance chasm – read the excellent article on the Control Policy Group blog on the organizational politics of security and compliance.