I read an article recently in which the author was lamenting the “still-unstable and security-challenged [technology] world.” The threat to electronic data from cyber attacks is very real, and many say the threat is growing. Because technological advancements come at such a rapid rate, especially in the data security space, organizations must react just as rapidly, or else face the consequences. In other words, in the fast-evolving world of cyber threats, we do not have the luxury of waiting.
Many organizations are devoting more attention to an enterprise-wide approach for data security. The necessary first step in this process is to ask some questions in order to better understand your data flows, such as:
- How do we track what data is leaving our organization?
- How do we track what data is coming into our organization?
- How do we know who is really logging into our network, and from where?
- How do we limit the information we voluntarily make available to someone who could potentially pose a cyber threat?
- How are we storing data within our organizations?
Formulating answers to questions like these will help an organization truly understand the strengths and vulnerabilities (yes, you will find vulnerabilities; no system is perfect) of its data security measures. You need to examine everything—the equipment, the software, the network architecture, etc.
I urge you to resist the temptation to fall back on the old adage that says “if it ain’t broke, don’t fix it.” Why? The answer is provided by Ralph Langner, whom I will introduce in a moment:
Security is a function of the degree of control that is exercised on the given system and its environment. ‘Control’ is expressed in the various technical and procedural restrictions that are enforced to limit manipulation of industrial control and safety systems to what is planned. In a system-centric view, without looking at externalities like threats, the root problem of cyber insecurity and fragility is that more things can happen than planned—i.e., unintended consequence can result from unplanned and unfavorable, and even from planned and well-intended events.
Once you gain an understanding of your system for transmitting electronic data, you need to develop a comprehensive data security program. To devise your data security program, you could use the “risk management” approaches proposed by the federal government through its “Cybersecurity Framework.” Or you could use an alternative approach formulated by Ralph Langner.
Langner, who is best known for discovering how Stuxnet actually altered the logic in the Iranian nuclear program, contends that risk-based approaches to security are not based on empirical data: “Risk parameters are far from hard data that could be objectively measured (which is the simple reason why risk is assessed rather than measured).” This, according to Langner, often leads to flawed results:
The basic assumption embedded in … all risk formulae is that unknown future events of an unknown frequency, unknown duration, unknown intensity, from an unknown assailant, with unknown motivations, and unknown consequences are quantifiable. Consequently, if one thinks s/he can measure the risk, the mistaken conclusion is that one can manage the risk.
Langner doesn’t just criticize risk management approaches. He also offers his own approach, called the RIPE Framework, which is based on an organization establishing its “security capability” as a precondition to establishing “security assurance.” Take a read; it’s pretty interesting and insightful.
Finally, you should consider deploying secureXchange as part of your data security program. It allows you to monitor and track how data moves throughout your organization and trading partner community so you can effectively manage and protect it. To get more information about secureXchange, please send a confidential inquiry to firstname.lastname@example.org.