The designation of CSO — chief security officer — is already becoming a reality in the wake of the Sept. 11 terrorist attacks in the United States, a security consultant says.
James Cavanagh, global telecommunications consultant with The Consultant Registry, says that threats and risk to IT security can be both very obvious and subtle, as can the impact of events that are the result of bad network security.
Cavanagh was in Toronto Thursday as part of a road show sponsored by Telus Corp., and says the most obvious effects of poor security on an organization are financial loss and a loss of productivity. Those losses are very easy to quantify. More indirect effects of a security breach can be lost business opportunities, loss of brand value and reputation, and even loss of stock value.
Additional losses can include legal liability. Even if your own system did not suffer any damage, says Cavanagh, you can be held liable for your system being used as a launching pad for an attack on another organization.
But most importantly, it can irrevocably damage trust, says Cavanagh. “Trust is something that has a technical definition and a non-technical definition,” he said.
On a technical level, trust can mean which applications and/or users are allowed to access certain parts of the network (i.e. trusted applications), but trust is also what people, whether users, customers or partners, put into a network infrastructure or the organization.
After the devastating attacks on the U.S. last week, “We’re really feeling a sudden breach of trust,” says Cavanagh.
“National security is rarely compromised all at once,” he added. Often security breaches are taking place a bit at a time.
One of the concerns voiced immediately after the toppling of the World Trade Center towers in New York and the attack on the Pentagon was the possibility that terrorists may have come through Canada to the U.S.
According to Cavanagh, Canada has a very good reputation in the world when it comes to IT security. In fact, recently enacted federal legislation regarding privacy in the Internet age has been praised by the European Union, says Cavanagh. They’ve even taken some of the wording for their own legislation.
As for Canada being a haven for cyber terrorism, he says, “I can’t think of a country that hasn’t been called a hotbed of cyber terrorism. This is a global problem.”
Of course the most high-profile threats to IT security are hackers, and their motives and abilities can differ. At the lower end of the hacker pyramid, says Cavanagh, is the novice, often known as “script kiddies”, because while they are very computer savvy, they are often using tools developed by other, more experienced hackers, to plague Web sites with denial-of-service attacks.
Above them are the intermediate hackers, says Cavanagh. Intermediates tend to be professionals and use script kiddies as a cover. At the very top of the ladder are the elite, who are very careful not to attract undue attention to themselves, unlike young amateur hackers, who have a tendency to gloat. Canada’s own Mafia Boy was caught because he bragged to someone online who he thought was a 16-year-old girl, not an agent for the FBI.
To come up with a successful IT security strategy, Cavanagh says companies have to do a risk assessment, and every organization has different needs and vulnerabilities. “We need to do the job before the event happens.”
Some risks are common to particular industries, so companies should talk to each other, says Cavanagh. Common sources of risk are competing businesses, espionage, idealists and extremists, but at the end of the day, there are always going to be some unknowns: “We don’t know and we have no way of finding out.”