In the current business world, we see two major categories of businesses that use security
measures extensively. Firstly, businesses that generate revenue by developing new products and
services for consumers or other businesses; their intellectual property and trade secrets are the
greatest assets that need to be protected. For example, an electronic device manufacturer such as
Apple needs to keep the designs of the upcoming iPhone or MacBook secret from competitors, and a
service-based company needs to prevent theft of the unique architectural design of an enterprise
application built for a high-paying client.
Secondly, businesses that generate revenue by providing platforms or services used directly by
consumers; for them, the identities, individual assets and information of their customers are the
main information asset that needs to be secured. Examples are banks, digital wallet companies and
retailers that accept electronic payments and store card information that is prone to theft. Social
media also belongs here: it is a big thing today for businesses, organizations and even political
bodies who wish to connect with their audiences and expand. The recent incident in India in which
the opposition party leader's Twitter account was hacked attracted a great deal of media attention
and investigation. Email service providers like Google, and Twitter itself, have been at the center
of investigations in such incidents, which is not common at all. News source: Times of India.
The New York Stock Exchange has been a target of cyber attacks several times, leading to great
losses for traders and investors. The same is the case with the NSE and BSE in India. No serious
measures have been taken against the hackers, although manipulating stock prices or using
algorithmic or high-frequency trading software to create abnormal trends is an economic crime.
This article describes the various types of attacks on stock markets:
https://www.infosecurity-magazine.com/magazine-features/financial-markets-a-playground-for/
Apart from these, there are businesses that operate with great investments and capital but are not
that vulnerable to information theft. For example, oil companies might want to keep their next
project plans secret, but those plans are not exposed to an amateur hacker operating online. Small
businesses are also not too prone to major cyber attacks.
In both of the identified business types, the asset is in some form stored or communicated through
electronic means, which makes it vulnerable to theft or breach. In both types there have been
instances where, apart from expert or amateur hackers, the theft was orchestrated by an employee
for known or unknown reasons. It is easy to trouble an organization that is highly sensitive to its
reputation with customers: someone who manages to steal financial information through security
loopholes known to him can easily destroy the company's reputation. Likewise, an employee who
develops or receives documents containing high-level or low-level designs might want to sell them
to competitors or other companies for money.
Policies can be implemented at various levels to keep a check on what an employee receives and
sends over the company network. But since the electronic devices used by employees handling
digital information are now completely mobile and can be carried outside the premises, it becomes
the organization's own responsibility to install software on those devices that will track the
activities of the employee using them, before the device is handed over. Apart from having a
firewall and antivirus software on every device, it is also important to log the user's actions and
the ISP details the employee uses to connect the company device.
So we can divide the electronic asset protection strategy into two parts:
1. Internal threat recognition, measures & policies.
2. External threat recognition, measures & policies.
Cyber security is a fast-growing area in the digital world, and many companies have dedicated teams
and committees that manage and implement security at various levels. Most companies have policies
that prevent employees from sending business-critical information in an unsecured manner.
So, in my view, the most critical information security policies should be around storing and sharing.
But if I had to propose policies to a boss dedicated to this purpose, I would list the following:
1. For internal threats:
i. Human resource policy: Interviewing prospective employees, especially managers and technical
leaders, in a way that reflects their honesty and integrity, for which no specific infosec policy
can be formulated. Their background should be checked not just by HR but also with past
managers and senior managers, right up to those who managed them indirectly. These are the
people who can do maximum damage to the company and to other employees through their
influence and technical skills if they do not get what they demand.
ii. Asset management policy: Device management and technical policies to keep up to date with
the latest anti-malware and anti-spyware software, network configurations, and limits on network
usage and mailbox sizes. Apart from this, tracking all data exchanges from the employee's device
is also necessary, including copying data to an external storage device.
iii. Authentication policy: This might include continuous authentication, with the employee's
knowledge, at all points while connecting to the company network or employee portals.
iv. Human resource policy: Last, but one of the most neglected, is the termination and
prosecution policy for employees caught indulging in any kind of unlawful activity that might
harm the company. If no action is taken against an employee guilty of a crime, he might continue
that legacy at the next organization and pursue other ways of harming the company or his
colleagues.
2. For external threats:
i. Network security policy: Providing network access to trusted partners only.
ii. Account management policy: For tracking the number of accounts a customer maintains with
the company. There should be a limit on the number of credentials an individual or organization
uses to access the company's services. Similar-looking accounts should be tracked and alerts
raised for investigation; IP address and machine name can be used for this purpose.
iii. Authentication policy: Passwords are nowadays created and maintained in a way that makes
them difficult to crack, but keyloggers and other malicious software installed on the customer's
or client's computer can steal those credentials. Hence, continuous authentication or surprise
authentication processes should be in place to make sure the intended party is the one logged in.
iv. Risk management and backup & recovery policy: To guard against any planned attack that
hacks and corrupts the data stored in data centers and on servers, the data management team,
along with the security team, should formulate a policy for a routine or triggered backup process
that stores the information securely in a secured data repository or server.
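As an added illustration of the account management policy in item 2.ii above (example code written for this page, not part of the original essay), the following Python script applies the three checks that policy describes to a constructed set of account records: a per-owner credential limit, a limit on how many distinct customers share one IP address and machine name, and detection of similar-looking usernames registered to different owners. All limits, thresholds and sample records are assumed values.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample of customer account records (not real data).
ACCOUNTS = [
    {"user": "rahul.sharma",  "owner": "cust-001", "ip": "203.0.113.10", "machine": "DESKTOP-A1"},
    {"user": "rahul_sharma1", "owner": "cust-002", "ip": "203.0.113.10", "machine": "DESKTOP-A1"},
    {"user": "rahulsharma2",  "owner": "cust-003", "ip": "203.0.113.10", "machine": "DESKTOP-A1"},
    {"user": "rahu1.sharma",  "owner": "cust-004", "ip": "203.0.113.10", "machine": "DESKTOP-A1"},
    {"user": "priya.k",       "owner": "cust-005", "ip": "198.51.100.7", "machine": "LAPTOP-P"},
    {"user": "priya.k.2",     "owner": "cust-005", "ip": "198.51.100.7", "machine": "LAPTOP-P"},
]
MAX_ACCOUNTS_PER_OWNER = 1    # assumed policy limit per individual/organization
MAX_OWNERS_PER_ENDPOINT = 2   # assumed limit on distinct customers sharing one IP + machine
NAME_SIMILARITY = 0.85        # assumed threshold for "similar-looking" usernames

def normalize(user):
    """Strip digits and punctuation so 'rahul_sharma1' and 'rahul.sharma' compare equal."""
    return re.sub(r"[^a-z]", "", user.lower())

def owners_over_limit(records, limit=MAX_ACCOUNTS_PER_OWNER):
    counts = defaultdict(int)
    for r in records:
        counts[r["owner"]] += 1
    return {o: n for o, n in counts.items() if n > limit}

def crowded_endpoints(records, limit=MAX_OWNERS_PER_ENDPOINT):
    owners = defaultdict(set)
    for r in records:
        owners[(r["ip"], r["machine"])].add(r["owner"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > limit}

def similar_usernames(records, threshold=NAME_SIMILARITY):
    # Only pairs with different owners are suspicious; one customer may hold several accounts.
    pairs = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if a["owner"] == b["owner"]:
                continue
            ratio = SequenceMatcher(None, normalize(a["user"]), normalize(b["user"])).ratio()
            if ratio >= threshold:
                pairs.append((a["user"], b["user"], round(ratio, 2)))
    return pairs

def alerts(records):
    out = [f"owner {o} has {n} accounts" for o, n in owners_over_limit(records).items()]
    out += [f"{ip}/{m} used by owners {o}" for (ip, m), o in crowded_endpoints(records).items()]
    out += [f"similar usernames {a} ~ {b} ({r})" for a, b, r in similar_usernames(records)]
    return out
```

Running `alerts(ACCOUNTS)` on the sample flags the owner with two accounts, the endpoint shared by four different customers, and the six near-identical username pairs for investigation.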
References:
1. My experience at past IT companies and the Indian stock market.
2. http://www.it.ufl.edu/policies/