Throughout this program I have learned there are many aspects to protecting information. One of the main keys to protecting information begins with employees. When employees understand the importance of their actions and why the company has created security policies this will help to create an environment that is aware of potential consequences.
This means that companies have to create a culture of security. By creating a culture of security all employees are taught to understand the importance of following security protocols. They should be aware that company security is more than just the information online, it is also the trash they throw away, the caller on the telephone who asks questions about the company's software or other seemingly innocent questions and the unannounced copy repair man. Anything out of the ordinary employees should report to the supervisor or head of security immediately.
One of the most difficult aspects of cybersecurity is convincing a company why the protection is necessary. Unfortunately, many organizations see cybersecurity as a black hole for spending company funds that they feel would better benefit other areas. The reason for this is because having adequately protected companies means there are no or few attacks. Without any attack it seems as though it is not necessary. When a cyberattack does occur, the first to get blamed is the security team; even when they had presented the information as to why increased security was necessary to prevent this type of attack, but they were told it was not necessary. Those presenting their findings for security necessities must use data from other, similar organizations who suffered such an attack and present how the company was affected by the attack as well as how much it cost the company.
During this term for Cybersecurity 650, I learned the necessary steps to identify security threats/vulnerabilities as well as making recommendations to mitigate these issues. The security assessment needs to be thorough, focusing on critical assets and potential threats or vulnerabilities they may face. When determining these it is important to focus on protecting the critical assets from realistic threats. These could include cyberattacks, weather events relevant to the area such as tornadoes, floods, hurricanes, etc., and attacks on areas that may vary from company to company. These factors are important to keep in mind when evaluating a company's security. For healthcare organizations they not only have to secure patient data, but also have to be in compliance with state and federal laws by how they are securing the information. At the end of the recommendations it is up to the company to do what is in the best interest for their customers, shareholders, and company as stated in their mission statement.
Thursday, August 7, 2014
Increased Security Threats to Power Grids
Companies need to keep evolving as technology keeps changing. Sometimes they can keep up with the technological advances and other times they cannot. When it comes to America's energy providers, people often think they have been able to keep up with the technological advancements and are adequately keeping the energy sectors secure. Unfortunately, this is not the case for many of America's energy providers.
Many of our electrical grids are not prepared to stop a hacker from gaining access to them and creating chaos for major cities. If the electrical grid is shut down it will affect more than just the power to a city. Should it be a national city like DC that becomes attacked, it could affect national security. Due to the significant nature of such an attack, congress has proposed to increase security measures for critical infrastructures. In addition to this they want increased sharing from all government agencies as well as the public sectors about cyber security threats and attacks that were stopped.
This information sharing is in the best interest for all involved as it can help prevent attacks. It is most beneficial to the public sector as they do not have the financial resources that the private sectors have to research and stop cyber security threats. The problem with information sharing is that many businesses are afraid they will be violating privacy laws by disclosing customer information when they are sharing their information with the government. In April the Federal Trade Commission and the Justice Department announced that companies would not be violating antitrust laws by sharing cyber threat information.
Causing chaos by attack the power grid in the United States could be a low cost attack by a foreign country or a state sponsored hacker. Cyber attacks can leverage the playing field for countries who do not have the resources to wage a different type of attack. Cyber attacks also offer the attacker some anonymity until the origination of the cyber attack can be determined. This makes the matter become increasingly important as it is no longer just a matter of someone physically shutting down power at the power grid, but attackers from anywhere in the world being able to shut it down.
Harris, S. (2014, July 15). U.S. Electrical Grid
Vulnerable to Cyberthreats and Physical Attack, Study Finds. Retrieved Aug
3, 2014, from Foreign Policy:
http://complex.foreignpolicy.com/posts/2014/07/15/us_electrical_grid_vulnerable_to_cyber_threats_and_physical_attack_study_finds
Subscribe to:
Posts (Atom)