Quality Management 2.0 Blog

Cyber Security and Threat Assessment for Risk Assessment

Posted by Mary McAtee on Jan 22, 2015 @ 09:00 AM

One of the positive peripheral results of the flurry of reactions to the movie “The Interview” was a short-lived media focus on cyber-terrorism. Recognition of cyber-attacks has been slow to evolve but is gaining traction. In the last major threat assessment document prepared during the final year of the Bush Administration, the term “cyber threat” was mentioned by name fewer than ten times. Last year’s assessment, prepared by the Obama Administration, mentioned cyber terrorism fewer than 100 times. The joint intelligence threat assessment just released mentions cyber terrorism more than 1,000 times. C-SPAN recently televised the briefing to the House Intelligence Committee by the NSA and CIA. As redacted as I am sure it was, it was still chilling. Malware (most likely introduced by China years ago) has been identified in several locations in the infrastructure for the nation’s power grid and water purification and delivery systems. While this specific threat has been neutralized, the idea of a foreign government or other group planting a latent threat that can be activated whenever the mood strikes is very unsettling. These are not simple, annoying denial-of-service attacks. One municipal power generation facility cooperated with the NSA and permitted activating the malware on one turbine generator control system. Once activated, the program took control of the turbine and forced it to run outside its safe operating limits until it destroyed itself. One can easily imagine the impact on a major city and the entire economy if this or a similar incident were to happen.

The breach at Sony should raise the hair on the back of the neck of CIOs everywhere. The deluge of project plans and intellectual property that was released was devastating. To add insult to injury, the contents of hundreds of emails were also released. They contained less-than-professional discussions and opinions that the senders felt confident would never see the light of day.

No one should feel safe or invulnerable because they believe their network and communications are secure and private. A disgruntled employee or an unscrupulous competitor can do harm that proves very difficult to contain and mitigate. Imagine your entire sales pipeline, quotations, customer list and development information in the hands of someone with ill intent.

This concern extends to your customers and suppliers as well. Issues become exponentially more difficult to contain the further removed they are from your direct control. Some common-sense approaches to avoiding cyber-breaches include:

  • Train all your users in secure data best practice:
    • Don’t open links in emails from sources you don’t trust. Trusted does not mean jokes and YouTube links from your brother-in-law.
    • Train employees on browser settings, or better yet have IT enforce them, including which sites employees can’t visit and how spam filters should be set.
    • Use anti-virus software and be sure definitions are current. Threats evolve every day.
    • Treat communications and file transfers with care, no matter the source.
    • Exercise caution with flash drives used by your employees and visitors.
    • Use good judgment when accessing public Wi-Fi and hotspots.

Companies should also have robust disaster recovery and backup protocols. Follow something meaningful in the way of process. Example:

  • Daily backups.
  • Weekly backups stored off-site. If you can’t afford a weekly off-site or cloud-based service, at least move the media off-site to a secure place, such as a sister facility.
  • Send monthly backups of financials and other important data to a secure storage facility whose primary business is secure data storage.
  • Periodically restore from a backup to confirm that the media are readable and the data complete; a backup that has never been restored is an untested backup.
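As an added illustration (not part of the original post), the daily/weekly/monthly schedule above can be expressed as a small grandfather-father-son retention selector. The Python below is example code, not a tool from the blog or from IBS: given the dates on which backups were taken, it picks which copies to keep at the daily (on-site), weekly (off-site) and monthly (storage provider) tiers, which copies can be expired, and flags any tier whose newest copy is older than its schedule allows, which is how you notice that the off-site copy quietly stopped being refreshed. The retention counts, the maximum-age limits and the sample dates are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Retention counts are assumptions for illustration, not figures from the post.
KEEP_DAILY = 7      # on-site
KEEP_WEEKLY = 4     # off-site (sister facility or cloud service)
KEEP_MONTHLY = 12   # secure storage provider

# Maximum age, in days, of the newest copy in each tier before the tier is
# considered stale (also an assumption: roughly one schedule interval).
MAX_AGE_DAYS = {"daily": 1, "weekly": 7, "monthly": 31}


def classify_backups(snapshots, keep_daily=KEEP_DAILY, keep_weekly=KEEP_WEEKLY,
                     keep_monthly=KEEP_MONTHLY):
    """Assign backup dates to retention tiers.

    Returns a dict with the dates to keep at each tier (newest first) and the
    dates that no tier claims and which can therefore be expired.  A date may
    appear in more than one tier; the newest backup is usually the daily,
    weekly and monthly copy at once.
    """
    snaps = sorted(set(snapshots), reverse=True)   # newest first, duplicates dropped

    daily = snaps[:keep_daily]

    # One copy per ISO week: because snaps is newest-first, the first date seen
    # for a given (year, week) key is the last backup taken in that week.
    latest_in_week = {}
    for d in snaps:
        latest_in_week.setdefault(d.isocalendar()[:2], d)
    weekly = sorted(latest_in_week.values(), reverse=True)[:keep_weekly]

    # One copy per calendar month, same idea.
    latest_in_month = {}
    for d in snaps:
        latest_in_month.setdefault((d.year, d.month), d)
    monthly = sorted(latest_in_month.values(), reverse=True)[:keep_monthly]

    keep = set(daily) | set(weekly) | set(monthly)
    expire = [d for d in snaps if d not in keep]
    return {"daily": daily, "weekly": weekly, "monthly": monthly, "expire": expire}


def stale_tiers(plan, today, max_age_days=None):
    """Return the tiers whose newest retained copy is older than allowed.

    A tier with no copies at all is also reported as stale.
    """
    limits = MAX_AGE_DAYS if max_age_days is None else max_age_days
    stale = []
    for tier, limit in limits.items():
        dates = plan.get(tier, [])
        if not dates or (today - dates[0]).days > limit:
            stale.append(tier)
    return stale


def daily_snapshots(first, last):
    """Constructed sample input: one backup per day from first to last inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


if __name__ == "__main__":
    # Constructed example: a backup was taken every day of January 2015 so far.
    today = date(2015, 1, 22)
    plan = classify_backups(daily_snapshots(date(2015, 1, 1), today))
    for tier in ("daily", "weekly", "monthly", "expire"):
        print(f"{tier:8s} {[d.isoformat() for d in plan[tier]]}")
    print("stale tiers as of", today, "->", stale_tiers(plan, today))
    # If the backup job silently stopped, the check catches it two weeks later.
    print("stale tiers as of 2015-02-05 ->", stale_tiers(plan, date(2015, 2, 5)))
```

Run it as-is to see the plan for the constructed January 2015 dates: seven daily copies, one copy per ISO week going back four weeks, one monthly copy, and thirteen dates that can be expired. The stale check is the piece worth scheduling for real: run it against the inventory of the off-site location, not the on-site one, so it reports on the copies that would actually survive a fire or a ransomware event at the primary facility.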

In the good old days, if you had a decent intrusion and fire alarm system in your facility and a security guard doing a drive-by or walking the grounds, you could sleep like a baby. We find ourselves in a very different and dangerous world today. People continents away who are bent on theft, destruction and disruption of your business, and of the larger environment in which it operates, seem to have the cards stacked in their favor. A healthy business needs to be a visible and active member of the internet and social media community. It will become increasingly challenging to balance your public persona and access against thwarting determined people who want to damage your business and your reputation. I am confident bright people will develop protective tools as fast as the bad guys find a crack in the armor or an open virtual door or window. While all of this is being sorted out, all you can do is be alert, prepared, on the defensive and resigned to dealing with the fall-out of short-term incidents. In summary:

  • Risk assessment: quantify risk, then apply and communicate controls.
  • Develop contingency plans for the primary disruptions your business could face.
  • Train your people to work in a 21st-century work environment safely and effectively.
  • Open the lines of communication concerning cyber security with your customers, suppliers and local law enforcement.

As the late President Reagan often said, “In God we trust, all others we verify.”


Topics: Risk Assessment & Analysis
