Are top executives getting a pass on cyber security responsibility? Eric Anderholm, CEO of Sergeant Laboratories, a cyber security firm, believes so. He notes that when the CIO is asked what happened after a breach, the answer is usually, "We don't know." Anderholm adds that this answer is often viewed as acceptable, particularly when the CEO is loath to admit that he or she wouldn't understand the clear answer.
Anderholm is convinced that corporate leaders won't be able to get a grip on cyber security until they start to view it as any other security. They certainly wouldn't accept "we don't know who they are" if the breach were a physical intrusion. "When there's a breach most people don't know how it happened, so it's easy to lay blame on some nefarious overseas government, but the breach usually occurs because the organization has weak security," Anderholm told Design News.
When Anderholm visits with a new client, he is continually surprised by the lack of knowledge corporate leaders have about the status of their data. "They don't even know how many machines they have running," he said. "When we hear about 'an attack from overseas,' we're skeptical. We believe it's their weak security, even though they always think it's someone else's fault."
As an example of weak security -- as opposed to brilliant hackers -- Anderholm points to the National Security Agency's experience with Edward Snowden. Anderholm says it should have been easy to spot Snowden as a spy. "The NSA should have been monitoring their data. Snowden was acquiring 10 to 20 megabytes a day, and if they had been watching their data, they would have seen the terabytes of data getting downloaded from outside," said Anderholm. "They should have seen this happening when terabytes of data were being collected by someone who wasn't a data analyst."
Security clearances for data
Anderholm believes corporations could develop security clearances for cyber data much like the security clearances for sensitive information on paper. "The government has been using security clearances since World War II. Organizations now have to look at their data and determine what data is important, what data would create a profound risk if it were released," said Anderholm. "You have to know where your data is sitting, where it's going, and who has access to it."
Anderholm likens the process of protecting data to auditing. "You have to know who's been touching this data, who's been using it, and whether that use is appropriate," he said. "The people on the network have a lot of important data, and everyone forgets about the data. They have no idea that substantive data is just sitting there. That's a problem. The first step to protecting it is to stop blaming people from overseas."
Anderholm believes effective cyber security requires a shift in perception. "Data is getting managed like it's bolted down. The IT department needs to manage it like accounting and ask these questions: Where's the data? How many devices do I have? Who's touching the data? When was the last time it was audited, and how do I know what I hear is real?" he said. "Companies that ask those questions will have a competitive advantage because they won't experience breaches."
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine, Chile Pepper.