Odds are, your company is committing this fundamental IT 'crime'

No one should be surprised Panamanian law firm Mossack Fonseca was a recent target of hackers. Hackers want sensitive data, whether it’s engineering drawings, customer credit card data, or — in the case of the Panama Papers — the financial secrets of wealthy international clients.

Given Mossack Fonseca’s obvious appeal to hackers, how is it possible that the firm’s information technology department failed at so basic a level to protect its data?

I suspect the same two reasons many businesses in Madison and throughout Wisconsin fail to protect themselves from modern threats: First, complacency about keeping software up to date. Second, too little focus on point-of-use security measures (that is, end-point protection as opposed to perimeter security such as firewalls).

How could Mossack Fonseca’s IT department be so complacent as to run versions of WordPress and Drupal, two popular open-source platforms for web content management, that had known security vulnerabilities for as long as two years?

Extending that question further, why are businesses so commonly complacent about updates? I think it’s a persistent symptom of the “Does IT matter?” malaise that affected a portion of the IT industry in the years following the dot-com crash. Specifically, certain new topics — especially ones with their own memes, such as “Big Data” — get attention and budget dollars, whereas core infrastructure and operating system updates — that is, the basic blocking and tackling of IT operations — get short shrift.

Often IT leaders know this. They lament they can’t get the budget to update old software that won’t run on modern operating systems — as a result, they just don’t update the operating system. They worry their way through building out new mobile capabilities for employees to check email from any device, anywhere, knowing the increased risks but unable to address them with modern tools. A prime example of the tension between user access and IT control is the impetus for Hillary Clinton’s basement email server — according to news reports, her unwillingness to use anything but the BlackBerry smartphone to which she had grown accustomed.

Sometimes, apart from these inherent tensions, IT leaders fall into traps of their own making. They know they’re running effective perimeter security measures — such as firewalls and even new automated threat detection and prevention devices — and think that makes them safe. The problem is that hackers adapt, too. It’s now very difficult for hackers to get network access without masquerading as legitimate users. So, of course, they focus their energies on getting legitimate credentials and then building up their access rights once inside. That’s what happened to Target, Home Depot, and others.



Physical security is essential but not adequate, all the more so as the very concept of “perimeter” gets erased: employees connect from anywhere, systems are intertwined with vendors, and vital data is moved to cloud storage for the greatly enhanced security large, focused vendors can offer. The reality of the modern organization is interconnectedness. That means every point at which humans interact with the network must be kept secure — every computer, phone, machine controller, medical device, and many more.

All these network endpoints can be secured only by ensuring their use is legitimate. Endpoint protection requires modern identity and access software tools, working at the operating system level, to ensure users are who they say they are.

Putting endpoint protection in place requires up-to-date operating systems and a willingness to effectively address IT service management — the formal methods and processes of properly managing IT. It’s harder work than putting a new network security device in place. It’s also often harder for senior management to understand the need and sponsor the projects long enough to realize their value.

For example, the word “firewall” has an intuitive resonance; probably no senior executive would question the need for one. But not everyone knows that identity verification is usually the most pressing vulnerability. It’s a murkier sounding subject and it involves software, about which executives sometimes say, “Oh, we can keep getting along with what we’re using now, can’t we?”

But operating system updates are not an area for delay or cutting corners. Unfortunately, in my experience, a typical company is two to three iterations behind on operating system updates for personal computers and servers, often because of legacy software incompatibilities. That means loss of sensitive information to malicious parties. Would you try to run a car indefinitely without changing the tires? Would you hold off replacing the car even when the seats are rusting through the floor?

The answer to “Does IT matter?” is yes. Complacency about the basics costs businesses money and sometimes their reputations. Only with modern tools and modern service management processes can organizations protect themselves against modern threats. That means network security as well as endpoint security — both managed with a rigorous IT service management framework.

James Savage is founder and president of Concurrency Inc.
