TORONTO – With 294 billion emails being sent per day (an untold number being spam, phishing attempts, or loaded with malicious software), it’s not surprising that cyber security is at the top of the list of priorities for most companies.
In order to help its business clients understand the nature of the threats – so that they can protect their most sensitive data and employees from those who would do them harm, all the while keeping systems accessible enough to take advantage of the opportunities borne by having open access to the Internet – Telus hosted a cyber security event this week at its Toronto head office. The morning’s featured speaker was Melissa Hathaway, the former cyber security head under both the Obama and Bush Administrations in the U.S. The event was tied to the Telus/Rotman School of Management annual Joint Study on IT Security Concerns in Canada, the latest of which will be released in January.
Hathaway told the business leaders that there is no turning away from the push online by everyone and everything, noting that new ideas and lucrative businesses continue to spring up thanks to our digital world. For example, she said text messaging traffic now generates $812,000 in revenue per minute around the world, where a decade ago, that was not even a business.
With devices galore and Wi-Fi becoming more and more ubiquitous, “the world is increasingly in the palms of your hands,” she said. While that’s great for consumers and businesses alike, it’s also fertile ground for organized crime since policies and protections are not yet worked out in many areas. For example, if a company allows employees to bring their own device into the work environment (as many now do) and there is a security breach of some sort, “who is responsible?” she said. “We have not really thought all the way through the complicated nature of that ICT adoption.”
Attacks on businesses and government can come from various sources: through insiders (mostly unwitting ones), through direct or indirect attacks via the internet, through the supply chain and so on – all with the goal of theft of information or money, or in some cases just to cause mischief, like denial of service attacks (which cost millions in lost productivity).
Hathaway presented a number of case studies where the crooks would, for example, leave USB keys with malicious software lying around, just waiting for them to be plugged into company or government computers and then send back the data they want to steal, unbeknownst to the users, until it’s too late. Another case study noted how criminals could hack into unprotected Wi-Fi networks to take what they want from businesses – and even businesses connected to the initial one attacked. So, she cautioned attendees on what they might be doing on all those free coffee shop Wi-Fi connections.
What’s at stake? Plenty. The reputation of your brand, customer confidence, growth, morale, competitiveness, time to market for products, price points, quality of service, and so on can all be severely damaged when companies are attacked. Thousands of man-hours and millions of dollars are spent tracking and isolating breaches and implementing new policies and new protective technology and educating workers to make sure it doesn’t happen again. Plus, if consumer data is compromised, lawsuits can be expected, too, and those aren’t cheap to settle, noted Hathaway.
Despite all the threats, “we cannot afford to opt out of Internet participation,” she said, insisting that security must be baked into all company policies and systems architecture so that it is there from design, to manufacture, integration, distribution, operation, maintenance and even retirement of technology and employees. Education must also be constant. If that happens, then threats can be more easily identified and neutralized.
At Telus itself, security is taken very seriously, but it’s a balance, said Telus Security Solutions director of sales, Warren Harvey. “I would suggest that we have quite a liberal policy as it relates to both mobile device utilization as well as access to other forms of communications such as social networking,” he said. The key is to constantly educate, to make Telus employees understand the risks and threats out there – while letting them take advantage of the productivity gains and morale boosts that can come through better, easier communications using devices and apps they really like.
Being able to bring your own device into the workplace and use social media isn’t just about growing sales and improving client-facing operations, “it’s also about attracting a new generation of staff member and employee. They expect it. They demand it and it really does make a difference in terms of how the enterprise is viewed,” said Harvey.
His job, he added, is to convince people that good security can be an enabler. Only thinking of it in terms of defense and protection from risk, “about vulnerability, about threat, can actually cause your business to decelerate,” he noted. If people accept security and follow through on policies and protections, businesses can run at a high, safe speed.
The biggest wild card when it comes to corporate cyber security is people and the decisions they make. Other companies, said Harvey, are telling him they “need to spend a lot of time in people education, policy education,” which is something Telus does already – and it has begun to take that outside the company, too, offering a service called Telus Wise to its clients. Harvey says Telus will visit its corporate clients to extol the virtues of an educated workforce always being aware that perhaps downloading that third-party app to your phone or using a USB drive found at a conference might not be a good idea.
“We recognize the importance of education as it relates specifically to IT security and we’re taking it to our customers as well,” he added.