Friday, May 29, 2015

Cyber Security Economics

The management of many companies is missing some important opportunities in the area of cyber security, misses that could be avoided by applying some simple rules of economics. For example, one principle of economics is that the entry cost into a type of business plays an important role in determining who can enter into it. For hackers, the entry cost is quite low, so the system encourages them to enter the business of hacking. The answer is to raise the entry cost to prohibitive levels. This can be done by enhancing the difficulty of hacking the system, which means raising barriers to unauthorized entry.

That sounds simple and basic, but it requires a lot of planning. The big issue these days is that automation is pervading all aspects of the business, and security has not kept up with it. Many new systems do not include strong security measures and, because of the proliferation of different systems, they are certainly not integrated across the company. Risks also vary tremendously among these different systems.

Addressing this disparity requires high-level planning at the board and senior management levels. A mistake often made is to leave it to the IT department. That's a big mistake. It's a major strategic issue, not a technological one, and needs to be addressed as such. For more on this area, check out this link.

Tuesday, May 26, 2015

Post Snowden IT Security Practices

Two years ago, Edward Snowden, a former contractor with the US National Security Agency, revealed details of various government surveillance programs covering individuals and companies. The revelations had a big impact on the way people view IT-based functions like email and social media.

Nevertheless, research conducted by Pew Research indicates that a large portion of the public has heard little of Snowden, despite the huge publicity. (30% of adults had heard a lot about it, 56% had heard a little and 6% had heard nothing.) Those who have heard of it often did make changes in their behaviours regarding communications through IT-based media, but many more did not. (34% of the 30% made changes in their behaviours, such as reducing their use of social media and using email less.)

To quote the study, "One potential reason some have not changed their behaviors is that 54% believe it would be “somewhat” or “very” difficult to find tools and strategies that would help them be more private online and in using their cell phones. Still, notable numbers of citizens say they have not adopted or even considered some of the more commonly available tools that can be used to make online communications and activities more private:


  • 53% have not adopted or considered using a search engine that doesn’t keep track of a user’s search history and another 13% do not know about these tools.
  • 46% have not adopted or considered using email encryption programs such as Pretty Good Privacy (PGP) and another 31% do not know about such programs.
  • 43% have not adopted or considered adding privacy-enhancing browser plug-ins like DoNotTrackMe (now known as Blur) or Privacy Badger and another 31% do not know such plug-ins.
  • 41% have not adopted or considered using proxy servers that can help them avoid surveillance and another 33% do not know about this.
  • 40% have not adopted or considered using anonymity software such as Tor and another 39% do not know about what that is."

The study shows that there is a fairly significant lack of knowledge of the tools available to preserve privacy, something that could be remedied with educational and awareness programs.

For more on the Pew research, check out this link.

Wednesday, May 20, 2015

Security Reviews are Good Business

Amid growing concern about cybersecurity, many businesses have grown a patchwork of security systems that have become dysfunctional. The lack of effectiveness shows in the disparity of the systems and the consequent difficulty of managing them, as well as in their simple inability to deal with security threats on a comprehensive basis. Businesses in such a position can lull themselves into an unwarranted sense of security.

The solution lies in taking an organized, planned and enterprise-wide approach to security, developing systems that complement each other and ideally have a commonality in their management requirements. Security reviews by a professional can be money well spent in these cases. For one perspective on this important area, check out this link.