Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyber Security Should Be Expanded To Departments Other Than IT: CII-KPMG (www.bgr.in)

Posted by msmash on from the better-measures dept.

An anonymous reader shares a BGR report: Cyber threats today are no longer restricted to a company's communications and IT domains, calling for more than just technical controls to avert attacks and protect the business from future risks and breaches, a new report said. According to the joint report of the Confederation of Indian Industry (CII) and KPMG, cyber security today embraces multiple units of an organization like human resource, supply chain, administration and infrastructure. It, therefore, requires governance at the highest levels. "It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust," said Richard Rekhy, Chief Executive Officer, KPMG, India.

20 of 38 comments (clear)

  1. Yes and no by Chas · · Score: 3, Insightful

    Do I agree that other departments need training in security?

    HELL THE FUCK YES! The nastiest hole in most security systems are the stupid meatbags being stupid on their computers.

    Do I think that there should be SOME input back from these other departments too? Sure. But in a healthy organization, this is already the case.

    Do I think that these departments should be given policy and decision making powers over security policy?

    HELL THE FUCK NO! That's like putting a blind and deaf sheep that's considered stupid (even by sheep standards) in charge of a flock in an unfenced field in wolf country.

    In short, while feedback is welcome, and good ideas are always welcome, managerial control isn't. Because it's not their job.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re: Yes and no by Anonymous Coward · · Score: 1

      I have had to walk across the faciity to read a user's email to them. The reason: "it said URL so it is too complicated." We expect users like this to comprehend security? I dont expect them to get past the first word. It had sec-something in it. It is too complicated.

    2. Re:Yes and no by lgw · · Score: 2

      It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust

      Wow, buzzword bingo in a single quote. Where's Weird Al when you need him? Right here!

      This consultant must have been toning it down though. I would have a expected a "proven methodology" and "commitment to quality" in there somewhere, and maybe a "seamless integration" too.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Ignorance shouldn't be an excuse. by jellomizer · · Score: 3, Informative

    The biggest problem in IT Security, is all the decision (those people outside of IT) claim ignorance, as those IT guys just talk techno babble.

    So when there is legitimate problems, they just ignore IT and tell them to fix it. Vs. trying to take some time to learn about the problem and see if there are other solutions than just a computer fix.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Ignorance shouldn't be an excuse. by houghi · · Score: 1

      And how many IT directors say "We can't fix it!"? Not that many, because they all say "We have found a new way and we implement that." and all the while they forget the weakest part: humans.
      And no, you can't just upgrade them as if they were a machine with not enough memory. You have to work with what is give to you and make it work.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Ignorance shouldn't be an excuse. by tnk1 · · Score: 3, Insightful

      Yes. You can employ all the latest technical tricks and safeguards and the HR assistant is still going to send a list of all of your social security numbers to a "hacker" due to a badly formatted email that purports to be from the CEO. The number of times that outside parties simply pretend to be someone else and demand sensitive data to be sent to them, and it *works* is absurdly high. This is because people aren't trained and more to the point, have not been told that security is not their responsibility nor their manager's.

      I agree that the Information Security group (NOT the IT department, unless you're too small for an IS group) should be crafting policy and training, and they should accept feedback about their efforts from the other groups, but ultimately they should not be overruled on InfoSec rules by the other departments unless there is executive sign off *in writing* to exceptions.

    3. Re:Ignorance shouldn't be an excuse. by Archangel+Michael · · Score: 1

      claim ignorance

      Security is mostly / always at the cost of convenience, and often costs money budgets don't have (until it is too late).

      I know that in our organization, security is always an afterthought, even though we in IT try to make it a priority. Decisions made by people who are ignorant are almost always wrong (broken clocks being right twice a day), because they are almost always based on convenience over security.

      And when the inevitable security problems come up, they expect IT to fix them, without compromising all their stupid decisions along the way.

      When ever someone makes a REALLY stupid suggestion (easily guessed passwords), I try to put it into terms they can understand ... "Why not set everyone's password to the exact same thing, that way when someone forgets their password, their neighbor can tell it to them! CONVENIENT!!!"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Ignorance shouldn't be an excuse. by Bob+the+Super+Hamste · · Score: 1

      This about sums it up.

      --
      Time to offend someone
    5. Re:Ignorance shouldn't be an excuse. by pla · · Score: 1

      With SMBC, you always need to mention SFW (for the half-dozen or so that qualify) or not.

    6. Re:Ignorance shouldn't be an excuse. by chris_osulliva · · Score: 1

      but IT could stop the HR assistant from emailing SSNs by scanning outgoing email. the login/password reset interface is probably the weekest link.

  3. Technical solutions for social probs don't work by houghi · · Score: 1

    Security was; is and never will be a technical solution for just IT. From the beginning it was clear that most of it was social enginering. Security is more a mindset.
    As many went through IT related ways (computers), the IT departments told us over and over again that they would take care of it with more and more technical solutions.

    We are all aware that technical solutions for social problems don't work. People will write down their passwords, because they have too many. People will tell them to somebody who says he is from IT. People will do things, because they are afraid their boss will yell at them if they don't. They palm people into buildings. And all because they have no idea why it is so dangerous.

    People are not even interested in protecting their own identity and secrets and make themselves volnerable to attacks. If they do this to them selves, why would they not do it for the company they work for?

    The reason is simple: ignorance. You need to explain that if you give one piece of the puzzle (e.g. just the first number of your CVV code) if they get the otherpieces elsewhere, they have all of the information.

    So it is indeed now up to IT to realize that they have been lying and finally start to understand that security is a state of mind and not something you can deal with as if it were a bug (or a feature). NEVER solve a social problem with a technical solution.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Technical solutions for social probs don't work by XXongo · · Score: 3, Insightful

      We are all aware that technical solutions for social problems don't work. People will write down their passwords, because they have too many.

      It's been shown that writing down your password is pretty much the safest thing you can do. If I can't write it down, I can guarantee my password is going to have to be something like puppydogN, and I'm going to use the same one on every single system because I can't memorize fifty different passwords and remember which one goes with which login.

      What pisses me off most are the a$$holes in computer security who are now making me change my passwords to a new one every 90 days. Nobody has ever shown that this makes anything safer.

  4. Great idea, but it will never happen. by Anonymous Coward · · Score: 1

    Security is a process that you have to integrate in to every aspect of your business. It should be part of your training, planning, policy, business process, etc.

    Trouble is, those that control the pocket books don't see it that way. They've been convinced that security is a service, or worse an appliance. It's a neat line-item that ticks a box and should be priced out to the lowest bidder.

    To be fair, they see everything that way. Makes their jobs easy when leadership is a spreadsheet, a report, and a golf game with the bosses instead of.. You know, actual work.

    You ever wondered why so many large organizations seem like such disjointed, jumbled up messes with ill-fitting parts that don't communicate well? Yeah.

  5. so more Shadow IT? or more we can do are own at lo by Joe_Dragon · · Score: 1

    so more Shadow IT? or more we can do are own at lower cost (at the places that have IT bill other departments) and more PBH fights over stuff that they do not know that much about. I read in PBH magazine that we need to have X and I don't thing X.1 (just about the same thing) will cut it.

  6. Necessary, but a waste of time. by pla · · Score: 1

    I can easily see the theoretical value in this. In practice, this will just scare and confuse 99% of non-IT people.

    Corporate cybersecurity must operate in such a way that it doesn't require the end users' cooperation, or it will fail. Sure, you can teach people best practices, how to spot phishing attacks, not to use the same password on every system they use; but as soon as you move beyond that, you've set yourself up for complete failure.

    1. Re:Necessary, but a waste of time. by tnk1 · · Score: 1

      You need everyone's cooperation at some level. There is simply no way to prevent attacks unless you have everyone on the same page.

      Yes, you might be able to track the HR assistant who sent the data and fire them, but too late for the company. You at least need to train them to the point that they,

      a) Know the minimum that they have to do in order to protect their data,
      b) Know that they can be fired for failing to protect that data.

      You would not believe the number of people who make these sorts of mistakes and are *not* fired. The reason is simple. No one trained them to recognize attacks, and no one told them that they had to protect that data or be fired. Unless they are in disposable positions, their manager rightly points out that they're valuable members of the HR/Finance/Sales team, and that if their CEO writes them an email ordering them to give something up, they're going to follow orders.

      A great deal of InfoSec breaches are all social engineering that happen to use email or something to convey the attack. There is no purely technical solution for that.

    2. Re:Necessary, but a waste of time. by pla · · Score: 1

      Unless they are in disposable positions, their manager rightly points out that they're valuable members of the HR/Finance/Sales team, and that if their CEO writes them an email ordering them to give something up, they're going to follow orders.

      I mostly agree with you, but I think you might have missed my intent...

      Why does a random HR employee have the ability to send an export of all employee data to an external address? Why would the CEO legitimately need to ask anyone to send them data (as in, the data itself, not a link to an internal webpage or file)?

      Yes, people will always make mistakes, and non-techies will never keep up with the latest social attacks - Thus my point; not saying someone should lose their job for an offense they don't even understand, but rather, that they shouldn't have the physical capability of accidentally causing such a breach.

      Though rare, this counts as one area where we could take a tip from high-security government agencies - No removable media, no direct internet access, no email attachments can leave (or enter) the local network without some form of sign-off by InfoSec, etc. And yes, of course people will always find ways around such technical barriers, but at that point it becomes a lot harder to claim ignorance instead of malice.

  7. No by jwymanm · · Score: 1

    In fact the opposite should happen. They should be removed from any level of access to anything that requires security to protect peoples data. And not to be harsh on them, so should any employee honestly. Usually it turns out the least secure people in the company have the most access to customer information. This is the system we have today because they are the people that directly interact with the customer and are typically new people hired freshly from the street since turnover rate in call centers/fast food is so high. We need a different process entirely to create a secure way to provide PCI / PII . It should never even have to be provided manually to another human getting paid minimal wage.

  8. NO by Ryanrule · · Score: 1

    IT should be given greater control.

  9. they only figured this out now? by bravecanadian · · Score: 1

    This has always been the case.

    Unfortunately, most companies treat information security as an IT task instead of a company wide mindset.

    In the push and pull of security vs. convenience IT generally loses.. but they *do* get to take the blame once things go wrong.