It's ironic isn't it?
Not just that the U.S. government, an entity itself so large, so organized, so by-the-book they even define their own levels of security clearance, was breached. Hackers will say that was the easy part.
The irony is that despite the organization, multiple levels of security clearance and sheer stature, one man can take down an army. Could this have been stopped? Could the government in all its gospel FIPS 140-3 glory have turned a blind eye and used trust as a security policy?
Probably not. But are there mistakes that we can learn from and prevent from happening in our day-to-day business? Absolutely.
One of the main lessons we can learn from Julian Assange and WikiLeaks is that one man with power, credibility and unfettered access can do a lot of damage, if disgruntled. You have heard it before. Going postal. Rogue employee. A guy with nothing to lose.
The reality is that these people work for us and we need to be prepared for the worst. But are we ever prepared for when their ride on the ladder of mediocrity and misguided success goes awry? We can be.
Let us start with the basics.
- Unify. One of the biggest challenges of big organizations is that individual groups take on their own persona. In turn they create, control and manage how data needs to be accessed on their own – typically without the check and balance of an enterprise security policy. This poses a bigger challenge. The longer individual business units behave this way, the harder it is to get them to change. Resistance will be your biggest enemy. By unifying your team and departments, your strategy will go a long way in better security, which ties nicely into my second point.
- Understand your data flow. It never ceases to amaze me how many large, respectable, and market leading companies have no clue when it comes to understanding how data moves and is used throughout their IT infrastructure. Fingers will be pointed in conference rooms. Epiphanies will be had as frequent as bathroom breaks, and you will learn to loathe the phrase: “I didn't know such and such data was used in that system.” Of course you didn't. That's because no one is talking to one another and they are all operating in silos. You need to knock them down and get your arms around your data flow.
- Resist the urge to fix the problem yourself. While you may have a brood of new blood from the likes of MIT, Stanford and Carnegie Mellon, none of them are prepared to tackle your problem in all its forms of distortion. Your challenge is an ugly one and requires a level of life experience that generation iPad probably cannot satisfy. Seek out the counsel of someone who has been there before.
- Don't allow money (or the lack of it) to cause further delays. I know it is tempting to build it on your own because it appears cheaper, easier, and can get easily bundled as an operating expense, but trust me, at the end of the day it costs actually more money and time to do it on your own. Add to that the reality that, according to the 2010 Breach Investigations Report from Verizon, the number of breaches that occurred in 2009 as a result of someone on the inside was roughly 49 percent. Yet information gathered today shows that the inside threat doubled in 2010 from its previous year. All the more reason to carry the flag and fight for budgetary dollars to address due diligence and find the best security solution for your organization.
If you have unity, know where your data is, have put all the B.S. (no pun intended) computer science grads in timeout, and have the budgetary support. Then you are ready to take this initiative to the next level.
Congratulations. Now you just have to know the problem, the potential solutions, and cast a wide net.
There are a lot of one-trick ponies out there with slick fields sales teams all trained by Gordon Gekko and his entourage of moneymakers. They want to do one thing and one thing only, sell you the part of their solution that works.
These Gekkos represent a fleet of vendors all hitching their wagons to fancy acronyms and the promise that a square peg can fit in any hole if you push it hard enough. So do your due diligence, cast a wide net, and test everything. At the end of the day, you asked for the money, you cashed some of your chips for unity; it is up to you to ensure the magic happens.
As for Assange, well, he is not going away, but it is likely one of his sources is…for a long time.
But back to my original thought. It is ironic that the ringleader of WikiLeaks himself is now peppered with everything from denial-of-service attacks to rape charges isn't it?
Yet, Assange, WikiLeaks, and the ensuing attacks on corporate America by hackers demonstrate one thing; They're uniting. The question is: Are you prepared?