Oh, the irony. Vanguard Defense Industries (VDI) was hacked by the hacking group Anonymous.
I don’t mean to sound too critical, or unsympathetic. After all, if an industry with the word “defense” in its very corporate name and charter can be breached… what hope is there for the rest of us?
And yet, what the heck? (I resisted the temptation to say “What the hack?”). Don’t we have to persevere in the belief that true progressions, true protections, and ultimate measures of true security can, will and do trump threats and potentials of breach? The short answer is: Yes.
Things have to fall one way or another – with the simple strength of a push. Organizations need to be constantly pushing security… lest a breach pushes itself into and onto you. What does this “push” really mean?
It means being vigilant, with a proactivity and focus that extends to the horizon – and beyond. You must survey the current risks that are out there, survey for the ones that are developing, and survey for those rumored to be developing. You must then pair this awareness, vigilance and survey with your present environment: bring the necessary security solutions and practices to its supports, its protections, its plans and its projected progressions. View everything through a security prism.
In the case of Vanguard, a top official had his e-mail account broken into. Messages were stolen from the Senior Vice President’s account. According to Anonymous’ own statement, 1 gigabyte of data was stolen, comprising personal information (never good), internal meeting notes and worse: purportedly also taken were counterterrorism documents marked “law enforcement sensitive” and “for official use only.”
Here is the real payout to us, here in the IT and business community: The e-mails were stolen from the Senior VP’s private Gmail account. Wow. Here are the questions that are raised:
1. Is Gmail an authorized, sanctioned, mail system – endorsed by Vanguard Defense Industries for internal and external use?
2. If so, what is VDI’s guidance for what levels of information can be transmitted and stored in a system that is outside the direct scope and control of VDI’s security standards and measures?
3. What are Gmail’s own standards of security? Do they match and/or exceed those of VDI? Or are they considerably lower?
4. Regardless of present standards, what guarantees can Gmail offer regarding continuity of security over time, such as a prudent forward progression as threats evolve and increase? We all know wonderful companies and products of yesteryear that failed to grow with the times…
5. Will outside standards remain high in the face of business challenges, such as any budget constraints, and competing avenues of attention/progression such as new online products and features?
The lesson for business and IT in general? Survey and find out immediately, if you don’t presently know, what your staff is doing via free and readily available services: Gmail, Facebook, message boards, comment areas on news sites, and so on. Update Acceptable Use policies, Content Management policies, Security policies… Define what is permissible. Define what is impermissible (not allowed, unauthorized, forbidden, to be avoided, etc.). However –
When defining the “Impermissible,” be certain to include specifics, but also include a caveat that it is not meant as a comprehensive list of specifics. Specify that, due to evolving and new products and avenues of breach, all general areas are included. For example, you can bar the use of Facebook, MySpace and others at work; but also indicate that social networking in general is not allowed. That way, as new social networking sites bloom, they are covered. You can also grant conditional access: a particular project or group may benefit from access, which can be qualified by training and best use. Some departments may need access – those that don’t require it, don’t allow it. This is business – nothing personal.
Recognize that even senior-most staff represent security liabilities if they are under-educated regarding modern and evolving perils. Whether you’re a CXO (CIO, CTO, CFO, etc.), Senior Vice President, President, Director, Manager, Supervisor, staff person or temporary hire – make certain you know areas of risk, and best protections – you must set the example.
Further, if you’re a leader, get the right people working on the solutions and protections, and keep them current on the related advancements.
Further still: Get the right security training and awareness in place for staff.
Stay safe out there…
On this day (August 20th): In 1896, the dial telephone was patented.