Outside:  What are the modern organization’s possible contributions to surrounding outside public enablements and related security there?  [Think:  electrical grid; communications; infrastructure such as roads, etc.]

Inside:  What are your new requirements concerning internal controls and security measures?  [Think:  Malware comprehensiveness and timeliness; firewalls; education, etc.]

In advancing the discussion, recognize that any modern organization with reliance on electronic enablements, applications, processing, content, and the dynamic flow of information, is vulnerable due to both outside liabilities, and inside liabilities.  But further, the organization will face threat with two other distinct characteristics.  There will be national threats (originating outside) that impact inside – and there will be local threats, also with corresponding inside impacts.  Further, there will be your own inside perils, due to deficiencies, deliberate harm, or human error.  We can evolve the following matrix over time for a more comprehensive understanding… and for the taking of appropriate (affordable) action:

Nation-states:  The organization is vulnerable to national threats, as delivered by outside nation-states, both formal ones such as China, as well as virtual “nations” of thought or philosophy or action, such as al-Qaeda.

If you believe the “local” organization – that is, yours – is not susceptible to large cyber threats… read on…

It’s been reported recently that the President of the United States could order a pre-emptive cyber strike if a major cyber plot was detected and deemed credible.  We’re talking about a cyber plot as mounted against the U.S. by a foreign and hostile country or entity.  (In fact, tonight’s (2-12-13) State of the Union address is going to contain mention of cyberwar as a national threat).

This reportage is not in the context of President Obama potentially ordering, or considering, such a strike:  Rather, this was a discussion for the legalities of any president, now or future, for ordering such a strike.  In other words, a general legal and Constitutional question, and potentials for action.  In this regard, The National Intelligence Estimate, considered the intelligence community’s most authoritative document, has been updated and is commissioned to focus on cyber security, with special focus on Iran, North Korea, and China.

Orgs close for inclement weather – will they close for inclement cyber conditions?

So, we’re plowing new ground – and, like it or not, considerations of large-scale cyberwarfare will come to the organization much as considerations of weather do (such as when to close early, when to close entirely, who makes those determinations, etc.)  Consider:  Will there come a day when a specific national or regional CyberThreat is deemed so high that specific geographic areas are advised to shut down computer systems, in order to take them offline and to remove their vulnerability until the threat is successfully resolved?  Computers, critical content, access to apps, and the dynamic flow of information, are necessary to virtually everything we do today:  Banking, commerce, travel, education.  Technical enablements sustain our power grid; any damage to that cascades to critical areas mentioned in the last few articles here.  If national or regional authorities believe some measure of systems supporting the power grid are in a window of vulnerability, might local power “go out” for a period of time?  (Much as it does following a bad storm).

So what are the boundaries by which we can execute cyber operations?  How “preemptive” are we permitted to be?  Former CIA deputy director John McLaughlin says that this is a “new arena, a new frontier, where people can move with stealth, agility, and invisibly.”

The difficult part of “invisibility” is that an enemy can attack, cause great harm, and escape liability or penalty, which in-turn makes it difficult for the attackee to respond, and to mount protection from continued attacks.  See how the removal of a MAD scenario exacerbates the threat (one article down, or here).

As to perils to the local organization, we’re already seeing large, private, high-profile targets being hit:  The New York Times said Chinese hackers had compromised their computers, stealing employee passwords a few weeks ago.  Same for the Washington Post and Wall Street Journal, as they reported similar incidents.

Twitter recently said that 250,000 accounts may have been compromised.  A breach at the Department of Energy came to light when employees were notified that servers had been compromised at their headquarters.  There have been numerous denial-of-service attacks on U.S. banks.

Large, high-profile, organizations and their associated vulnerabilities are pretty well understood inside of those orgs.  But what of small-to-medium business?  SMB is particularly vulnerable.  But beyond nation-states wreaking large-scale harm, SMB faces both inside and outside threats.  Where are their meager resources best-leveraged?

Understanding the problem will advance our discussion in the coming days…

What comes after Black Friday? 

Cyber Monday.  That’s the online equivalent of Black Friday, with deals galore for the online shopper.  This year, it’s expected to generate more sales than Black Friday for the first time. 

I can tell you that I do almost no Holiday shopping at brick-and-mortar stores any longer; everything is done online, and it all shows up at my door.  I can even avoid gift wrapping if I prefer to pay them to do it.  Of course, no online retailer can match my taste and care when selecting wrappings, ribbons, and…  ahh, who am I kidding?

According to the National Retail Federation, 88% of retailers will have special Cyber Monday promotions this year.  This is up from 72% in 2007. 

They also report that online sales for the 2010 Holiday Season are expected to reach $32.4 billion, and that is an 11% increase over last year.  Further, 70.1 million people are estimated to be shopping online from the office this season for Holiday gifts.

In view of all of this, a Careerbuilder online survey reports that 21% of employers have fired someone for non-work related internet activities.  5% have fired someone for holiday shopping at work. 

I got to thinkin.’  If over 70 million folks are shopping online at work this holiday season, and 5% of employers have fired someone for doing this (and we’ll assume one “fire” per employer), then 3.5 million people have been fired for doing this!  Of course, we don’t know over what period of time.  For the fun of it, let’s just say that it’s been over the course of… oh… a decade.  That would mean that 350,000 people might lose their job this year for this!  Fired – for thinking of their friends; their spouses, their lovers, their kids, their co-workers…..

As I’ve said many times:  Be careful out there.  If I can save just one person’s job this Holiday season… 

:^ )

By the way, the same Careerbuilder survey says that 50% of employers block employees from using certain websites at work.  I am frankly surprised that this figure is not higher.

Novermber 28^th:  On this day in 1895, America’s 1^st auto race starts, with 6 cars, over the course of 55 miles:  The winner averaged 7 MPH.