This past RSA was a memorable one for several reasons. First of all I was glad to see the security industry move off of compliance as its reason for being. Compliance had taken the industry hostage for too many years. It seems that we are now finally focusing back on security and preventing breaches rather than some least common denominator check box model. I think in the long run we will all be more secure for this.
Another thing I saw at RSA was the idea of security using virtualization. It is not just securing virtual environments, but it is using hardened virtual containers to run code and apps to make sure they are not malware and they can’t do any harm to our devices. These hardened virtual containers run on our devices or they can run in the cloud or anywhere in between. The important thing is they can’t (supposedly anyway) get to anything valuable on our networks. If this pans out, it could have a profound impact on the way we secure our data in every segment of the market.
Perhaps one of the biggest trends though was the realization that we are under attack by very sophisticated forces, perhaps even nation states who are using very sophisticated and highly organized techniques. The report by security company Mandiant on the alleged acts by a unit of the Chinese PLA codenamed APT1 was chilling.
The thing about APT attacks is that no matter whether you are a big company or small, government related or not, you are a target. Midmarket companies should not be fooled into a false sense of security that these attacks are not aimed at you. They are! If you have IP that could be valuable, you are a target. Manufacturing, media, technology and financial companies are all potential targets. Not to be an alarmist, but if you are not doing something about defending yourself against this type of breach¸ you are foolish.
The good news is that many of these attacks while they use 0 day attacks and other unknown exploits almost always start with a simple spearphishing attempt or something similar. Most of these attacks still take place because the weakest link is still the person behind the keyboard. In this regard security awareness training is still a strong tool. If you can afford a 3rd party to come in an implement a security training program, you should do so. If not there are plenty of web resources available that you can put together and make your own. So much of this is common sense about not clicking on links you aren’t sure about.
Of course there is no guarantee that even with all of the security awareness training in the world you will prevent an attack from being successful. That is why it is also important to have a plan in place for what to do when something happens. Don’t wait until something happens to figure out what you should do. Assume something is going to happen.
Planning for a breach is as important as trying to prevent a breach. Again this is as important for a midsize firm as it is for a large firm. In fact many security experts say that midsize firms are more of a target than some of the larger organizations. So again, not to be a scaremonger, but you should be planning this for your company right now. Again there are 3rd parties who can really help with this. IBM and their partners have lots of options. But there are plenty of resources available on the web that you can use to craft your own plan as well. Don’t let budget stand in the way of your preparedness.
I will write up some more news from RSA around BYOD, Big Data and the Cloud in my next report so stay tuned.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.