600_fm010604-top-dark4 It used to be the ‘stuck to our side’ pagers that go off at 3am telling you that a server crashed that would keep you up at night.  You’d drag yourself out of bed (or the chair at the data center that you fell asleep in), tippy-toe to the computer in hopes of gaining remote access or wonder to the car, still in your PJs, to drive to the facility.  In February 2009, InformationWeek & Dark Reading conducted a survey entitled, ‘What Keeps Infosec Pros Awake at Night.’  They asked more than 400 IT pros, among other things, what are their most serious threats, how are they prioritizing their defense of these and what are they going to do to keep their data safe in 2009 and beyond.  At the time, 52% said they were concerned about Internal threats – either employees or partners, accidental or malicious.  This makes sense since there were several articles in early 2009 which looked at Laid-off workers turning to Cybercrime.  They also feared the loss/theft of a laptop/potable storage device which might contain sensitive information that can lead to a corporate security breach.  Their biggest wish was for end users to be smarter about security and understand the risks.  Automated technology allowing IT pros to focus on emerging threats rather than day-to-day firefighting came in 2nd.  They just wanted to have the time to find ways to make their systems more secure, and compliance was driving it.

Recent data from Verizon’s addendum to its Data Breach Investigations Report actually shows that most (73%) data breaches come from External sources, not insiders.  Granted, the InformationWeek data was garnered from a survey (point in time opinion) and the Verizon info was generated by analyzing disclosed/investigated public data breaches (over time) and it doesn’t include undisclosed incidents with internal investigations.  Verizon concluded that breaches which warranted public disclosure were primarily done by external sources.  I’m sure that many internal incidents that didn't affect a large swath of the public were never disclosed, which could slightly sway the results but interesting nonetheless.  So the fear was Insider threats yet the actual data implicates outsiders.  I started wondering if this one of those Perception vs. Reality things or as Stephen Covey puts it, “We see the world, not as it is, but as we are.” 

In February 2009, when the economic crisis was in full swing, layoffs were a daily occurrence.  There were many documented cases in the early 1990’s of crime/fraud that occurred during that recession and many believed it would happen again – but this time with technology's help.  Stories started to appear indicating that this scenario might happen again and when the few that did happen were spotlighted (like the current trial of Terry Childs) - folks believed, or feared, that a new wave was coming.  The data that came out other end, seems to show that those internal threats were less than expected, except maybe in the financial industry.  The other side is that sometimes perception is more important than reality.  With the perceived immanent danger of rogue ex-employees, IT departments had a wake up call to reexamine how they handle access termination, a critical piece of data preservation.  In life and security, our view of the perceived risk is based on our past experiences/beliefs and that ultimately shapes our reality.  My reality and your reality might be very different but we always have the power in how we respond to events, even ones out of your control.  So as 2009 winds down and you get some needed rest (maybe), revel in the fact that this challenging year is almost over, you did the best (hopefully) you could and there will be a whole new set of threats, breaches, viruses, vulnerabilities, scams, malware and many other incidents that put security at risk as thieves typically work through the holidays.  Plan as best you can and take the new ones in stride as a challenge to all of us to get even better at protecting all our critical assets – including the living, breathing ones.

And there you have it – 26 Short Topics about Security.  Yea, we made it!  But wait, there’s more.  Stay tuned for the Post-blog Report where we look back at the series, pick some favorites and share what I’ve learned about putting together a chain of blogs over the course of 5 months covering a single topic.  Should be fun.