If your organization connects to the public Internet, being hacked is not merely possible; it is a matter of “when,” not “if.” Risk management, rather than hoping for the best, should therefore be the approach.
At its most basic level, risk management offers three options (most formal frameworks add a fourth, avoiding the risk by not undertaking the activity at all):
- Transfer the risk. Instead of owning the risk, you hand it to another party. An everyday example: instead of driving to work you take public transportation. You give up some control but are no longer responsible for something like a traffic accident. An IT example is using a software-as-a-service (SaaS) vendor for email instead of operating your own mail server. The vendor is responsible for protecting, backing up and recovering everything involved in delivering message traffic, while you as the customer pay the bill. When something goes wrong (and it always does) you say, “Fix it.” Keep in mind that the transfer is never total: the vendor takes over running the service, but your accounts, your users’ credentials and your accountability to customers and regulators for the data stay with you.
- Mitigate the risk. Put policies, processes and controls in place that reduce the likelihood or the impact of the risk. An everyday example is a dead-bolt lock on every exterior door of your home so that a stranger can’t just walk in. An IT example is restricting access to data. This takes work on the part of management to identify which data matters and work on the part of IT to put access controls in place to protect it. Ideally, executives would like a big red Stop sign to appear on the unauthorized user’s screen, along with notifications to IT staff and management about the attempted access to restricted files. Yes, the big red Stop sign idea is real; I had a person ask for it.
- Accept the risk. Management has chosen not to spend the money or implement the policies associated with an identified risk. Done deliberately, with the exposure written down and revisited, acceptance is a legitimate choice for risks whose treatment would cost more than their expected loss. Done by default, it is simply ignoring the problem, and that is what Sony did. You have to deal with the world as you find it, and that means confronting the situation.
As more incidents happen and, more importantly, get publicized, the mindset of executives and the organizations they lead will shift from accepting risk to mitigating and/or transferring it. As always, a cost/benefit analysis determines what resources go into mitigating a risk and whether it should simply be transferred instead.
Oh yeah, don’t forget to include insider attacks in your risk management equation, but that’s a subject for another time.