Avoid a hack: It’s not just about technology

MANILA, Philippines – The recent news of various Philippines government and private corporate websites being defaced by Anonymous Philippines, a hacktivist (hacker-activist) group, brings into mainstream media the state of cyber and information security in the Philippines.

If you were the chief executive officer/chief information officer of a company or government agency, one of the things that would worry you is waking up in the morning and finding your own website in the front page of online news. 

According to a Norton report, the global cost of cyber security breaches in 2011 amounted to around US$110 billion. These breaches come from professional cyber-criminal organizations, hackers and even hacktivists whose goal is not money but the thrill from the hack and the promulgation of their advocacy. It is just now, that Filipino websites/organizations are increasingly encountering the same threats.

The current solution to avoid or fix a breach is to buy anti-virus software and firewall to plug the security hole. Alternatively, they can also pour money into whatever security technology their favorite vendor suggests. 

This practice is not only costly but also insufficient. Technology can only protect your IT infrastructure up to a certain extent. An effective information security program involves a change of mindset, recognizing that a holistic approach is necessary to defend one’s vital IT assets — people, process and technology.

To briefly discuss the 3, technology is a combination of products that protect the IT perimeter such as firewall, anti-malware, intrusion prevention and detection systems, among others. Process is about putting in the necessary controls and setting up a formal Information Security Management System (ISMS) within the organization. And people means investing in your IT employees via information security training. 

Vigilance

This would include security awareness training for the entire organization — from frontliners up to the CEO. Organization buy-in is a must. The drive for operating in a secure environment starts from the executive in charge.

Security professionals call it a program exactly because it is a methodical and continuous process, not a one-shot deal. Constant vigilance is required for corporate cyber defenders as a hacker/hacktivist has all the time and the patience to probe for a weakness.  

It only takes one weakness in the system to create a breach. It is also a program because it employs the best practices and standards that various information security and application security professional have learned through the years. 

This expertise is guided by certifications issued by global organizations like the International Information Systems Security Certification Consortium (ISC2), who are advocating the professionalization of the next generation of cyber warriors.

The Philippines needs not reinvent the wheel for defending its IT infrastructure. Companies could hire employees or consultants with the necessary background and certifications to create a world-class information security program within the organization.   

As the famous quote from Benjamin Franklin goes, “an ounce of prevention is better than a pound of cure.” The best time to start securing your IT Systems is today. – Rappler.com

Rene Jaspe is a member of the Philipine chapter of ISC2 and the co-founder and CISO of Sinag Solutions. He has previously worked on projects for the US Department of Defense and NATO allies. Check his updates on twitter @ReneJaspe or you can reach him at rene.jaspe@sinagsolutions.com.