News of data breaches and cyberattacks unfortunately comes as less and less of a surprise every day. For many IT professionals, they are common occurrences that can enact costly, devastating damage.
Learn more about cybersecurity prevention and response in the legal and IT fields with a white paper from Sync titled The General Counsel’s Guide to Digital Defense. The Legal Side of Cybersecurity. Click below to download this complimentary industry insight report.
Michael Higgins, director of information security and CISO for Harris Corporation, strives to never lose sight of this fact. And because Harris provides advanced technology-based solutions to government and major commercial customers, its concerns over data protection and security are even more critical.
The scope of the threats the company faces is staggering. First, there are state-sponsored advanced persistent threats: attempts that target innovative solutions that would help close technology gaps between less-developed countries and the United States. “We track and monitor dozens of attacks on a daily basis from more than seventy different groups. The entire defense industrial base sees thousands of probes every day from hackers who are employed by foreign governments to look for vulnerabilities,” Higgins says.
Secondly, there are the common criminals whose goals are strictly financial. They might generate one million emails in order to access the tiny—but highly lucrative—percentage of recipients who will reveal confidential data or click on a malware link. Higgins says that these are massive sweeps seeking vulnerabilities, as opposed to state-sponsored efforts that persistently target individuals or organizations with access to highly specific information.
As the Edward Snowden case demonstrated, insider threats now demand even more attention than in the past. Structures must always be in place to guard against individuals who intentionally access data with plans to steal, sell, or distribute the information. But safeguards must also be sensitive to unintentional incidents, such as when an employee unwittingly falls victim to a “spear-phishing” attack—clicking on an innocent-looking link that downloads malware or accesses confidential information through stolen credentials.
Adding to the threat is the consumerization of technology, which has created a much broader attack surface to defend. Critical information is now spread across multiple portals, smartphones, laptops, and cloud-based networks that create potential openings. “All of these innovations are part of our daily routines and increased productivity, so we can’t simply say ‘no’ to using them,” Higgins says. “Our challenge is to find protocols that integrate with existing workflows and still provide adequate and appropriate security controls.”
“All the tools and policies in the world won’t protect you if you don’t have people who can evolve along with the hackers and stay one step ahead.”
With such high-level security at risk and so many potential threats, it might be surprising to hear that Higgins does not have an information-security background. “I’m not a subject-matter expert on firewalls or application coding, for example, but I’m very skilled at identifying the people who are and bringing them in to contribute,” says Higgins, who was trained in electrical and systems engineering. “These people’s participation ultimately ensures that we end up with the best possible solution as a result of having engaged the highest level of expertise along the way.”
Higgins also contends that his approach can save time and money. By actively assessing the likelihood that a specific risk might occur—rather than applying blanket best practices by rote—he can avoid the implementation of unnecessary, or ineffective, protocols.
In addition to this somewhat unorthodox strategy, Higgins relies on tools, talent, and tenacity to create the best possible security measures. Some of these tools automatically monitor network traffic for known threats as well as activity that may create vulnerabilities. Analytics play an important part in developing a baseline for user activity and identifying anomalies, such as when an individual downloads an unusual number of files, or is active at an odd time of day.
“Talent is another critical element,” Higgins says. “All the tools and policies in the world won’t protect you if you don’t have people who can evolve along with the hackers and stay one step ahead. Otherwise you’ll always be bringing in resources only after you realize adversaries have already succeeded in compromising the environment.”
Tenacity, meanwhile, is essential for critical ongoing tasks like patching operating systems, developing updates for viruses, eliminating false positives, and identifying even the tiniest potential vulnerabilities. Constant training—based on Harris’ slogan, “security is everyone’s business”—is one of these critical activities. “In addition to reinforcing secure technology habits, training in safe behavior maintains awareness of the real costs security breaches have to the company. It’s much more effective than fear tactics, which are only effective in the short term,” Higgins says.
The 2015 “US State of Cybercrime Survey,” conducted by PwC, found that companies without training lost an average of $683,000 per security incident. That’s more than four times higher than those with training. Harris’ efforts include weekly tips, annual training updates, an “easy” button for reporting suspicious emails, and internally generated spear-phishing programs to monitor employee responsiveness.
As threats evolve, so does Higgins’ anticipation of them. One crucial tactic that he maintains is identifying and working with emerging companies that are nimble enough to customize niche solutions to fit Harris’ existing systems—and address specific gaps that legacy vendors do not.
As Higgins looks at areas like analytics and the cloud environment, he maintains a zoomed-out perspective and remains on his toes. “We always have to find ways to balance the productivity of innovative technologies with their use in a secure manner that doesn’t increase our vulnerabilities,” he says.
Even with those kinds of challenges, Higgins points out how exciting it is to do the work he does. “I get paid to learn about the latest threats and to work with a team of extraordinarily bright people using the latest tools to architect cutting-edge solutions,” he says. “There are very few jobs where you get to come to work and literally play chess with your enemies on a daily basis.”