The world of IT security is in chaos, with CSOs seemingly on the front lines of a full scale global cyberwar being fought out by government hackers, botnet-controlling criminal gangs and compromised Web sites. Can we ever hope to keep networks safe in such an environment?
Accusations of government-sponsored hacking have been flying in recent weeks with the US, UK, Germany, and most recently, New Zealand, claiming to have been attacked by hackers that allegedly work for the Chinese government -- charges denied by the country itself.
Meanwhile, Storm worm has also been in the news with security researchers debating whether the botnet controlled by the worm, which is estimated to contain between one and five million infected PCs, could be used by criminals as a massive distributed supercomputer, potentially packing the power to deliver massive spamming campaigns, knock out targets with a DDoS attack and even use a SETI@home-style operation to crack very strong encryption, very quickly.
It is not just the hackers, spam and DDoS activity we need to worry about. These days it isn't even safe to simply surf Internet because there is no way of knowing if a Web site has or hasn't been compromised -- take the IE-exploiting Facebook ad, for example, or the Sydney Opera House Trojan.
These are legitimate sites and yet people have most likely put themselves at risk by simply visiting them.
So how do you go about protecting your organisation in such a hostile environment? According to Graham Andrews, the CIO of PricewaterhouseCoopers, the task is "a nightmare".
Andrews believes a company cannot be truly secure if the responsibility for security is pinned on one person or one department.
"Security is everybody's problem. The core ownership of security is throughout the organisation. Not just within the IT group but in the user community so they are fully appreciative of the risks out there," he said.
When security is the responsibility of just one department, "you have already lost the game," said Andrews.
Andrews is spot on. Ensuring everyone in your organisation -- from the developers to the doormen -- are aware that the only way to reduce the chance of a security breach is for everyone to play their part.