When most companies think of digital security, they think of protection from external threats like DDoS attacks, malware, and fraud. But a recent security briefing put on by Canadian information security group Seccuris suggests that many companies are more vulnerable from the inside.
Paul Card, director of research and development at Winnipeg, Manitoba-based Seccuris Inc., spoke at Steamworks Brewpub on Wednesday, March 19 about what both small and large companies get wrong about digital security.
Card said it's all about learning who within your organization you need to keep an eye on.
"It's one of the open problems about IT security, usually because once you hire someone, you do your background checks and your reference checks and then you implicitly trust them from then on," he said. "What we've done is a whole bunch of analysis on email traffic, and trying to use email traffic to see what we can learn about what's happening culturally in the organizations."
Seccuris provides consulting services to businesses on security architecture, threat assessment, and risk management across Canada and the United States, and partnered with American security group Varonis and software company Entrust for the Vancouver security briefing.
"We've done quite a few presentations," said Ben Hui, a solution architect for Varonis. "Around town we usually do the conferences, like ISACA. We've been in attendance for quite a few of the Reboot events that have been in town as well."
Seccuris has put on public events to inform people about the risks of insider threats for the last four years. Hui said Varonis does between 6 and 12 events a year on the risks of unstructured data, and plans to do more talks in Vancouver throughout the next 3 weeks.
According to B.C. minister of advanced education Amrik Virk, the province has over 9,000 technology companies. For criminals looking for tech companies with weak internal security, B.C. might appear to be a good place to look.
"If an organization understands the risks, then they're going to look for solutions to help mediate that risk," said Hui. "There are lots of different techniques to do it but I think the best way is through analytics. What analytics allows us to do is provide insights."
Hui outlined five questions that are the most important things to ask when it comes to digital security.
"The first one is: do you know who has access to your data? Do you know what they're doing with that access? Do you know who should have access to the data? Do you know who the data owners are? And the last one is, do you know what data is considered sensitive?"
"I think often people don't match the solution to what the business needs are, which is probably the biggest gap," said Card. "There's no one in the industry doing some of the stuff I'm doing."
"No one but the NSA," he said. "But I couldn't comment on that."