Although you might not think of the meat and poultry industries as juicy targets for cyber criminals, every company is a potential victim. Even yours. Maybe your attacker will be a disgruntled former employee. Or a competitor. A recreational hacker. An animal-rights organization. A nation-state targeting American companies. Or a bad guy going through you to get into one of your partners’ systems.
“Businesses underestimate the extent to which they are targeted,” reports Malwarebytes. The number of attacks on businesses recorded in the first 10 months of 2017 surpassed those recorded in all of 2016, according to a new report. The average monthly volume of attacks is up 23 percent.
And though we in the meat and poultry business are not on the top of the target list, we have a lot to lose. Our business systems are as sophisticated as anyone else’s, and our processing lines are increasingly digitized. A serious disruption could ruin product, harm employees, sicken customers, destroy reputations and devastate the business.
Security is an ongoing process, a strategy you execute not just once when you buy the required tech products, but every day through your employees’ and executives’ actions.
The case of the missing safe
Let’s look at security through a simple example. Consider a hardware store whose safe is stolen overnight, lifted through a hole in a thin roof directly above the safe, the same hole through which the thieves entered. No locks were broken, no alarms triggered. From these simple facts, we can assume the thieves:
- Had somehow learned of a building with a safe inside.
- Discovered the precise placement of the safe.
- Avoided the locks and alarms.
- Exploited a vulnerability: the roof.
- Committed the entire caper undetected.
- Might well have had the help of an employee.
Here’s how this simple example applies to your operation.
Don’t talk about your valuables
The first security failure in this story was the breach of information in which the existence of the safe and its location were disclosed. Although the vulnerability in the roof and the absence of alarm systems in the back office were oversights, the greater oversight was the owner revealing information about the safe to anyone, including his employees. Security is often as much about controlling information related to assets as it is securing the assets themselves. The lesson: Information about assets should not be decoupled from the assets in the context of security planning.
In our example, what assets were worth protecting? Was it the store, the merchandise, the safe or the cash in the safe? All of the above. The security “strategy,” such as it was, implies the store owner didn’t think beyond the store level. He did little more than protect the perimeter with locks and alarms, and even left some of that perimeter vulnerable.
Formulation of a security practice starts with knowing what to protect. Knowing what to protect starts with a comprehensive self-examination of your organization. Some assets, as we’ve just learned, are not as obvious targets as others. The lesson: Security is not just about protecting your servers, encrypting passwords or installing the best firewalls; rather, it starts with a true understanding of your assets, their value to you and their potential value to thieves.
Know thy enemy
The days when random hackers with generalized ill intent represented a majority of threats are long behind us. Most modern threats represent highly organized, persistent and well-funded groups that operate as for-profit businesses.
The key question to ask as an organization is, who exactly would be motivated enough to try to penetrate my systems? The answer to this question is different for each company that asks it. This is where threat modeling comes in.
Start by thinking about how your current security posture matches up against potential threat groups. For example, is your current organization prepared to withstand a long-term targeted attack by a nation-state? Do your employees know enough about your critical systems to be dangerous? Do you have intellectual property that might be of interest to your biggest competitor?
Score the opponent
The next step is assigning a relative motivational score to each threatening actor to determine how much effort he, she or it would be willing to spend to access one of your assets. Your attacker’s motivational level will be the strongest variable in your approach to securing any asset and will often determine your level of investment.
That’s why it makes little sense to evaluate IT security solutions until you get down to specific attackers. As cryptographer Bruce Schneier famously once said, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Security: a practice, not a fence
As our story shows, an effective security posture requires more than a strong perimeter. Unaddressed internal vulnerabilities will fester, and evildoers will keep working to find a viable way in. What’s needed is a consistently applied practice of protecting your assets and resisting threats over time.
One great way to practice security is to build an internal team around this function. Another is to regularly challenge your plan’s effectiveness by hiring third parties to assail it.
Bottom line, obvious technology-centric security solutions (such as a hardware store’s door locks and alarms), while critical, address only the obvious vulnerabilities. Any self-respecting attacker would likely avoid them.
Rather, security must be an ongoing process. A complete, ongoing security strategy should incorporate a 30,000-foot approach of controlling information, identifying key assets, knowing who wants your valuables, assigning motivation levels and managing solutions accordingly.
Be like a vigilant rancher: Never stop observing individual animals in your proximity or scanning the horizon beyond your fence. Because we all really are juicy targets. NP