Pratum Blog

One of the common phrases used to describe an organization's information security posture is the "hard crusty shell with a soft gooey center". Does this describe your organization? If so, you need to rethink the idea of creating internal security zones. It's a given that you're going to have a lapse in information security. Someone is going to get through that hard candy coating and start nibbling on the succulent center. The question is how you stop them once they are in.

Internal security zones are essential to every information security architecture discussion. Take the multifunction device (MFD): a little Linux server with no anti-malware, lots of running services, no access controls and lots of storage. It's a ready-made hacker hideout. Why would an MFD ever need to communicate with the vast majority of your servers, especially a database or ERP system? A file server or an email gateway, maybe, but not the entire server farm. Why should a customer service PC, which only uses the web front end of your CRM, ever need SQL access to your database cluster? Why would your VoIP or voicemail server need to communicate with your terminal servers?

The answer to these questions is, in most cases, that they don't. So why do we allow it? If you know there are systems that don't need to communicate with each other, build internal security zones that enforce that, and deny everything you haven't explicitly allowed. By doing so you create choke points during a data breach and slow the attack. You limit the spread of malware. You break the automated routines that lead to a loss of data. Internal security zones are critical to information security. If you're not using them, you're leaving yourself very vulnerable.
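The following is an added example, not code from the original post or from Pratum. It models the zone policy the questions above imply: a default-deny rule set where only the flows the business needs (MFD to file server and email gateway, customer service PC to the CRM web front end, the CRM tier to SQL) are allowed, and it renders that same policy as nftables rules for an inter-zone firewall. The zone names, address ranges, ports and sample flows are all constructed for illustration.

```python
"""Zone-based internal segmentation: default deny, explicit allow."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the zones the post talks about
# (hypothetical ranges, not from the original post).
ZONES = {
    "mfd": "10.10.10.0/24",               # multifunction devices
    "workstations": "10.20.0.0/16",       # customer service PCs
    "voip": "10.30.0.0/24",               # VoIP and voicemail servers
    "file_servers": "10.100.1.0/24",
    "email_gateway": "10.100.2.0/24",
    "crm_web": "10.100.20.0/24",          # CRM web front end
    "db_cluster": "10.100.10.0/24",       # SQL behind the CRM
    "terminal_servers": "10.100.30.0/24",
}

# The only cross-zone flows the business needs: (src, dst, proto, dst ports).
# Anything not listed here is denied.
ALLOW = [
    ("mfd", "file_servers", "tcp", {445}),            # scan-to-folder
    ("mfd", "email_gateway", "tcp", {25, 587}),       # scan-to-email
    ("workstations", "crm_web", "tcp", {443}),        # users reach the CRM over HTTPS only
    ("crm_web", "db_cluster", "tcp", {1433}),         # only the app tier talks SQL
    ("workstations", "terminal_servers", "tcp", {3389}),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip):
    """Map an address to its zone, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None


def decide(flow):
    """Return ('allow'|'deny', reason) for one flow under the zone policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        # A zone firewall only sees traffic that crosses a zone boundary.
        return "allow", f"intra-zone traffic in {src_zone}"
    for s, d, proto, ports in ALLOW:
        if (s, d, proto) == (src_zone, dst_zone, flow.proto) and flow.dport in ports:
            return "allow", f"rule {s} -> {d} {proto}/{flow.dport}"
    return "deny", f"default deny {src_zone} -> {dst_zone}"


def blocked(flows):
    """Flows the policy stops: these are the choke points the post describes."""
    return [f for f in flows if decide(f)[0] == "deny"]


def render_nftables():
    """Emit the same policy as nftables rules: a forward chain with a drop policy."""
    lines = ["table inet zones {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, d, proto, ports in ALLOW:
        portset = ", ".join(str(p) for p in sorted(ports))
        lines.append(f"    ip saddr {ZONES[s]} ip daddr {ZONES[d]} "
                     f"{proto} dport {{ {portset} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample flows matching the questions in the post.
SAMPLE_FLOWS = [
    Flow("10.10.10.5", "10.100.1.10", "tcp", 445),     # MFD -> file server: allowed
    Flow("10.10.10.5", "10.100.10.20", "tcp", 1433),   # MFD -> database: denied
    Flow("10.20.3.7", "10.100.20.10", "tcp", 443),     # PC -> CRM web: allowed
    Flow("10.20.3.7", "10.100.10.20", "tcp", 1433),    # PC -> SQL directly: denied
    Flow("10.30.0.9", "10.100.30.5", "tcp", 3389),     # VoIP -> terminal server: denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, why = decide(f)
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {verdict} ({why})")
    print(render_nftables())
```

The point of the model is the order of operations: the allow list is short and describes business need, and the policy drop at the end does the real work. Running `blocked()` over a day of flow logs from the core switch, before you enforce anything, tells you which existing connections the zone design would cut off, which is where the arguments about what "needs" to talk to what get settled.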

Your company spends hundreds of thousands of dollars each year on new or upgraded information security systems and software to combat a data breach. Technical teams spend their entire careers staying one step ahead of the hackers to ensure information security in your organization. Yet it all comes down to one bagel.

One Monday morning, a guy parks next to you and walks to the building with you. He has a bag over his shoulder, a bag of bagels in each hand and a security badge on his belt. You get to the door and badge in. What happens next? In most cases, you hold the door and invite him in hoping the new guy will offer you a bagel. You hate Monday mornings. Oh…and your company just suffered the beginning of a massive data breach. You were the victim of social engineering.

Physical security is one of the three primary control families (administrative, technical and physical) used to protect against a data breach. Take extra care to make everyone in your party badge in when you enter a building. I know it feels weird. But an attacker who tailgates past the door bypasses every network control you own without touching the network, and an enforced badge-in rule is one of the few things that stops a targeted attacker who has decided to simply walk in. Social engineering is a common occurrence in the data breach landscape we face today. If you take information security seriously, you should also take physical security seriously.

The role of the board of directors of any company is to help the CEO with his or her blind spots and to provide oversight. As a board member, do you want to suffer through a data breach because of an information security blind spot?

Information security is a blind spot for most corporate executives. It's even a blind spot for many CIOs and CTOs. The smart and humble ones will admit it. How many humble CEOs and CIOs do you know? How many are willing to readily admit that they are not equipped to identify the risks in an area so vital to the organization?

A good board of directors should require an external security assessment just as it requires a financial audit. An external information security assessment shouldn't be seen as a critique of the CEO, but rather as a way to protect them and help them identify blind spots. The blind spot could even be one of their most trusted advisors, their own CIO.

The board's foremost duty is to protect the organization from the failure of a leader or a flawed system. Ensuring that information security is properly addressed lessens the risk of a data breach that would cost far more than the security assessment.
