It is normal that when confronted by a problem, our immediate reaction is to find a solution. However, I was struck by a statement in a recent Kindle book by Phillip Ferraro (July 2016, $7.61) titled Cyber Security: Everything an Executive Needs to Know:
“How do we solve cyber security?” The answer is that cyber security is not a solvable type of issue. It is an ongoing and ever evolving business process. We want our businesses to be as innovative and progressive as possible. We want to provide as much convenience as we can for our customers, as well as our employees. Great advances in technology and science are allowing us to accomplish these things as we incorporate these new technologies. However, with these new technologies come new vulnerabilities along with new attack vectors by criminals. To stay ahead of the attackers is a constant and ongoing battle. For this reason, cyber security must be on the agenda of every board meeting.
Ferraro is an experienced CISO (chief information security officer) who knows what he is talking about. He has worked on security in the federal government, in the Department of Defense, the intelligence community, and the Federal Communications Commission, and has won many awards and accolades for his work.
There are at least four reasons why computer security (and by extension mobile security) is not a solvable issue:
First, as noted above, we live in a state of constant change. Constant change means that it is impossible to maintain fixed standards. And change is happening so fast that it is impossible for one person to be in charge of security and hope to keep up with it. It is a team effort and, if possible, needs to involve every employee.
Second, in spite of best efforts at testing and quality control, new software always has bugs, some of which don’t show up until months or years after a program has been released. It’s just the nature of the beast. With bugs come opportunities for unethical hackers to find weaknesses in a program.
Third, computer hardware and software are complex, with millions of interconnections in play. One of the characteristics of complex systems is the emergence of the unexpected: phenomena that could not have been predicted but that show up as surprises. These surprises are also possible vulnerabilities that were not foreseen.
Fourth, those people who want to do harm to a business, or a country, are often very creative individuals themselves, and have access to the latest high-speed technologies which they use to probe for vulnerabilities they can exploit. According to Mark Ward, BBC’s Technology Analyst, “Every day, come rain or shine, [hackers] crank out about 250,000 novel variants of viruses.”
Given all of these factors, it is impossible to solve security once and for all. Instead, CIOs and CISOs must have “dedicated resources to developing a rock solid cyber security program that will make your company a hard target.” All companies must have the basics of security, of course, such as difficult passwords, encryption, firewalls, and virus scanners. But most competent hackers can break through those standard measures. Other steps include segmenting company networks and making it much more difficult for hackers to find encryption keys. Given that most companies will get hacked at one time or another, speedy detection and removal of intruders is just as important as absolutely keeping them out.
Mobile security is one element of general computer and information security, but it is increasingly becoming the new focus of hackers because of the ease with which users share information about themselves and where they work, and the tendency to mix work and personal applications on mobile devices.