Much has been written about Heartbleed and the speed at which various companies reacted to it. Notably, the Canada Revenue Agency (CRA) closed its online portal for several days and lost hundreds of Social Insurance Numbers (about 900, by the CRA's own count). Bloomberg also reported that the NSA had known about the bug, and exploited it, for roughly two years; the agency denied this. The point stands either way: Heartbleed leaks the contents of server memory, which can include TLS private keys and session data, so traffic that was nominally encrypted offered no protection against anyone who knew about it.
The flaw behind Heartbleed is not unique. Much of the software that powers the internet contains bugs that would give an attacker access to your private information. We simply don't know what those bugs are yet, and we will always be in that state.
Computer security is not like physical security. Adding extra layers does not necessarily help, and no matter what else you do, if someone has physical access to the machine it must be treated as compromised. The Snowden revelations leave no room for denial: we live in a world where very sensitive … Continue reading “What businesses can learn from Heartbleed”
Good cybersecurity means good info governance
Cybersecurity: the word conjures up images of software engineers in lab coats feverishly analyzing cryptographic code in an effort to thwart an attack from a country on the other side of the globe. Seemingly daily reports of major data breaches are now coupled with warnings about a cybersecurity “talent gap,” meaning a critical shortage of highly technical professionals who specialize in cybersecurity.
This is true. However, much of the work necessary to protect business data does not fall within the purview of the technical cyber-specialists. The foundation of any good information security program is good information governance. In short, before you secure your data, you have to know your data. You have to know what data you have, where you have it, why you have it and how you use it. This may seem like a seductively simple task, but often … Continue reading “Good cybersecurity means good info governance”