You arrive home after an enjoyable evening out. As you approach your house, you hear a noise that appears to come from around the back. Quietly, you step around the back and, in the gloom, you see someone at your back door who seems to be engaged in an attempt to gain entry. “Who’s there?” you call. The man turns; his face is covered. “Don’t worry, my friend,” he says cheerily. “I’m an ethical burglar just checking the security of your house.” He scoops up a bag lying next to his feet and scurries past you. As he passes, he turns and says, “By the way, all seems pretty good”; and with that he vanishes into the night.
What would you think? Is it ‘ethical’ for someone to try to break into your house without your knowledge?
There are some people out there who seem to think that, morally and ethically, it is fine to break into other people’s systems to ‘test’ their security. Recently, the NHS apparently suffered such an assault (http://www.telegraph.co.uk/technology/news/8567008/Fears-for-patients-data-after-hackers-hit-NHS.html#disqus_thread). The ‘hackers’ even suggested, “We mean you no harm and only want to help you fix your tech issues”.
Other recent data breaches (Sony PlayStation, Nintendo) have shown that all types of organisation are prone to attack, although it is probably the larger, more well-known ones that will suffer most. Even the IMF has been targeted (http://www.telegraph.co.uk/technology/news/8570957/IMF-computer-system-targeted-by-hackers.html).
Are these kinds of attacks ethical? Is it right for a group, or groups, of self-styled ‘security’ experts to brazenly try to exploit an organisation’s defences? The moral and ethical questions are probably pointless. These sorts of attacks will occur for as long as we have the Internet and clever people who use it.
So what should be done? Well, each organisation must protect itself as far as it can. Data should be assessed to determine the risk to that data. If the risk of attack is high, then the data needs to be protected; one such method is to encrypt it. Handling and classification of data should be unambiguous, and there should be clear rules for staff to follow. Perimeter defences for the network should be checked. One very effective way of testing such defences is penetration testing. One such example is https://www.itgovernance.co.uk/penetration-testing.aspx.
Ideally, Caesar’s maxim should be exercised (“the best form of defence is attack”). However, the geographical spread and sheer number of such hackers probably make this very difficult for most organisations to contemplate. Thus, the only way to protect yourself and your vital data is to make sure your defences are watertight.
Make sure your staff are trained to spot potential attacks. Make sure they know what to do if anything suspicious happens (e.g. a suspicious e-mail is received). Make sure they know of, and follow, the rules you have set for them to protect data.
Most of this is common sense; however, when did common sense ever stop a hacking attack?
If you would like to discuss any aspect of this article, then please contact IT Governance on +44 (0) 845 070 1750 or e-mail firstname.lastname@example.org. The website is https://www.itgovernance.co.uk.