Corporate IT, Security Teams Need to Put Aside Mutual Distrust

Andrey Pozhogin, a senior manager at Kaspersky Lab, said that companies in general have come to realize that corporate IT and security teams have to work together because of the nature of the threats that companies are encountering.

He mentioned the growing battle against ransomware as an example, where the IT staff now finds that without help from the security staff, they won’t be able to prevent ransomware attacks or recover from them if they happen.

However, gaps between IT and security still happen when one part of the equation doesn’t think about the fact that it affects the other. Kevin Coffey, senior business development executive of Censornet, related a story that illustrates it perfectly.

Industry view

He said that he’d encountered a company that had found itself the victim of a data exfiltration attack in which the hackers had been able to gather huge quantities of data from the company’s sales records.

What had happened, Coffey said, was that the company had a new soft drink vending machine installed, and because the machine both had a credit card reader and was able to automatically order replenishment, it was connected to the company network. What nobody thought about was that the soda machine, like most IoT devices, had no security.

When the security staff discovered that data was being stolen from the company, they learned that data was first being copied from the company servers to the soda machine, enabling the hackers to transfer the data to their own servers.

This happened because there was no coordination when the soda machine was attached to the network and nobody realized that the machine should be put outside of the company firewall, separate from the corporate network. And, of course, nobody was monitoring the data transfers from the soda machine because it was, after all, just a soda machine.


Learning lessons

While the story of the smart vending machine can illustrate a security lapse, it doesn’t necessarily motivate the company leadership to do anything about security. But other events sometimes do.

Several of the security vendors I spoke with said that what got their upper management and the IT staff to start worrying about data security was stories of major distributed denial-of-service attacks such as the recent DynDNS attack or the seemingly endless stories of ransomware attacks, especially the stories in which the attackers kept the money without delivering a decryption key or repeatedly attacked the same company, knowing that they would pay up each time.

While the gulf between IT and security still has a ways to go before it’s closed, the one thing that appears to be happening is an understanding of the needs each group has for it to do its job. This can lead to a level of cooperation that is necessary for organizations to have meaningful security. And meaningful security is a huge step in the right direction.


Originally published on eWeek


Wayne Rash

Wayne Rash is senior correspondent for eWEEK and a writer with 30 years of experience. His career includes IT work for the US Air Force.
