By Erin Monda, TMCnet Contributor
I recently had the pleasure of discussing cyber threats with Alastair MacWillson, the managing director at Accenture (News - Alert) Security Practice.
I asked him to share his insights on the network security issues facing A&D companies and his thoughts are as follows:
I have seen more genuine and widespread alarm about cyber security attacks and threats among corporate executives during the past year than in any of the previous 20 years I’ve worked in this industry.
In fact, the level of alarm has intensified considerably in the last 12 months—in some cases to astonishing levels--compared with only 2 to 3 years ago. This cyber security problem is spreading especially fast in the aerospace and defense industry. Cyber criminals see this industry as full of opportunities to do their damage and are aggressively moving into this arena. Equally disconcerting, neither governments nor industry are well positioned to respond. Paralysis has developed amid the growing threat.
In fact, too many corporations and organizations in the A&D industry are vastly under-investing in cyber security. They are not making the issue a strategic imperative by embedding cyber security into all their processes. So far they’re only investing in ineffective “smoke and mirrors” approaches, believing that the protections they have in place are good enough. But they’re not—not even close. By under-investing on various fronts, they are taking on more risk. To reach even adequate levels of protection, they need to invest a lot more.
Aerospace and Defense Industry: A Primary Target (News - Alert)
There are four key reasons why cyber threats are escalating particularly swiftly among aerospace and defense companies. The industry’s attackers are becoming more professional.
It has been many years since hackers progressed from being “script kids” to highly organized professional criminals. But while all organizations face this threat, A&D companies rank alongside government departments as the organizations most likely to attract attentions of well-resourced, and potentially government- or terrorist-funded, hacking groups. Organized criminals looking to steal and sell intellectual property assets would also put A&D companies at or near the top of their target list.
Escalating Innovation in Workforce Technologies
The broadening use within A&D companies of emerging technologies, such as Internet-based communication and collaboration via mobile handsets, creates cyber security challenges. Many security architectures still in place now were designed in the pre-Internet era. And—not surprisingly—they struggle to keep pace with risks. Furthermore, many of the entrants to the current workforce are habitual users of online applications that are almost impossible to monitor and control, such as social networking sites. Such entrants regard access to these as a personal right rather than a privilege. Clearly, anyone accessing such services via a device holding sensitive corporate data exposes the company to unwanted and unnecessary cyber risks.
The Increasingly “Elastic” A&D Enterprise
A&D companies are seeking to “do more with less” in IT and realize efficiency gains. In a globalized and interconnected world, these efforts inevitably include making increasing use of virtualization, and sourcing a widening range of services from external suppliers. These include potentially cloud-based providers based in lower-cost locations offshore.
The Industry’s Highly Interdependent Supply Chain
One of the A&D industry’s defining characteristics is the close integration and inter-reliance within the industry’s value chains, which often encompass a wide array of specialized activities carried out by various businesses in different countries. Some companies are “master integrators.” They act as central managers and coordinators of an industry supply network extending a long way outside the enterprise. In information technology terms, the effect is to create composite systems operated and accessed across multiple companies and organizations all along the supply chain. The weakest link in the supply chain will determine the vulnerabilities of these composite systems to cyber attack. So each company or organization faces risks centering on quality and effectiveness of its own cyber security, along with other participants in the supply chain.
So Specifically, What Should Companies Do?
For starters, be proactive. Companies should anticipate what new threats may challenge the enterprise, and which security elements can help to improve performance. Then they need to weave the right security features into the firm’s infrastructure and digital assets. Experiences of leading companies offer a set of five principles (see below) that have proven effective in guiding this type of initiative. They should look at cyber events in real time so can take action in real time. Regarding cyber security many companies remain in reaction mode. They need to get ahead of the curve by knowing what technologies to use and installing them, knowing what trends to track. Here are the five key steps:
Identify and Secure the IT Assets Themselves, Not Just the Perimeter
Effective cyber security starts by knowing what data and technology are essential to operations and business continuity. There should be a detailed plan to protect those assets and capabilities from being compromised, including a robust test of the plan to make sure it’s viable.
Build a Hard-Nosed “Culture of Security”
Many A&D companies do not clearly define where the oversight or accountability for cyber security resides. They may also find that management responsibility and accountability can be dispersed and fragmented. By contrast, A&D companies that exhibit a “culture of security” make responsibilities and accountabilities explicit. Such companies tend to view themselves as stewards, not owners, of personal data. They take actions to protect data entrusted to them.
Pay Closer Attention to Applications
Most applications were not engineered with security in mind, because developers assumed they would sit behind a secure perimeter. With that assumption no longer valid, legacy applications will eventually have to be re-engineered; new applications will need to be developed under a new security program paradigm. This is not just an issue for corporations. Many federal government agencies have adopted benefits of commercial off-the-shelf applications from software providers to support daily business operations and enable efficiencies and cost savings.
Check and Double-check User Identity
Effective identity and access management programs should create value by embedding pervasive security without sacrificing functionality and ease of use. Open-source protocols such as Opened, which allow users to log on to different services with the same digital identify, are starting to catch on.
Develop Acute Situational Awareness
Keeping ahead of risks means, first of all, understanding exactly what key risks the company or organization is facing across the whole landscape. This includes the supply chain and business collaboration network. Leading companies have developed vendor-management programs that make it possible for them to embed data privacy considerations and requirements in the procurement process and during delivery. Some of these firms have implemented auditing processes to test the providers’ security practices. If companies only react to suspicious activity, a recorded incident, onset of an attack or a malware outbreak, it may be too late. A company must also actively gather cyber intelligence and watch downstream activities.
Final Thoughts
Make no mistake: Network security has shot to the top of corporate executives’ priority lists. And it has risen especially fast in the past year. The reason is the biggest and latest trend in which the level of professionalism in cyber threats and attacks has risen to unprecedented levels. These are smart people doing extremely complex, tightly interwoven, and serious things aimed to harm, exploit, and manipulate.
A&D companies and organizations must invest to counteract this major set of problems now.
