“Are you making it too easy?” was the fundamental question posed at the Toronto launch of a countrywide Dell Security Tour that has taken keynote speaker Michel Juneau-Katsuya and a panel of security experts to Ottawa, Montreal, Halifax and Quebec City this month, and is now moving westward to Edmonton, Calgary and Vancouver.
CEO of The Northgate Group and former senior intelligence officer with the Canadian Security Intelligence Service, Michel Juneau-Katsuya drew on his long-term experience in intelligence to alert the event audience to what he described as “the most important national security issue [after terrorism] in the world today” – corporate espionage. Juneau-Katsuya’s research into losses to corporate spying demonstrated in 1995 that Canada was losing 10 to 12 billion on an annual basis, while the US losses were in the range of $24 to 25 billion. So while the US is approximately ten times the size of Canada in terms of population, Canadian losses were half – a measure of our vulnerability that Juneau-Katsuya attributed to the fact that Canada is a knowledge-based society with a relatively high investment in R&D per capita, that also has a seat at “a lot of the tables” in international organizations. He also intimated that Canada is a prime target because we are not terribly well protected.
In Juneau-Katsuya’s view, global economic confrontation has (thankfully!) eclipsed military confrontation; however, there are now many more actors on the stage. Friendly nations and emerging countries are in on the cyber espionage game – one CSIS study established that 115 countries out of a total 196 have practised cyber espionage. This is now possible because large intelligence programs like the CIA’s are no longer required, and since “nerds in the back room” can mount effective attacks, the return on investment is considerable. Stealing information costs a lot less than developing your own research, he added.
In addition to outlining the magnitude of threat in the current landscape, Juneau-Katsuya also offered some tips on how enterprises may reduce their security risk. Surprisingly, technology is not necessarily first on the agenda in his schema. That spot is reserved for business culture, which is enjoined to rethink the strategic importance of security, and transform it from a cost centre or defensive mechanism to a “business reflex.” While technology is a critical piece in protecting company assets, a human being is typically behind an attack, and though security is not covered in the typical MBA program, Juneau-Katsuya argued it should be as every business has a website and is represented worldwide – and hence exposed internationally. This applies equally to the SMB, he argued, which in Canada accounts for 90 percent of economic activity and 80 percent of all R&D, but often cannot afford the highly paid security consultant. To help integrate the security perspective as part of doing business, Juneau-Katsuya advised:
- Managers need to build security awareness. It’s very easy for any threat agencies to carry out their tactics, and no one is too small to be targeted.
- Attacks come in various forms, and in some cases, may not represent illegal activity.
- The Bank of France approach is best: “trust is good, but control is better.”
- Insider threats – from the “wolf that is already in the barn” – mean security should start at employee hiring and HR should be involved. “Your company’s biggest risk is everyone in it.”
- Security is more “about a posture” than expense. An easy threat and risk assessment has three major components: threat to, plus threat from = vulnerability assessment, an equation that can help businesses optimize their security budgets.
- There is often a wide gap between a real and a perceived threat. Outside expertise may be needed to help a business understand the difference.
- With “MISE” – Money, Ideology, Sex or Ego – a spy can get anyone to work for them.
(For colourful detail on Juneau-Katsuya’s “five threat agents,” see the video at the end of the article)
To explain the role of technology, event organizers invited other security experts from Dell to describe the broad array of security solutions that are available to help, as panelist Bill Evans from Dell Software put it, “remove the consultant that takes three weeks at $2,000 per day, and do it [protect business assets] with technology in four hours.” According to Evans, security and software are big business at Dell, accounting for $1-2 billion in revenue on an annual basis. One reason for the success of this growing business is the company’s broad scope: unlike many other security vendors, Dell has capabilities that stretch from the enterprise perimeter to mobility and access management and to the cloud. These security portfolios were represented on the panel by David Mortman of Dell Enstratius, which provides security and governance management for clients using cloud services like Amazon; Claudio Damasco of Dell SecureWorks, which offers managed security services as well as threat intelligence research based on monitoring the “Kill Chain” that is used to proactively alert clients to particular vulnerabilities; Asif Savvas of Simeio Solutions, a partner that has used Dell’s identity and access management solution to create “Identity-as-a-Service”; and Manny Dhilon from Dell SonicWall, which has developed next-gen firewalls that enable unified threat management, composed of anti-virus and anti-malware software, intrusion prevention, URL control and deep packet inspection. With this broad set of capabilities, Dell believes it is possible to address threats from wherever they emerge and is working on integration of various solutions to provide even better protection – to remove problems associated with “security in silos” that Evans argued is the greatest technical challenge.