When the latest CIA cybersecurity breach was announced recently, many people assumed the hackers must be very good. They broke into the CIA, the most sophisticated intelligence organization in the world. There are visions of wily hackers ensconced in some faraway land figuring out the latest code and encryption-breaking schemes to crack into the CIA’s super-secret network.
The real story is very different and gives us a look into what we need to be concerned about in the automotive aftermarket industry.
The CIA breach was from a section of the CIA called Vault 7 and contained sensitive data. This data was stored in what is called an isolated facility, which means there was no network connection to the outside world. Vault 7 was not on the internet, so a hacker could work on this problem all he wanted but could not get to something he cannot connect to. So essentially this information came from an insider who was able to steal it and leak it to WikiLeaks.
This provides a clue to what is wrong with the dependence on IT departments to protect you from a cyber attack. It’s important to note that if this happened to the CIA, your company is certainly vulnerable.
It’s difficult for IT departments to stop an employee from stealing sensitive documents. No corporate IT technician is going to be able to prevent an employee from mishandling sensitive data, or shouting a password across a cubicle to a coworker. This type of thing happens all the time.
Another problem is when an employee takes a corporate laptop with sensitive company information to the local coffee shop and connects to an open Wi-Fi network where an opportunistic hacker can steal their information. Once again, your corporate IT department cannot prevent this.
Where Is the Problem?
The problem is in process and procedures. Cybersecurity defensive technologies are very well built and evolving rapidly every day. However, these types of technologies will only help against actual brute-force, hacking-type attacks. They will not save you from your own company’s missteps. And that is where the problem lies.
Say that your IT security person recognizes this problem and goes to the accounting department and says, “I want you to handle sensitive documents in a certain manner prescribed by a written set of rules to keep them secure.” The accounting department will have no authority to get this done, and hardly the inclination.