What’s really plaguing cyber security?


It’s exactly the same as with car accidents. The problem with cyber security is enforcement. There are many laws, lots of regulation, plenty of talk and good intentions. Nevertheless, at the end of the day, the problem is all about enforcing these laws and regulations. Who enforces them? Well, the answer is practically nobody, and therein lies the rub.

In an interview with i-HLS, we asked GRSee Consulting CEO Ben Ben-Aderet what, in his opinion, was the main problem currently plaguing cyber security. His reply was unequivocal: “Enforcement. Those who ultimately determine whether to meet the standards, when they are there, are the clients,” he explains. “The Standards Institute is not in charge of enforcement. Furthermore, when you do not have a regulating body to set standards and terms, it all falls on the customers’ shoulders.”

Ben-Aderet’s replies throughout attest that even when regulation concerning IT (Information Technology) security does exist, it is not always effective. “Some companies’ turnover is estimated at hundreds of millions of US Dollars or billions of New Israeli Sheqels. The fines they get for breaking their respective promises reach a few hundred thousand Sheqels,” he reveals. “Economically speaking, in the short run they are better off breaking their word and paying the fine. So whether they will meet the standard or not depends on the standing within the company of the deputy CEO for legal matters and the Chief Technical Officer in charge of IT systems, who know it falls under their responsibility,” Ben-Aderet explains.

Over the years, Ben-Aderet’s company expanded its business into cyber services and cloud security. “In the case of cloud, as with most cases, legislation lags far behind technological development,” notes Ben-Aderet.

“There is an initial publication of ISO, but the rules are very abstract. Delay in legislation also has much more far-reaching business ramifications,” elaborates Ben-Aderet. “If an organization wants to transition to a cloud, they are bound to IT Security regulation. There is a good chance they won’t get approved.” By way of example, he notes that “When Bank Leumi took their CRM to cloud, they needed Israel’s Bank Commissioner to approve this. Otherwise, they would not let them do it.”

Nevertheless, using cloud services is a fact, and it is going to expand in the years to come. “Even organizations which consider themselves completely cloud-less do have some presence there, either through Shadow IT or in the form of employees who enter their Dropbox account and with a touch of a keyboard key introduce a security breach,” he explains.

In the absence of regulation, Ben-Aderet recommends adhering to IT security standards in the net – in addition to the existing cloud standards, rather than relying exclusively on the security delivered by the cloud service provider. According to Ben-Aderet, “providers are compelled to meet the standard, PCI, and SAS-E16.” He also notes that “the customer is usually incapable of checking whether the provider meets their commitments. The bare minimum is to make sure you relay strictly encrypted data to the cloud, and make sure the compartmentalization between it and other customers of the same cloud provider is maintained.”

Whether IT security experts like it or not, Ben-Aderet believes ’the cloud is here to stay’, and that people, businesses and organizations need to learn how to work with it and secure it. “There is nothing you can do,” he says. “You cannot go against the cloud.”