The bulk of an iceberg is hidden below the waterline, where it lurks ready to sink large entities, whether the Titanic or a corporation. One of the most recent news items about data security ‘icebergs’ involves incorrectly configured web servers at a number of prominent organisations. The systems at risk were identified by ethical hacking: the method was to search Google for a combination of words that would indicate that the system in question was not configured correctly. US consultant Bryan Seely claimed to have pinpointed 25,000 websites in this way, corresponding to between 400 and 500 business entities. But there’s more than one dimension to a data security iceberg.
Configuration problems like the one Seely uncovered, bugs like the recent Heartbleed bug and malware infections at large retailing businesses have all made the news in recent times. That should prompt IT departments and data security officers to check whether their own systems could be compromised in the same way. After all, if one person can find 25,000 sites potentially at risk, it’s likely that there are others too. But while it’s essential to keep systems correctly updated and to apply corrections in a timely way, these actions still concentrate on the visible problems. That leaves the invisible ones.
Enterprises and organisations should navigate in ‘iceberg’ mode wherever possible, prepared to ward off hidden dangers as well as visible ones. Smart data security thinking includes ethically hacking your own business to see how would-be attackers might get in. It includes being suitably suspicious of any configuration that could harbour security threats such as advanced persistent threats (APTs), being firm about staff information security awareness, and having a thick skin for any comments that you might be overdoing things. Remember that with the menaces around today, both online and offline, it’s wise to be extremely prudent about how your business data is stored, accessed and secured.