Organizations that aspire to be resistant to attacks and threats to their information systems should examine natural information protection strategies, strategies that have developed over billions of years of evolution under challenging and complex security conditions.
Information security in organizations is a central issue in any information-based system. The history of information protection in organizations is full of failures. In a blog recently published in Harvard Business Review, Rafe Sagarin reviews several strategies for securing information in nature:
Flexible boundaries: the general assumption is that information must be protected at all costs, and that is why we establish borders, barriers and firewalls ("firewall" - commercial software for protecting an internal organizational network) of all kinds, whereas in nature, boundaries between organic and inorganic substances, between different ecosystems and between Species are created, challenged, destroyed and rebuilt in an endless vicious circle, with the barrier only a temporary obstacle to the invader.
In the same way, the rapid evolution of cyber attacks has led to a rapid evolution of the various security mechanisms.
The conclusion is simple - modern organizations should adopt the basic assumption that almost all electronic information can be used as "open source", and work effectively in this situation.
Broad spectrum: the biological world is also a type of "open source" in the sense that threats are always present, they are often unpredictable and change frequently. As a result, investing in a defense measure suitable for a specific threat leaves the system exposed to other threats, and it is necessary to build defense systems against a wide spectrum of threats. Our immune system, for example, is prepared to deal with different types of viruses, bacteria, parasites, fungi and so on.
Those in favor of the "broad spectrum" approach against biological or chemical warfare, claim that terrorist/war events are a very small part of the risk, and that it is better to develop a broad defense strategy, which will also attack the response of the health systems. Such a strategy would enable protection against laboratory accidents and natural mutations that have the same effect, and not only against terrorist acts.
In the same way, cybercrime is a small part of the digital risk spectrum for an organization. The broad spectrum approach favors general vision over targeted protection, and redundancy over efficiency.
Redundancy: Organisms in nature, despite being limited in resources, have developed several layers of security. In DNA, for example, there are several codes for the same protein, so it is difficult for a virus to break the code and change it. Redundancy in nature as a security strategy is also expressed through relinquishing certain parts in favor of securing more necessary system parts, as can be seen in sacrificing the lizard's tail in order to protect its vital systems. Using this strategy in an organization can turn into an advantage, by sacrificing certain information in order to learn about the hacker's modus operandi, to prepare the system for the next attack.
Getting off track: Of course, the problem of information security has become very essential as a result of our increasing dependence on information. In nature, one of the strategies is simply to get out of the cycle of dependence on information. Various species in nature have deviated from their species, such as flightless birds, stingless bees and scaleless snakes. In the past we managed without information technology, and even today various organizations do not allow the use of smart phones, textual documentation of meetings and the transfer of information by email. A strategy that is getting stronger in many companies.
Prevents competition: in the depths of the sea there are various species that live in an environment completely devoid of competition. In this case, although there are savings in building security and protection systems, these creatures do not evolve or change. This approach can be appropriate in some places, but it is important to remember that without threats, constraints and competition, there will be no development, invention and progress - neither in nature nor in the organization.
2 תגובות
Two indirect comments.
It turns out that the biggest hacker in the world is the United States government, through the PRISM computer spying system whose existence was leaked by a man named Snowdon. Snowdon is today being persecuted by the United States and he is fleeing from country to country. Currently, it is possible that Snowdon will seek political asylum in Russia (which and China are probably the main victims of the computer espionage PRISM).
Another matter. In recent days, the United States government has announced that a CYBER attack will be considered from a military point of view as a conventional war attack (physical trespass, physical damage to facilities, etc.). Therefore, the United States government may respond with physical warlike actions to a CYBER attack that would significantly harm the United States; That is, the United States government will not limit its responses to CYBER countermeasures, but will consider itself the right to bombard, occupy, blockade, etc. any enemy that acts against it by cyber means only.
This article tries to link too much between the world of security and the world of biology.
There is no need to tempt hackers with a series of administration battles, and there is no need to yearn for security changes.
In my opinion, the only correct part of the article is that every secure system should be dynamic.