“Whether it’s a trusted insider betrayal, through blackmail or naiveté or a result of remote recruitment”, people are your main threat. “Scientists say people are more willing to share secrets online than anywhere else, and Americans fall for social pressures [social engineering] time and time again”.
It only takes one individual in thousands to betray our government, “and that one individual only needs to get it right once. One betrayal can cause loss of life, loss of profit”, he explained.
The unintentional insider threat is also a big problem, especially when your staff are mobilised and travelling abroad. Mullen gave the following advice for minimising the risk:
- Never lose sight or physical control of your device: “It surprises us what people put on their devices that they don’t need to take with them”
- Never accept files
- Never use local services
Mullen described his career as “playing the offense.” You can have an active offense and know a lot, he explained, but “if you don’t apply it, you’ll be beat.” While Mullen described offensive operations as “dynamic and constantly moving”, he labelled static defense as being vulnerable to “defeat over time”.
Having defined the information security challenges, Mullen declared risk management as the strategy that will “protect your organisation, your IP, your ROI and your networks.” Security programs, he admitted “are not easy and they don’t generate revenue, but they’ll protect your longer-term visibility and revenue.”
The CIA often sees organisations trying to shave money from the security budget. “People are trying to protect their profits, but you need to protect what gives you your competitive edge”, he advised. Protecting information is inconvenient, but you have to consider what you can’t afford to risk. “Security and risk mitigation has to be a part of everything you do before you do it.”
“Cyber-attacks are ongoing, security technology fails, people are naïve and people may betray your company”, he said bluntly. “So identity the one thing that is most important to you and put resources into protecting that. You have a better chance of survival if you do that.”
Besides risk management, Mullen’s other significant advice for organisations is to “get as many people around the table as possible when discussing a new technology process”, with representatives from all parts of the business. “In CIA we do a pretty good job of this”, he concluded.