Stuxnet is a special type of computer worm that spies on and reprograms industrial systems used to control and monitor processes. First discovered by VirusBlokAda, a security firm based in Belarus, in June 2010, Stuxnet targets specific industrial systems. According to Symantec, nearly 60% of all systems infected by Stuxnet are located in Iran. Many people are wondering whether it was developed to damage Iran’s nuclear facilities.
Whatever the reason for its existence, such a worm, with potential to destroy navigational systems, oil refineries, medical facilities, and mining systems, does have implications for your business. Organizations are integrating operations with the web due to its speed, efficiency, and cost reduction. This exposes firms to digital terror, digital fraud, and intellectual property thefts. The solution is not to decouple from the cyber community, as some have suggested. Ratherm businesses should develop a holistic strategy that mitigates these threats.
During my days as a bank IT infrastructure administrator (certified in Microsoft and Cisco security technologies), I developed security guidelines for firms and individuals. Let’s look at some of them under the shadow of Stuxnet:
Establish IT Security Policy: Regardless of your company’s size, have a policy that protects your firm’s digital assets. You can’t tell if your policy is working if you don’t have one.
Train Your Staff: Threats mutate daily; your staff needs to keep up.
Make Your Staff Partners: This is perhaps the most important one for financial institutions in particular. You must ensure that you have ethical and honest work teams that are dependable.
Under Industrial Espionage: Assume that your firm may be under attack; that make it more likely that you’ll develop ways to stop it. For example: You’re at a conference. Those flash keys your competitors give you to load an innocuous academic paper from your work laptop could reveal far more than that paper.
Get Data or Processes off the Web: Not all machines have to be online. Build a network that creates a cushion between your most critical server and the web. Have a redundant server between your critical data and the web so that any attack will first hit that redundant one. Decouple most industrial processes from the web.
Backup: Never assume that the computers will be working. And when you backup, use a protected storage device. Small firms should choose password-protected flash-memory keys. Big firms can rely on encrypted tapes. Banks in particular should move their backup off-site, in case of natural disasters.
Use Bank Vaults: When I came to the U.S. from my native nation, I used bank vaults for my important documents. If your small company does not have a secure place to store backups, consider a bank vault.
What are you doing to keep your data and systems secure?
Author: Ndubuisi Ekekwe
Originally published in Harvard Business Review