By the nature of their business, aerospace contractors have always maintained a close relationship with the Department of Defense. As a result, these companies are required to maintain compliance with DoD information security policies and procedures, including a policy of regular audits and security assessments. These audits are taken very seriously. Failing could lead to lost government contracts, a permanently damaged reputation, and possibly the eventual death of the business.
This strict adherence to security is not just for show. Consider the following:
In 1994, systems belonging to the U.S. Air Force and aerospace contractor Lockheed Martin were compromised by a 16-year-old and a 21-year-old over dial-up Internet. More than 100 users email messages were read and copied onto a remote system, classified defense research data was downloaded, and the compromised systems were then used as gateways into other government systems.
In 2002, a Scottish systems administrator named Gary McKinnon was accused of compromising 97 computers belonging to the U.S. military and NASA, shutting down more than 2,000 additional computers for more than 24 hours, and downloading numerous classified files. The cost of the investigation alone for this incident exceeded $700,000. The hackers motivation? To uncover evidence that UFOs really exist.
Fast-forwarding to today, the major information security threats to DoD aerospace contractors come from nations potentially hostile to our national interests. Cyberespionage is a real threat. Imagine if vital data fell into the hands of another nation simply through a malicious email attachment.
While it may be impractical to assume that every business should comply with DoD information-security practices, small businesses especially need to learn a thing or two from standardized information-security practices:
1. Identify your Assets. Whether you are building missiles or selling sweaters, your business has some sort of information assets that need protected. Are you storing credit card numbers? What about customer contact information or the companys own financial information? Create a list of all possible information assets, being as specific as possible. If something cant be identified, it cant be protected.
2. Develop a Plan. The next step is determining exactly where these assets are located and how to protect them. Who has access to this data? What systems are used to access it? How are these systems secured against intruders, and how are you prepared to respond in the case of an incident? By identifying all the open doors to your assets, you can start closing and locking them.
3. Take Action. Put your plan into place. Have your IT team install the necessary software and hardware, and educate your employees on the new policies and procedures. More importantly, enforce violations of those policies. If your employees do not take security seriously, security will not exist.
4. Reassess, Refresh. Arguably the most important step is making sure that plan is working, and allowing for its continual growth. Have your own internal audits, or hire an outside information security team to make an assessment. Threats change every day to adapt, security needs to be a growing and evolving set of practices.
Neal Custer, president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc. Adjunct professor at Boise State University. firstname.lastname@example.org. Written with Reveal information security expert Dylan Evans.