A Security Success Story

Kraft Kennedy


The August Scientific American contains an encouraging article for anyone helping organizations reduce information security risks: “How New York Beat Crime,” by Franklin Zimring. Many times it seems like the criminals are winning in the battle for security on the Internet. I lived and worked in NYC (Bronx, Brooklyn and Manhattan) in the 1980s and 1990s and vividly recall the many neighborhoods that were not safe after dark. It really seemed like the streets had been lost to criminals. My personal experience includes one apartment robbery and two car thefts. I still recall trying to drive off in my car after two of its wheels had been removed and the car mounted on cinder blocks. Now, however, I am hard-pressed to think of an unsafe NYC neighborhood.

The story behind New York’s improvements can provide insight into how to reduce information security risks within enterprises, both law firms and their clients. The New York City story is that in less than one generation the rates of homicide, burglary and robbery dropped by 80%. While city anti-crime techniques are not directly transferable to enterprise security management, there are still some interesting lessons to be learned.

According to Zimring, a Berkeley law professor, a significant part of the drop in crime rates was due to increased police on the street.  A second factor was the use of automated crime reporting, facilitating deployment of those police to “hot spot” neighborhoods.  While these observations might seem obvious, there have been dozens of proposed crime reduction strategies, including the “broken windows” approach or strategies dependent on reducing drug use, to name just two.

In the information security realm, we can’t police our systems, but we can monitor assets for intrusions or insider attacks. We can set up protocols for monitoring security within our cloud vendors. We can and must deploy appropriate monitoring of physical access. Most organizations don’t pay enough attention to security monitoring. In fact, it is one of the five fundamental security processes without which other security controls will not be effective. Monitoring is especially critical today, when many attacks take place over weeks or months (insider attacks or Advanced Persistent Threats).

The second step taken in NYC was the use of crime statistics. These statistics were real data and not just vendor-supplied “fear, uncertainty and doubt.” Today there are many breach notification web sites from which real data can be taken. These should be analyzed and the information applied to your organization. Many major breaches today, of course, involve social engineering. For both corporations and law firms, managing this threat is a key to preventing outside attacks and insider breaches. The biggest deterrent is appropriate awareness training that is offered to each constituency in the firm. “One size fits all” training has little impact.

The good news suggested by the New York City experience is that we do not have to lock up all information to prevent data breaches. By focusing on real threats and including security monitoring in key areas we can make measurable progress, hopefully in less than 30 years. NYC car thefts are now down to one-sixteenth of the 1990 levels; maybe I can park again within the five boroughs without losing my tires or radio.


