IT security may seem like a very modern and specialist topic, but its core principles are ancient and not IT-specific at all. That is why a 2,400-year-old event can expose two major IT security problems that are found at a majority of companies today.
Let’s go back to 390 BC. The Roman Republic is experiencing some of its darkest hours. Gallic leader Brennus has just led his troops to victory over the Romans at the Battle of Allia River, and is now heading for the Eternal City. Most of Rome’s inhabitants have fled to the well-defended city of Veii, but the remaining soldiers have retreated to the citadel. Situated on Capitoline Hill, which has sharp cliffs on all but one side, the citadel seems impregnable. The only accessible side is fortified and defended heavily, and after averting the first Gallic attacks, the Romans feel confident their defences will stand.
Hoping to be relieved by forces from Veii, the Romans send out a messenger to the citadel. He departs via a little-known trail down the unguarded north side of the hill. But he is spotted by Brennus’ men, and they immediately plot to use this secret path against the Romans. The next night, they silently climb up the north side. As the first men reach the top unnoticed, the sacred geese at Iuno’s temple start cackling loudly. This awakens Marcus Manlius, who is able to fend off the first few attackers. Soon, his fellow soldiers come to his aid and they manage to overcome the Gallic attack.
Returning to today, your IT department probably has the same confidence as the Romans did all those centuries ago. You’ve built the modern-day equivalent of a citadel, surrounded by firewalls, the gates guarded by multi-factor authentication. If your digital citadel doesn’t scare away the attackers, it should keep out those that do try.
But as in Ancient Rome, your citadel probably has a weak spot. Perhaps an oversight, some outdated technology, or an insider acting insecurely, like the messenger who exposed the unguarded trail. Unlike the Romans, most organisations don’t have digital geese to warn them: a recent report by Verizon Business shows that more than 50% of all data breaches are discovered only months after the fact. In a startling 92% of cases, the discovery was not even made by the company itself; it was alerted by law enforcement (or others).
Merely discovering an attack is not enough. If still ongoing, it needs to be contained by your organization’s Marcus Manlius, and if it has ended, the damage must be repaired. Here, too, IT departments are not doing well: in more than half of the cases, it takes weeks or more before the situation is under control.
It isn’t simple to prevent your company from ending up on the wrong side of these statistics, but taking the first step is easy. Just ask these two questions:
- How many times were our systems attacked in the past year?
- How quickly and effectively can we respond to a security incident on our systems – for the five biggest threats?
With the right answers, you will no longer have to put your faith in divine geese.
About the author:
Jeroen Heijmans, Senior Software Analyst at SIG