Cyber security challenges

25 July 2016

This month, Ali Palmer asks Mark Kendrew about the cyber security challenges facing companies today. As an independent information security leader, strategist and change agent, Mark helps leading UK companies to achieve their business goals whilst also reducing their risks to acceptable levels.

Cyber Security seems to be a “buzz phrase” in many organisations today but what do you think a client’s understanding of it really is?

Some clients see Cyber Security as synonymous with IT Security, i.e. the technical capabilities required to ensure the confidentiality, integrity and availability of data in IT systems. Others view Cyber Security as synonymous with Information Security, i.e. the capability of an organisation to protect and defend its information systems and the data they contain from unauthorised damage, exploitation and use. This second definition expands the scope of Cyber Security to include how people use, store and share information using physical media, e.g. printed reports, drawings and voice communications.

Irrespective of which term is used, it is important that organisations are able to realise their business objectives whilst achieving appropriate levels of security. They need to understand what information they have; how they create, store, use or share it; and the security risks associated with it being lost, stolen, corrupted or inaccessible. This knowledge can be used to define and prioritise the actions taken to mitigate the risks effectively.

As an experienced information security leader do you think that internal threats are often more successful than external threats and what threat concerns you the most?

During 2015 and 2016, 82% of all reported data breaches involved people, showing that the boundary between external and internal threats is becoming blurred.

An essential element of any external attack is being able to conduct reconnaissance on the target organisation and find a route in for deploying any malicious code. This requires help from individuals inside the organisation, some of whom may be providing help unwittingly by clicking on phishing emails 1.

By contrast, insiders can also act maliciously to steal customer contact details and intellectual property, commit fraud or gain access to sensitive corporate data that might assist insider dealing. The motivation for such actors can be supported by external parties involved in crime or espionage.

Despite the Panama Papers example, many insider attacks go unreported and so public opinion is focused towards tackling external “hacking” threats. If organisations were able to increase their focus on tackling the insider threat, then they would reduce such risks. They may also be able to use the same methods to better detect breaches by external attackers.

As the threats in companies today are increasing what four pieces of advice would you give to those around the Boardroom table?

Organisations with mature and effective information security usually have their Board fully engaged in understanding and dealing with security risks. They successfully adopt a collaborative and systematic approach to risk management and incident response that bridges the business, technology and security disciplines.

Boards and their organisation need to recognise that they will suffer data breaches and so should have breach detection and incident response capabilities in place and regularly tested. To reduce risk, they need to take a layered approach, prioritising their actions based on the sensitivity of their information and the nature of the risks. Being able to demonstrate how these actions can lead to a reduction in the level of risk carried by organisations will increase Board engagement and help support the business case for investment.

Boards should have a clear information security strategy that is driven by their information security risk priorities. This strategy should take into account that the threat landscape is always evolving – much like warfare. Developing security capabilities to address the different threats to an organisation takes time and money to complete. I have found that delivering some capability today, is often better than delivering a greater capability next month. Therefore, boards should adopt a strategy delivery plan that is capable of being flexed as the security landscape changes.

Is there a market failure for security investment?

Organisations seek to achieve their strategic business objectives within acceptable levels of risk. In my experience, organisations will invest when they recognise the significance of their Information Security risks. The future global economic uncertainty is likely to make this task harder as budgets are constrained to maintain financial performance. Those responsible for managing information security and driving IT-enabled security changes need to be able to articulate the risks in a language that the Board can understand so that investment decisions are based on compelling arguments that they can support.

What are the key business issues that we will have to worry the most about from a security perspective?

Organisations are increasingly working with third parties to deliver their services. There is a clear need to ensure that information going outside the organisation’s perimeter is protected to the same degree as it was inside the organisation. This covers both the transfer of information between organisations and the protection of information by third parties. Organisations need to carry out due diligence of all third parties to ensure security risks are managed within acceptable levels.

Many organisations depend on communicating with people on the move who are accessing and working on information from mobile devices. These devices pose additional security risks that require careful mitigation, particularly where sensitive information needs to be viewed or created by senior business leaders. Organisations need to have workable policies and security controls in place to cover these operating scenarios.

Lastly, many organisations are moving their data storage onto Cloud solutions. There are clear business benefits for doing so. However, there are also significant IT and information security risks that such solutions present. Organisations need to determine what information they should store in the Cloud based on a holistic analysis of the business, IT and security costs and risks associated with the on-premise and Cloud alternative solutions.

How can we build a safer cyber world?

For me, the engagement of senior business leaders is critical for successfully tackling cyber security. There are four key areas that I help business leaders to address so that they can build a more secure business environment where cyber threats are likely to cause less harm:

  • Valuing information: Business leaders need to understand what information they use and store within their organisation or share with other organisations. Knowing this, they can identify the sensitive information that they need to protect.
  • Understanding the risks: Business leaders need to understand who might wish to steal, corrupt or prevent access to their sensitive information and how they might do so. Knowing this, they can quantify the level of risk and whether their organisation can tolerate this.
  • Mitigating proactively: Where the risks cannot be tolerated, business leaders should ensure action is taken to reduce the risks and/or establish contingency plans for these specific scenarios so that they can accept the residual risks 2.
  • Responding to breaches: Security breaches will happen, so business leaders should have established incident management procedures that are regularly tested and capable of responding in a timely and flexible way with the evolving nature of an incident.

Ali Palmer is a Consultant within the Technology practice of Odgers Interim

1 Phishing emails are often sent into organisations, providing information that encourages recipients to open an attachment or link. Once opened, the attachment or link runs malicious software or establishes a link to the attacker’s computer.

2 GCHQ has published “Ten Steps to Cyber Security”, which describes actions that organisations can take to protect themselves against the majority of cyber threats. Some organisations may wish to go further through the Cyber Essentials scheme or by achieving the international standard for information security management, ISO 27001.

Steve Scholes at 04/08/2016 23:52 said:

It's good to see in the footnotes reference to 10 Steps which really is the minimum standard that is recommended to be implemented.

I have in the past created business cases for achieving the capabilities outlined in PAS 555.

PAS 555 supplies a holistic framework for effective cyber security which not only considers the technical aspects, but also the related physical, cultural and behavioural aspects of an organisation’s approach to addressing cyber threats, including effective leadership and governance.

Through this approach, PAS 555 enables organisations to:

  • focus investment in the most appropriate way, minimising potential losses and improving operational effectiveness and efficiency;
  • develop organisational resilience by improving loss prevention and incident management;
  • identify and mitigate cyber security risk throughout the organisation.

PAS 555 applies to the whole organisation and its supply chain, avoiding the dangers that can arise when the security measures fail to cover the whole of the business. It is an adaptable approach which can apply to any organisation, whatever its size or type, whether commercial, not-for-profit or public sector.

PAS 555’s flexibility allows an organisation to utilise its own defined processes or the adoption of other standards and management systems to achieve its intended cyber security ends. PAS 555 can be used alone, but is also compatible with many major security standards, such as ISO20000-1, ISO27001, ISO22301 and ISO31000.

Obviously the above is for the larger organisation; however, there is always a case to be made for reading such reference material and, wherever possible, looking to strengthen your own organisation's cyber security. The cost may even be very small, or just a behavioural change.

What is certain is that both Cyber Security and IT Security in general will continue to be improved and become ever more sophisticated as both internal and external risks increase and modify, and attacks even come to life (from being planted and asleep in systems).

It's still however very surprising how poor personal computer security is, and how open people are to attack.

Ali Palmer at 29/07/2016 14:05 said:

Many thanks for your response Harry. It is becoming a hot topic for many organisations and something that people are going to have to tackle head on. I shall certainly look up the resources you suggest.

Harry Cruickshank at 29/07/2016 12:43 said:

Thanks for this article Ali - the more the subject is highlighted the better. There are many aspects to managing cyber security, some more obvious than others. In large corporates, it is to be hoped that IT security staff are on the ball and actively working to safeguard business data and assets, as well as educating employees as to the various dangers they face and how to best protect themselves. For SMEs the problem is somewhat greater, as they often lack the resources and sophisticated tools employed by global enterprises. However, there are practical steps they can take to mitigate their exposure.

Much of the inherent risk can be avoided simply by deploying common sense measures and by having employees think a little more carefully. Some examples:

1. When using public Wi-Fi networks, everyone should be using a VPN to secure their connection and avoid 'eavesdropping'.
2. The advent of bring-your-own-device (BYOD) exposed companies to the danger of external connections from unsecured laptops, mobile devices and USB drives. Educating employees on how to secure this hardware is essential.

Companies are also liable to miss obvious potential breaches, a favourite being employee network/application access and how employees who leave do not have all access instantly revoked. In my own experience, I left a blue-chip brand and was able to access confidential data for almost 3 weeks after my departure.

For some time, companies have been able to engage ethical 'white hat' hackers (such as Jennifer Arcuri's excellent 'Hacker House') to test their corporate defences. This not only flags up security gaps to be addressed, but also provides in-depth consulting on potential risk areas and how to mitigate exposure. Some companies seem to regard this as a dangerous activity, whilst forgetting that unethical hackers are already focused on breaking their defences to access, ransom or sell off their core data.

As an interim I still come across companies whose network and application management leaves much to be desired, even to the extent that simple version control and automatic updates to critical operating systems and applications are not in place. Many hackers exploit known weaknesses in operating systems, Java, Flash and other widely-used programmes. Addressing these areas of weakness seems like 'security 101' to me.

Another growth area which has exposed weaknesses in corporate business processes is the use of 'phishing' tactics, where senior executives' identities are 'acquired' or where they are simply impersonated and clever behavioural psychology tactics are used to force staff into transferring funds. SMEs are especially at risk and are being targeted by highly efficient and sophisticated criminal gangs.

There are good resources on hand to offer help. You mentioned the GCHQ guide. The London Digital Security Centre is another. You might also want to read Edward Lucas's excellent book called "Cyberphobia", which is a lucid account of the risks to companies and individuals and offers some salient advice.