Perspective, our monthly newsletter, brings you all of our latest news and views as well as interviews and opinion pieces.
Cyber security challenges
This month, Ali Palmer asks Mark Kendrew about the cyber security challenges facing companies today. As an independent information security leader, strategist and change agent, Mark helps leading UK companies to achieve their business goals whilst also reducing their risks to acceptable levels.
Cyber Security seems to be a “buzz phrase” in many organisations today but what do you think a client’s understanding of it really is?
Some clients see Cyber Security as synonymous with IT Security, i.e. the technical capabilities required to ensure the confidentiality, integrity and availability of data in IT systems. Others view Cyber Security as synonymous with Information Security, i.e. the capability of an organisation to protect and defend its information systems and the data they contain from unauthorised damage, exploitation and use. This second definition expands the scope of Cyber Security to include how people use, store and share information using physical media, e.g. printed reports, drawings and voice communications.
Irrespective of which term is used, it is important that organisations are able to realise their business objectives whilst achieving appropriate levels of security. They need to understand what information they have; how they create, store, use or share it; and the security risks associated with it being lost, stolen, corrupted or inaccessible. This knowledge can be used to define and prioritise the actions taken to mitigate the risks effectively.
As an experienced information security leader do you think that internal threats are often more successful than external threats and what threat concerns you the most?
During 2015 and 2016, 82% of all reported data breaches involved people, showing that the boundary between external and internal threats is becoming blurred.
An essential element of any external attack is being able to conduct reconnaissance on the target organisation and find a route in for deploying any malicious code. This requires help from individuals inside the organisation, some of whom may be providing help unwittingly by clicking on phishing emails [1].
By contrast, insiders can also act maliciously to steal customer contact details and intellectual property, commit fraud or gain access to sensitive corporate data that might assist insider dealing. The motivation for such actors can be supported by external parties involved in crime or espionage.
Despite the Panama Papers example, many insider attacks go unreported and so public opinion is focused towards tackling external “hacking” threats. If organisations were able to increase their focus on tackling the insider threat, then they would reduce such risks. They may also be able to use the same methods to better detect breaches by external attackers.
As the threats in companies today are increasing what four pieces of advice would you give to those around the Boardroom table?
Organisations with mature and effective information security usually have their Board fully engaged in understanding and dealing with security risks. They successfully adopt a collaborative and systematic approach to risk management and incident response that bridges the business, technology and security disciplines.
Boards and their organisation need to recognise that they will suffer data breaches and so should have breach detection and incident response capabilities in place and regularly tested. To reduce risk, they need to take a layered approach, prioritising their actions based on the sensitivity of their information and the nature of the risks. Being able to demonstrate how these actions can lead to a reduction in the level of risk carried by organisations will increase Board engagement and help support the business case for investment.
Boards should have a clear information security strategy that is driven by their information security risk priorities. This strategy should take into account that the threat landscape is always evolving, much like warfare. Developing security capabilities to address the different threats to an organisation takes time and money to complete. I have found that delivering some capability today is often better than delivering a greater capability next month. Therefore, boards should adopt a strategy delivery plan that is capable of being flexed as the security landscape changes.
Is there a market failure for security investment?
Organisations seek to achieve their strategic business objectives within acceptable levels of risk. In my experience, organisations will invest when they recognise the significance of their Information Security risks. The future global economic uncertainty is likely to make this task harder as budgets are constrained to maintain financial performance. Those responsible for managing information security and driving IT-enabled security changes need to be able to articulate the risks in a language that the Board can understand so that investment decisions are based on compelling arguments that they can support.
What are the key business issues that we will have to worry the most about from a security perspective?
Organisations are increasingly working with third parties to deliver their services. There is a clear need to ensure that information going outside the organisation’s perimeter is protected to the same degree as it was inside the organisation. This covers both the transfer of information between organisations and the protection of information by third parties. Organisations need to carry out due diligence of all third parties to ensure security risks are managed within acceptable levels.
Many organisations depend on communicating with people on the move who are accessing and working on information from mobile devices. These devices pose additional security risks that require careful mitigation, particularly where sensitive information needs to be viewed or created by senior business leaders. Organisations need to have workable policies and security controls in place to cover these operating scenarios.
Lastly, many organisations are moving their data storage onto Cloud solutions. There are clear business benefits for doing so. However, there are also significant IT and information security risks that such solutions present. Organisations need to determine what information they should store in the Cloud based on a holistic analysis of the business, IT and security costs and risks associated with the on-premises and Cloud alternative solutions.
How can we build a safer cyber world?
For me, the engagement of senior business leaders is critical for successfully tackling cyber security. There are four key areas that I help business leaders to address so that they can build a more secure business environment where cyber threats are likely to cause less harm:
- Valuing information: Business leaders need to understand what information they use and store within their organisation or share with other organisations. Knowing this, they can identify the sensitive information that they need to protect.
- Understanding the risks: Business leaders need to understand who might wish to steal, corrupt or prevent access to their sensitive information and how they might do so. Knowing this, they can quantify the level of risk and whether their organisation can tolerate this.
- Mitigating proactively: Where the risks cannot be tolerated, business leaders should ensure action is taken to reduce the risks and/or establish contingency plans for these specific scenarios so that they can accept the residual risks [2].
- Responding to breaches: Security breaches will happen, so business leaders should have established incident management procedures that are regularly tested and capable of responding in a timely and flexible way with the evolving nature of an incident.
[1] Phishing emails are often sent into organisations, providing information that encourages recipients to open an attachment or link. Once opened, the attachment or link runs malicious software or establishes a link to the attacker's computer.
[2] GCHQ has published "Ten Steps to Cyber Security", which describes actions that organisations can take to protect themselves against the majority of cyber threats. Some organisations may wish to go further through the Cyber Essentials scheme or by achieving the international standard for information security management, ISO 27001.