In order to save market reputation, avoid expensive damages and protect the valuable data your business holds, it’s now time to take a considered view of cyber risk. Throw away the ‘tick-box’ sheet and manage the cyber risk that’s appropriate to the organisation. By doing so, you’ll provide a better end user experience, while also improving security and remaining up-to-date with evolving threats. Richard Morris discusses the detail.
Today’s enterprise-level networks are exposed to an increasing variety of cyber threats caused by a combination of improved ability among cyber criminals and the increasing connectivity of organisations. According to the UK Government, in 2015 no less than 74% of small businesses and 90% of larger firms suffered from a security breach.
We’re now seeing a sophisticated approach to malware, code injection, advanced persistent threats and other forms of menace easily crafted by a hacker’s arsenal of cyber tooling. Social engineering is also emerging as a common attack vector for the cyber criminals.
The aim of such attacks can vary, although a common outcome is to disable or otherwise disrupt an organisation, whether through attacking IT infrastructures or by exfiltrating information for later nefarious use, financial gain or to release it into the public domain.
These attacks can be from state and non-state sponsored groups. All are extremely competent, organised and well-funded, adding further weight to the threats posed.
Yet organisations don’t seem to be keeping up with this evolution. They’ve moved beyond the use of firewalls to sophisticated intrusion detection systems, but often on the premise that a ‘silver bullet’ is a more attractive proposition to present to the Board of Directors when the time comes for funding requests.
There’s a huge degree of risk associated with this naivety. For the unprepared, the impact of an attack will be significant. The combined loss of reputation – along with punitive legislative damages – is relentless. The Financial Times recently reported that the high-profile cyber attack which TalkTalk suffered in October last year wiped £15 million off trading revenue, racked up costs of £40 million-£45 million and lost the business over 100,000 customers.
What, then, is stopping organisations from embracing higher levels of cyber security? For our clients, the biggest factors often seem to be budget and security becoming an alleged ‘blocker’ for day-to-day business.
Locking down systems
Commonly, we see the threat of cyber attacks leading organisations to lock down their systems in an attempt to achieve adequate protection, but this course of action ultimately impacts the efficiency of the business and also a given individual’s ability to perform their designated role.
By definition, the computer is supposed to act as the tool for more efficient business, yet when the security mechanisms put in place to protect data begin to slow end users down, the reverse is true.
Luckily, this doesn’t have to be the case. In fact, through our own partnership with CESG we’re not only exploring more user-friendly cyber security solutions, but also aiming to help industry take advantage of the technology and understanding present at its fingertips.
Just last month, for instance, Apple stood against the ‘back door’ option for Government agencies. With highly specialised agencies needing to ask for access, the effectiveness of security built into the modern smart phone becomes more apparent. Bear in mind this isn’t the only platform where technology offers quick and simple mitigations for the cyber threat.
Enterprises – both Government and commercial in nature – must make use of this functionality to grasp the benefits that technology delivers. Likewise, new security choices must consider usability as a top priority, delivering productivity gains to the organisation without compromising security.
How, though, can this balance be achieved?
The promise of new technology is often stymied by the retrospective application of security. It’s absolutely crucial that security requirements are considered at the outset and included within the initial designs for new technology.
Historically, staff become frustrated by not being able to do what they want, when they want and where they want, whether this is working with multiple and complex passwords, forgetting to bring the additional token that’s needed to grant system access or not being able to work on a remote basis.
Consequently, employees often find ‘a way around’, resulting in unintentional security breaches. This opens up the organisation to cyber attack and information leakage – the very thing the introduction of draconian security requirements hoped to avoid. However, the risk of such security breaches may be minimised by putting usability first, then leveraging available security to support business needs. The result is user-friendly IT systems which have the appropriate security in place to provide a cost-effective solution for the organisation.
For risk owners, it’s time to endorse this alternative approach to meet the needs of end users, removing the temptation of unauthorised workarounds and the risk of business disruption. How does this work in practice, though? Let’s look at remote working, which is a prime example of where such an approach can realise significant benefits.
Removing the fear
Remote working can strike fear into the hearts of IT Departments and the Chief Information Security Officer (CISO) simply because of the potential security threats it encourages.
However, with evidence of increased productivity, improved employee retention and higher levels of customer satisfaction, as well as reducing the demand on the fixed infrastructure, it’s a key part of how we now do business in the 21st Century.
Traditionally, the approach towards keeping remote working ‘safe’ has been to instigate a system of complex passwords and bespoke tokens, and also to lock down functionality on trusted machines. Not only does this mean increased IT costs in managing these procedures, but the potential for end user opposition and unauthorised workarounds then become pretty significant factors.
An alternative and smarter approach would be to exploit today’s commodity security features. This could be as easy as selecting the options to use the security hardware that’s already built into a laptop or tablet, or otherwise employing the user’s smart phone as a two-factor authentication token.
Typically, employees have been forced to go to a building or terminal that has the necessary technology, or wait for a paper copy to be sent and stored appropriately.
With such inflexibility, many end users have found ways around security measures by sending a copy to their personal mailbox, or by transporting a copy on a USB stick.
However, improved security architecture is now readily available on modern smart phones. This would allow end users to open and view documents quickly via encrypted e-mail within a safe enclave on their personal smart phone. By making the process rapid and easy for the end user to enact on a secure basis, it’s possible to protect our organisations from cyber threats in a much more efficient fashion.
How do you decide in which technology to invest? The answer to this question ultimately rests within the prioritised management of overall cyber risk.
To be frank, a ‘tick-box’ approach towards managing cyber risk should now be a thing of the past. With each organisation facing multiple risks based on their differing operational models, it’s time to take an individual approach towards protecting against them.
This requires insight. You need to know what those risks are and the level of threat they pose to your organisation. By using a business-led, threat-driven approach which defines appropriate cyber risk mitigations, the result is a robust security architecture with great usability that mitigates the risk of an attack.
Such an approach consists of these stages:
*User needs: Understand how the organisation needs to be able to operate to be efficient and deliver a great service to its customers
*Asset identification: Understand what data the business needs to protect (and why)
*Threat identification: This requires a sharp understanding of what cyber attacks are possible. Once the potential and emerging threats have been identified, characterise them to help establish the best method of protection
*Vulnerabilities: This is an in-depth review of where data is vulnerable and what the consequences of an attack would be
*Risk: Quantify the risks faced by the organisation in business terms such that the appropriate risk judgements can be made
*Risk control: Develop ways in which to control these risks using a combination of technology and process appropriate to the organisation
*Risk management: Develop internal processes to manage what’s now a fluid state of affairs
Richard Morris is Cyber Protection Lead at Roke Manor Research