A recent independent report, the 2014 Information Security Breaches Survey*, finds that 60% of the small businesses and 81% of the large organisations surveyed failed to secure their critical information and suffered a security breach as a result. Paul Heffernan examines how they might best defend themselves in cyber space.
For many organisations, data has become their business. Gathering, processing and storing vast amounts of information between multiple countries, devices and employees is the latest tightrope act for management to walk.
I’m certain that many of these breaches stem from the fact that SMEs and larger organisations alike lack the resources, or the will, to operate an effective information security management system. Clearly, though, that isn’t the only reason.
Global volumes of cyber attacks have actually decreased, yet more organisations have been breached. This is because cyber criminals have moved away from noisy ‘spray and pray’ mass attacks towards stealthier, quieter and more targeted techniques, and those techniques are paying dividends for them.
Straightforward cyber criminals aren’t the only concern, either. Organisations also need to defend themselves against hacktivists and disgruntled employees as well as corporate and state-sponsored espionage.
Furthermore, disruptive technologies such as movement to the cloud and the trend towards Bring Your Own Device (BYOD) have further complicated the strategy and execution of effective cyber security regimes.
As we’ve all witnessed, even when an organisation thinks it has reached a mature cyber security position, attackers find the unknown or neglected vulnerabilities. Just look at the Target and Home Depot breaches: both began with credentials stolen from a third-party vendor rather than a direct assault on the retailer’s own perimeter, and between them they netted the attackers some 96 million US payment card records.
As an information security professional, it often seems to me that the odds are stacked in the attackers’ favour and that we’re just playing catch-up.
Path of least resistance
What, then, can be done about today’s burgeoning and ever-evolving cyber threat?
Thankfully, most attackers still take the path of least resistance, and harder targets will only be pursued if the pay-off is really worth it. This means organisations need to evaluate their information security management system across both the physical and cyber domains, and take into account the holistic measures that may need to be implemented as a result.
There’s no single technological, process or people-based ‘magic bullet’ out there to protect sensitive data. Rather, the process requires an effective management system governing these factors in both the physical and cyber spaces.
I believe that this is achievable and suitable for organisations of any size, but does require them to think about four main themes in the context of the ‘Plan-Do-Check-Act’ cycle.
Gain Management Sponsorship
The key starting point is to establish authentic senior management sponsorship. Like any project, things can quickly grind to a halt if the budget holders will not approve spending on the resources required to close gaps.
However, sponsorship is more than just someone signing a cheque. Leadership and the management of change are key to inspiring an information security management system which is sustainable and effective throughout the entire organisation.
Start by creating the need. Perhaps a cyber security accreditation will build trust with stakeholders and unlock more business. Then encourage leadership by example. There’s nothing worse than being told to lock your workstation when your CEO doesn’t do so.
Classify Data, Assets and Risk
With the backing of senior influencers, the next key task is ensuring that you have in place an accurate asset register which includes digital assets and data. This should be more than just a list of things and names.
By including risk metrics, affected stakeholders and criticality to the business, you’ve also kick-started the basics of risk management. That will pay off when trying to identify effective controls and the priority for applying them.
Often I see organisations that classify physical assets in isolation from data, but in truth the interesting interactions only appear once the two are merged: a laptop rated as low-value hardware becomes a high-value asset the moment it holds a sensitive spreadsheet.
Identify and Implement Controls
Only with the preceding stages complete can you implement something. All too often I hear information security professionals telling organisations to implement data encryption, push all of their staff through mandatory training, or jump straight to some other form of ‘control’. Without knowing the diamonds from the paper clips, you risk trying to boil the ocean, or missing the real chink in the armour.
Where possible, I start by comparing the status quo to a well-established standard such as Cyber Essentials, ISO 27001 or PCI DSS. Which one you choose will depend on the needs of the business. Then, based on the asset register, the controls that give the biggest bang for the buck can be the first ones implemented.
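The following is an added worked example, not code from the article or from Unipart Security Solutions, showing how the two ideas above fit together: a single register that holds both physical and data assets (so that a container inherits the criticality of the data it holds), and a ranking of candidate controls by risk removed per unit cost. Every asset, score, control and cost below is constructed sample data, and the scoring model (risk = effective criticality × likelihood; a control removes a stated fraction of an asset’s risk) is an assumption chosen for illustration, not a published standard.

```python
"""Asset register with risk scoring and control prioritisation.

Added example, not code from the article. All assets, scores, controls and
costs are constructed sample data; the scoring model is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    owner: str              # accountable stakeholder
    kind: str               # "physical" or "data"
    criticality: int        # 1 (paper clips) .. 5 (diamonds): impact if compromised
    likelihood: int         # 1 .. 5: current exposure to attack
    contains: tuple = ()    # names of data assets held on a physical asset


class Register:
    """One register for physical and data assets, so their interactions are visible."""

    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        for a in assets:
            for child in a.contains:
                if child not in self.assets:
                    raise ValueError(f"{a.name} contains unknown asset {child!r}")

    def effective_criticality(self, name):
        """A container is at least as critical as the most critical data it holds."""
        a = self.assets[name]
        return max([a.criticality] + [self.effective_criticality(c) for c in a.contains])

    def risk(self, name):
        return self.effective_criticality(name) * self.assets[name].likelihood

    def ranked(self):
        """Assets ordered from highest risk to lowest (stable for ties)."""
        return sorted(((n, self.risk(n)) for n in self.assets), key=lambda t: -t[1])


@dataclass
class Control:
    name: str
    cost: float                                  # relative cost, hypothetical units
    reduces: dict = field(default_factory=dict)  # asset name -> fraction of its risk removed


def prioritise(register, controls):
    """Rank controls by risk removed per unit cost: biggest bang for the buck first.

    Returns (control name, total risk removed, removed per unit cost).
    """
    rows = []
    for c in controls:
        unknown = [n for n in c.reduces if n not in register.assets]
        if unknown:
            raise ValueError(f"{c.name} references assets not in the register: {unknown}")
        removed = sum(register.risk(n) * frac for n, frac in c.reduces.items())
        rows.append((c.name, round(removed, 1), round(removed / c.cost, 2)))
    return sorted(rows, key=lambda r: -r[2])


# Constructed sample register: a laptop rated 2 on its own carries an HR export rated 4.
SAMPLE_ASSETS = [
    Asset("card-db", "Finance", "data", 5, 3),
    Asset("hr-export.xlsx", "HR", "data", 4, 3),
    Asset("db-server", "IT", "physical", 3, 3, contains=("card-db",)),
    Asset("byod-laptops", "IT", "physical", 2, 4, contains=("hr-export.xlsx",)),
    Asset("marketing-site", "Marketing", "data", 2, 5),
    Asset("office-printer", "Facilities", "physical", 1, 2),
]

# Constructed candidate controls with hypothetical costs and effectiveness.
SAMPLE_CONTROLS = [
    Control("MFA on admin access", 1, {"db-server": 0.4, "marketing-site": 0.3}),
    Control("Full-disk encryption on laptops", 2, {"byod-laptops": 0.8}),
    Control("Phishing awareness training", 3,
            {"db-server": 0.2, "byod-laptops": 0.3, "marketing-site": 0.1}),
    Control("Tokenise card data", 10, {"card-db": 0.9, "db-server": 0.9}),
    Control("Web application firewall", 4, {"marketing-site": 0.6}),
]

if __name__ == "__main__":
    reg = Register(SAMPLE_ASSETS)
    print("risk  asset")
    for name, r in reg.ranked():
        print(f"{r:>4}  {name}")
    print("\nper-cost  removed  control")
    for name, removed, ratio in prioritise(reg, SAMPLE_CONTROLS):
        print(f"{ratio:>8}  {removed:>7}  {name}")
```

Two things fall out of the sample data that the flat lists would hide. The BYOD laptops, rated criticality 2 as hardware, become the highest-risk asset in the register (16) because of the HR export they carry. And the control ranking puts cheap MFA on administrative access ahead of both the blanket encryption and the organisation-wide training that the text warns against jumping to first; tokenising card data removes the most risk in absolute terms but ranks fourth once its cost is taken into account. The numbers are illustrative; the point is that the register, not the vendor brochure, drives the order.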
Measure and Improve
Cyber threats are constantly evolving, and so is the risk posed to your data. On that basis, your information security management system must evolve in parallel.
You have to know when things are working, but also when they need to change. Quality metrics are key to this decision-making, and a Balanced Scorecard, with its financial, customer, internal-process and learning-and-growth perspectives, provides a good foundation. For example, consider potential financial measures. What is the value of the assets protected, and what is the cost of the controls protecting them?
Then consider potential learning and growth measures. Do your members of staff have the skills to spot and report phishing attacks, for instance, and does the proportion who report a simulated phish rise after training?
With these and other lead and lag indicators to hand, you should be in a good position to steer away from potential danger and to show senior management that you are following the right path to protect the business.
With considered thought in these four areas and a belief in continuous improvement, any organisation can radically change the odds and move one step ahead of the attackers before it’s too late.
Paul Heffernan is Principal Consultant (Cyber) at Unipart Security Solutions
*The 2014 Information Security Breaches Survey was commissioned by the Department for Business, Innovation and Skills (BIS) and undertaken by PwC
**If you’d like to learn more about how Unipart Security Solutions can help you in securing your organisation’s sensitive information visit: http://www.unipartsecurity.co.uk/services/cyber-assurance/