In the latest issue of Risk UK, Lyndon Bird of the BCI (Business Continuity Institute) urges a realistic approach to cyber crime for UK businesses.

‘One of the constant challenges to security, risk and business continuity professionals is to ensure their traditional skill-sets and experience remain relevant in a world that is increasingly exposed to cyber threats.

‘Since the launch of the original information security standard over two decades ago, information security has been built on three pillars: confidentiality, integrity and availability. In many ways security has to be a compromise between these three elements. The need to protect against unauthorised access (confidentiality) has to be balanced against the access needs of authorised users (availability). Locking down a system to give almost total security will, therefore, make it unusable in any practical sense. However, once the system is open for use, it is potentially open for corruption and abuse. Once this has happened the integrity of the system and the data is compromised and (unlike a physical disaster like a fire) it might not be clear when or where the corruption was introduced. This makes conventional disaster recovery back to a guaranteed safe point almost impossible.

‘It is easy to assume that the more valuable the data, the more of interest it will be to those wishing to illegally access it. Although this is true, the ‘value’ to the perpetrator might not be the conventional financial value. For example, in physical cases of theft, the purpose would usually be to quickly gain as much as possible whilst minimising the probability of being caught. However, there is a much wider range of motivations with cyber-crime than with their physical equivalents. Firstly, if you are looking at overall maximisation of returns, keeping individual ‘takes’ small enough means they might never be detected, and this gives a good opportunity to repeat the same trick over and again. You can effectively automate your crime. Secondly, the aim might be to just copy data which can be used to blackmail a company or sell on to its competitors, even before anyone knows it has been taken, a situation unlikely in a physical robbery.

‘Thirdly, politically motivated crime (such as cyber-terrorism) might simply want to maximise damage without the negative visual horrors of physical attacks. If hackers can corrupt systems or stop computers functioning (creating non-availability), they can achieve many objectives including chaos and civil unrest. This tactic is regarded by some governments as legitimate action against what they see as enemy states or extreme political factions. At this level, a government sponsored cyber-terror attack presents enormous problems of formulating a deterrent or a response strategy.

‘Business continuity argues that the only effective approach to dealing with threats is to identify the most important resources that need to be protected, rather than look at all the threats that might exist. Once you have categorised what is really important in terms of both data protection and data usage, you can then look in a more focused way at the threats faced. Records management and business continuity should work together with risk and security professionals on this analysis.

‘Investments in information security are only justified by the value of what might be lost; there is no point spending
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.