
BCI urges realistic approach to cyber crime

by Brian Sims

In the latest issue of Risk UK, Lyndon Bird of the BCI (Business Continuity Institute) urges a realistic approach to cyber crime for UK businesses.

‘One of the constant challenges to security, risk and business continuity professionals is to ensure their traditional skill-sets and experience remain relevant in a world that is increasingly exposed to cyber threats.

‘Since the launch of the original information security standard over two decades ago, information security has been built on three pillars: confidentiality, integrity and availability. In many ways security has to be a compromise between these three elements. The need to protect against unauthorised access (confidentiality) has to be balanced against the access needs of authorised users (availability). Locking down a system to give almost total security will, therefore, make it unusable in any practical sense. However, once the system is open for use, it is potentially open for corruption and abuse. Once this has happened the integrity of the system and the data is compromised and (unlike a physical disaster such as a fire) it might not be clear when or where the corruption was introduced. This makes conventional disaster recovery back to a guaranteed safe point almost impossible.

‘It is easy to assume that the more valuable the data, the more of interest it will be to those wishing to illegally access it. Although this is true, the ‘value’ to the perpetrator might not be the conventional financial value. For example, in physical cases of theft, the purpose would usually be to quickly gain as much as possible whilst minimising the probability of being caught. However, there is a much wider range of motivations with cyber crime than with its physical equivalents. Firstly, if you are looking at overall maximisation of returns, keeping individual ‘takes’ small enough that they might never be detected gives a good opportunity to repeat the same trick over and over again. You can effectively automate your crime.

‘Secondly, the aim might be just to copy data which can be used to blackmail a company or sell on to its competitors, even before anyone knows it has been taken: a situation unlikely in a physical robbery.

‘Thirdly, politically motivated crime (such as cyber-terrorism) might simply want to maximise damage without the negative visual horrors of physical attacks. If hackers can corrupt systems or stop computers functioning (creating non-availability), they can achieve many objectives, including chaos and civil unrest. This tactic is regarded by some governments as legitimate action against what they see as enemy states or extreme political factions. At this level, a government-sponsored cyber-terror attack presents enormous problems in formulating a deterrent or a response strategy.

‘Business continuity argues that the only effective approach to dealing with threats is to identify the most important resources that need to be protected, rather than to look at all the threats that might exist. Once you have categorised what is really important in terms of both data protection and data usage, you can then look in a more focused way at the threats faced. Records management and business continuity should work together with risk and security professionals on this analysis.

‘Investments in information security are only justified by the value of what might be lost: there is no point spending
