Cyber security investment continues to spiral, with Gartner predicting that global security spend will reach £71.72 billion by the end of the year as a direct result of regulatory change, mindset and a growing awareness of threats, writes Alan Calder. With over 40% of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, and having to deal with the attendant cost and reputational damage, it’s easy to see how information security teams can make the case for requiring ever-higher budgets.
That said, is handing over another tranche of cash really the most effective route to cyber resilience? Look closely at any recent high profile breach and the hacks were not achieved through bypassing top of the line security technology, but rather by identifying weaknesses within processes and staff.
While technology certainly has its part to play in a business’ overall cyber security strategy, people and processes actually have a much more significant role in ensuring that an organisation is protected. From management commitment to strategic risk assessment through to process change and employee awareness, organisations need to reconsider security and determine to rapidly on-board the skills required to achieve this three-fold approach towards mitigating cyber risk.
No organisation is immune to the threat of a cyber attack, especially so as the types and methods of attack become increasingly more sophisticated. Given the enormous cost associated with breaches, from regulatory fines to lost customers and compromised supplier relationships, this subject is clearly on Board agendas. Unfortunately, most Boards would rather commit to hiking the security budget than take the steps actually required to improve cyber resilience: namely, for them to be involved.
According to ISO 27001, Board-level commitment is an essential requirement, yet this is a message that the CIO or CISO is finding hard to put across. Most senior level individuals perceive that cyber security is too complex and too technical to have a place in any Board meeting. Yet this attitude underlines a patent lack of understanding of the cyber criminal. It’s not all about incredibly complex and sophisticated threats. Rather, attackers will aim at the weakest link in an organisation’s security posture – its people.
People are a risk because they will forget passwords, make errors, click on phishing e-mails or access websites loaded with malware. It’s not malicious in the main, but it is a huge problem. The fact is that the majority of breaches are linked to human error and, more often than not, the cause is ill-considered processes and education, not inadequate security solutions.
Proving the point
The massive data breach at Sony came about as a result of hackers gaining access to a list of passwords written in plain text, which is essentially an open door to an extraordinary raft of sensitive information. At Morrison’s, it was a disgruntled employee who was able to upload the details of 99,998 staff, including bank account details, salary information, dates of birth, National Insurance numbers, addresses and phone numbers to data sharing websites. With Morrison’s having spent more than £2 million tackling the breach, the High Court ruled that the supermarket giant was vicariously liable because the individual was acting in the course of his employment when he leaked the information online.
A lack of management understanding of risk also contributes to technology and process compromises that create unacceptable exposure. The WannaCry ransomware attack that ravaged so many businesses in 2017 is a prime example of poor processes. In this case, failing to update software, and in turn creating huge vulnerabilities. The attack affected companies globally, although in the UK the media brunt was borne by the NHS, which estimates a cost of £92 million to recover damaged IT equipment (although it has made no public acknowledgement of the cost to patients’ health as a result of cancelled operations and missed diagnoses).
While these events clearly focus management attention on the escalating risk created by cyber security, none of these organisations had failed to invest in security hardware or software. What they had overlooked was that a cyber resilient business is underpinned by highly effective processes and a highly aware and educated staff.
Information security culture
User awareness and education is a huge component of a cyber resilient organisation. Simple steps such as teaching employees to recognise a phishing e-mail or spot a rogue Wi-Fi hotspot at the café, station or conference centre can radically reduce incidents. This is just the start, however. User awareness and training must be part of a complete resilience process.
Continually testing staff awareness – by sending phishing e-mails and following up with additional training to those who mistakenly click on such e-mails – is essential, but staff also need to know what to do if they do click on a phishing e-mail by mistake. That means the company needs to put in place a clearly defined process that encompasses everything from ensuring users recognise the importance of immediately notifying the incident response team through to locking down the device and removing it from the network and, critically, undertaking an assessment to determine whether the incident has created a regulatory reportable breach.
In addition to improving awareness and understanding, it’s also important to make life easy for the user. While IT has become obsessed with the concept of complex passwords changed every 60 to 90 days, for the user the only option is to write these down or continually waste time calling the Help Desk for a reset.
How much more effective to opt for single sign-in and passwords changed only when the user perceives a risk? Or once a year? Not only does the business lose the massive risk associated with passwords written down everywhere, but the Help Desk call volumes plummet – and the IT team has time to fix the gaping security hole left by the disturbing number of network devices still operating on easily breached default settings.
This ‘People and Process’ model is at the heart of the global ISO 27001 security standard – a standard which in this post-General Data Protection Regulation era is prompting increasing interest as a way of demonstrating that security provision in place should a breach occur.
Circling back to where we came in, this is where the Board needs to become involved. ISO 27001 states that management must be engaged in the information security management process. They must lead by example and provide clear guidance to the organisation on issues such as risk management. That means security isn’t just a line on the budget and a chance to pass the buck to the information security management team. The Board must actively discuss and consider security policy if certification is to be achieved.
To be frank, the Board should be actively involved. The creation of a cyber resilience framework is key not only to reducing the likelihood of a breach, but also to ensure systems can be back up-and-running as quickly as possible in order to minimise business disruption. That operational framework is ultimately defined and directed by a corporate understanding of risk.
Simply accepting an ever-increasing security cost isn’t enough. It’s not until the Board has discussed and agreed upon the risk appetite, which will vary significantly between organisations, that the business can begin to take the correct steps towards managing information security. That means investing in the right skills to define and implement new processes and heightened levels of staff awareness.
Alan Calder is Founder and Executive Chairman of IT Governance