Working in cyber security for the last 19 years has been an amazing experience. Watching the sophistication of cyber attacks and the frequency of breaches increase has not.
I was discussing this with a few senior cyber security leaders the other day. As we talked, we each reeled off a load of statistics, like how Lloyd's of London has estimated that cyber attacks cost businesses as much as $400 billion a year, how Juniper Research has predicted that the cost of data breaches will increase to $2.1 trillion by 2019, and how the World Economic Forum says the true cost is actually unknown, as industrial espionage grows and access to confidential data goes undetected.
We also discussed how cyber criminals follow the money trail, and how SMEs make for rich pickings, as they're typically less secure and more under-resourced than large organisations. According to Symantec's 2016 Internet Security Threat Report, about 1 in 40 small businesses are at risk of being the victim of a cybercrime, and attacks are intensifying.
And then I said, "Of course it's only when a C-level gets fired, or scrutinised in the media, that everyone takes notice." Suddenly, one of them thumped the table and said, "You're right. This may not be a stat, but it's relatable!"
Although not an everyday occurrence, things like this happen. Few in the UK could forget the barrage of criticism Dido Harding, the CEO of TalkTalk Group, received in 2015 over her handling of a data breach that affected about 4 million customers who'd had their personal details stolen. But what about the CEO and CFO of FACC, the Austrian aerospace parts manufacturer, who were fired in May 2016 after a cyber fraud incident resulted in a €40.9m loss? Then there were the CEOs from Sony and Target who were fired after hacks in 2014, and I can still remember how tongues wagged in 2011 when Betfair's Security Director left just days after an 18-month-old data breach was announced in the press.
We all agreed, but the question many of us pondered was whether this was going to worsen, especially considering new legislation such as GDPR. Furthermore, what could be done to mitigate risks and ensure more resilience, given that cyber security isn't about "if," rather it's about "when," and whether "it's already happening but we just don't know about it."
With these thoughts in mind, here are my top 5 high-level recommendations.
Tip 1: Know who your attackers are, and their motives.
Often when I'm presenting at conferences or webinars on cyber security, I'll ask my audience to think about who might want to attack them and why. I get them to step into the shoes of an attacker and take on their persona. This makes it more real and memorable. I'll talk about cyber criminals who follow the money trail; hackers (usually teenage boys) who are intent on circumventing a system, network, or application for the sheer challenge or kudos; industrial competitors and foreign intelligence services who are after disruption or a competitive advantage; hacktivists, like Anonymous, who do it for a cause; and employees, who many deem to be the greatest threat.
With employees, I then drill down further and put them into six categories, giving them a name, objective, and brief profile, for example:
- The activist, who leaks data. They’ve become disillusioned and have sold a story to the press.
- The disgruntled employee, who's out for sabotage. They've left the organisation on bad terms and, as they're out for revenge, have released a time bomb which corrupts systems. Alternatively, they've falsified or manipulated data.
- The entitled employee, who's stealing IP. They've been recruited to steal customer data, IP, etc.
- The blackmailed employee, who’s vulnerable and has been deliberately targeted. They feel like they’ve got no choice, have to comply with their blackmailer, and are now committing fraud.
- The careless employee, who's negligent. They're breaking security policies and emailing themselves passwords or sensitive data because they want to work from home. Or perhaps they're storing unencrypted data on their laptop.
- The unknowing employee, who’s accidentally downloaded malware from a spreadsheet that’s been emailed to them.
Tip 2: Establish your assets and understand the consequences of a breach.
As the main repercussions of a breach are going to fall into 3 groups (brand or reputational damage; loss, e.g. of customers, revenue, or service; and fines, e.g. regulatory or legislative), you're going to need to establish what the business' assets are and what the business really values. Although this sounds straightforward, it is often challenging, as the perimeter of the enterprise can be broad and data dispersed.
Tip 3: Accept your job is to mitigate risk, not eliminate it.
Total security is a unicorn. It doesn't exist, and reputable suppliers will articulate exactly what they offer, along with its benefits, so expectations can be met or, better still, surpassed. Some may also help you quantify your risk and put a monetary value on it, which helps when communicating value to the Board or asking for more budget.
Tip 4: Recognise your job is to ensure resilience.
It's imperative this is understood within your organisation, and that a security culture is built. Those who do this successfully create security cultures that are based on trust rather than surveillance, and ensure they extend beyond the organisation. The awareness programmes they implement help their employees to understand the advantages of good security practices at work as well as at home, and as a result their employees buy in more readily and become stronger defence shields. They also ensure they're fully prepared for when an incident happens. Their incident response plan is meticulously crafted and regularly rehearsed. The team knows what to do, when to do it, and who's responsible for doing what.
Tip 5: Remember the golden triangle – people, process and technology.
Although Bruce Schneier popularised this approach back in the late 1990s, it's still just as relevant today. Operational efficiency requires a symbiotic relationship between all three areas. If you concentrate on only one or two, you'll create an imbalance and risk will invariably increase.
Now I want to hear from you.
- Tell me what resonated and what you're going to do differently, and if you're using a breach prevention tip that I've not mentioned and you'd like to share it, please do.
To find out more:
Please watch Microsoft Office's Modern Workplace Episode 306, "Cyber Intelligence: Help prevent a breach," and hear from Mike Convertino, the CISO and VP of Information Security at F5 Networks, and Vanessa Pegueros, the VP and CISO at DocuSign.
Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this Microsoft Office Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in, and this is one of them.