Cyber security: People, unknown threats, and impending legislation

Physical security, cyber security, personnel security and governance must be drawn together in a sensible, concatenated fashion, says BronzeyeIBRM CEO Andrew Taylor…

Cyber: A word with no settled definition but that sends shivers down the spine of most executives at every company right now.

Information Security (InfoSec): What they usually really mean when they say cyber security.

According to Microsoft, during 2015 some 160 million customers’ data records were compromised and cyber breaches had an average duration of 229 days before detection (and a similar period for remediation). All of this helped to destroy $3 trillion of market value. A sobering thought: if each of those dollars were converted to one second of time, it would be equivalent to just over 95,000 years.

New ‘cyber’ laws now appear with monotonous regularity. Many have cross border implications. They increasingly contain swingeing penalties for noncompliance and negligence. The trend is toward singling out executives who are responsible for a company’s InfoSec for public sanction. It is, therefore, advisable to know which legal jurisdiction(s) you are accountable to.

Where cyber breaches are concerned, according to the head of the FBI, there are two types of companies: those that have been breached and know it, and those that have been breached and don’t know it. He should know and, given that c. 84% of large companies have experienced some level of data breach in the last year, he is almost certainly right. The average cost of a large breach is currently over $20m.

Despite all of this, it is not uncommon to hear an executive opine that his company has nothing to interest cyber criminals. They are wrong – perhaps even criminally wrong! No company is too small to be of interest and every enterprise has something worth exploiting. Hackers may seek to steal (money, intellectual property or other people’s data) or they might just be looking for intelligence to create a fraud opportunity, unleash a ransomware attack, or even simply to cause damage. All of the above may apply.

Right here, right now, the biggest threat to all businesses, large and small, is people. Insiders are responsible for as many as 60% of all data breaches. You can be certain that people will drop you in it more frequently than your IT systems ever will. Recently, 1% of a survey group said they would sell their company’s data for as little as $10! At $1,000, almost 15% said they would be prepared to sell. Even without employees trying to sell data, there are other factors to reckon with. Pressured, late, overworked, distracted, duped, or anything else – and we have all been all of those at some stage – it is too easy to make an error.

Then we have the ‘Zero Day’ or ‘0-Day’ threat: flaws in technology that are unknown to the vendor and to security professionals, which if found and weaponised by criminals allow stealthy access into systems. Because no patch exists while the flaw is unknown, there is little direct defence; what can be done is to limit the damage a single flaw can do (least privilege, network segmentation, monitoring for unusual behaviour) and to patch fast once it is disclosed. Heartbleed is the most notable recent example: a bug in the OpenSSL library’s TLS ‘heartbeat’ extension that sat unnoticed for around two years and allowed an attacker to read private memory, including keys and passwords, from affected servers without leaving any trace in logs. As with AIDS and Ebola, the real-world equivalent of such vulnerabilities, identifying and then countering them in the fast-moving environment of ‘Cyberworld’ can prove a Sisyphean task.

Given the scale of the problem it is hardly surprising that every government in the world has prioritised the broad improvement of InfoSec. Hackers’ interests are endless: easily tradable or exploitable data such as personal and financial information; details of processes, procedures – who, where, when and how; potential routes to juicier targets. They have time, money, skill and guile. They are coming.

A good company will have InfoSec at the heart of its operations. Physical security, cyber security, personnel security and governance must be drawn together in a sensible, concatenated fashion. Silo something, fail to include any aspect, and you will create a vulnerability. Create a virtual door and a virtual criminal will walk through it. In the face of the dual problem posed by insiders and Zero-Days, it is critical that a company’s InfoSec arrangements are best in class. Technical and physical defences must be supported by robust governance, driven by the board and ‘C-Suite’ and engaging all employees. Increasingly, authorities require companies to bring qualified expertise into the management structure.

Four out of five data breaches at large companies begin in the supply chain. The defences between suppliers and clients will always have weaknesses, and criminals exploit them by default. Once through the perimeter, an attacker finds that the technical defences inside are weaker still. A ‘spoofed’ email from a ‘trusted’ sender is more likely to be accepted and its attachments opened.

As a default setting, companies must ultimately be prepared for the worst. Being ready to respond effectively when (not if) an attack takes place is critical. It will likely make the difference between surviving or not. Trying to read the crisis management instruction manual in the middle of the storm is not an optimal strategy. Effective planning and preparation for the event means a company immediately raises the likelihood of identifying, ejecting, mitigating and weathering a cyber breach. Having no plan in place makes the opposite much more likely – possibly fatal financial and reputational damage.

Bronzeye IBRM’s operatives all have many years of experience at senior levels in multiple environments, many of which required high level government clearance.

We offer two types of service:

BeCyberSure – an affordable, subscription based support service which encompasses the entirety of a client’s InfoSec needs. Working with the clients’ own personnel, the service enhances physical and digital security and governance through audits, mitigation assistance, network security monitors, compliance management tools, training, support and assistance plus cyber insurance and legal specialists.

IBRM (Integrated Business Risk Management) – a project or ‘spot’ consultancy to advise, validate, test and audit all levels of a client’s information security needs or to create bespoke solutions.

Andrew Taylor

CEO of Bronzeye IBRM

BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.