CYBER SECURITY: PEOPLE, UNKNOWN THREATS, IMPENDING LEGISLATION AND HOW THEY ALL CONSPIRE TO MAKE YOUR LIFE MORE DIFFICULT


Cyber: A word with no settled definition but with the power to send shivers down the spine of most executives at every company right now.

Information Security (InfoSec): What they usually really mean when they say Cyber-Security.

According to Microsoft, during 2015 some 160 million customers’ data records were compromised, and cyber breaches went an average of 229 days before detection (with a similar period again to remediate and remove the intruder). All of this helped to destroy $3 trillion of market value in the process. A sobering thought, perhaps: if each of those dollars were converted to one second of time, it would be equivalent to just over 95,000 years. That’s quite a long time!

New ‘cyber’ laws are now appearing with monotonous regularity. Many have cross-border implications. They increasingly contain swingeing penalties for non-compliance and negligence. The trend is toward singling out executives who are responsible for a company’s InfoSec for public sanction, when things go wrong. It is, therefore, advisable to know which legal jurisdiction(s) you are accountable to.

Where cyber breaches are concerned, according to the head of the FBI, there are two types of companies: those that have been breached and know it, and those that have been breached and don’t know it. He should know and, given that c.84% of large companies have experienced some level of data breach in the last year, he is almost certainly right. The average cost of a large breach is currently over $20m.

Despite all of this, it is not uncommon to hear an executive opine that their company has nothing which would interest cyber criminals. Hmmmm. Wrong – perhaps criminally wrong! NO company is too small to be of interest and EVERY enterprise has something worth exploiting. Hackers may seek to steal money, intellectual property or other people’s data; they may simply be gathering intelligence to set up a fraud or a ransomware attack; they may just want to cause damage; or they may want all of the above.

Right here, right now, the biggest threat to all businesses, large and small, is people. Insiders are responsible for as many as 60% of ALL data breaches courtesy of either good old human error or deliberate action. You can be certain that people will drop you in it more frequently than your IT systems ever will. Recently, 1% of a survey group said they would sell their company’s data for as little as $10! At $1,000, almost 15% said they would be prepared to sell. Even without employees trying to sell data, other stuff happens. Pressured, late, overworked, distracted, duped, or anything else – and we have all been all of those at some stage – it is too easy to make an error.

Then we have the ‘Zero Day’ or ‘0-Day’ threat: a flaw in widely used software that is unknown to its vendor and to defenders, so that no patch exists, and which, if found or bought by criminals, allows stealthy access into systems. Because nobody knows to look for it, such a flaw can be exploited for a long time without being noticed. Heartbleed is the most recent notable example: a missing length check in the OpenSSL library’s TLS ‘heartbeat’ extension, which let anyone send a short request to a vulnerable server (or client) and receive up to 64 KB of that process’s memory in return, potentially including private keys, passwords and session cookies, without leaving an obvious trace in the logs. The bug shipped in OpenSSL in 2012 and was not publicly disclosed until April 2014; whether anyone exploited it during that window is unknown, but anyone who had found it could have. Note that it was a flaw in a library used mainly on servers, not in ‘Internet browsers’, and the SSL/TLS protocol itself was not broken. The practical lesson is that ‘there is little defence’ is only half true: you cannot patch what nobody knows about, but you can limit the damage by keeping an inventory of the software and libraries you run so that you can patch within hours of a disclosure, by not letting any one system hold more secrets than it needs, and by monitoring for the unusual traffic an exploit produces. As with AIDS and Ebola, which are the real world equivalent of such vulnerabilities, identifying them and then countering them in the fast moving environment of ‘Cyberworld’ can prove a Sisyphean task. Given the scale of the problem it is hardly surprising that every government in the world has prioritised the broad improvement of InfoSec.
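As an added illustration, not code from the original article and not OpenSSL’s code, the following C model shows the single missing comparison that turned the TLS heartbeat extension into Heartbleed: the handler echoes back as many bytes as the sender’s header claims, without checking that many bytes were actually received. The record layout (1-byte type, 2-byte length, payload, 16 bytes of padding) follows RFC 6520; the memory arena, the SECRET string, the scenario functions and the handler names are constructed for this example so that the over-read stays inside memory the program owns.

```c
/* Added model of the missing length check behind Heartbleed (CVE-2014-0160).
 * Not OpenSSL code: arena, SECRET and handler names are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define PADDING    16
#define SECRET     "PRIVATE-KEY-MATERIAL"   /* constructed stand-in for key bytes */

/* One contiguous arena: the heartbeat record at offset 0, followed by the
 * secret, standing in for a key or cookie that sits next to a packet
 * buffer in the process's heap. */
static unsigned char arena[ARENA_SIZE];

/* Write a heartbeat request into the arena. claimed_len is what the sender
 * puts in the header; actual_len is how many payload bytes it really sends.
 * Returns the true length of the record as received. */
static size_t build_record(uint16_t claimed_len, const char *payload, size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);   /* big-endian length */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + PADDING;   /* padding stays zero */
    memcpy(arena + record_len, SECRET, strlen(SECRET));
    return record_len;
}

static size_t claimed_payload_len(void)
{
    return ((size_t)arena[1] << 8) | arena[2];
}

/* Vulnerable handler: echoes as many bytes as the header claims and never
 * looks at what was actually received. The clamp only keeps this model
 * well-defined; the real bug could return up to 64 KB per request. */
static size_t vulnerable_handle(size_t record_len, unsigned char out[ARENA_SIZE])
{
    (void)record_len;                               /* the bug: never consulted */
    size_t payload = claimed_payload_len();
    if (payload > ARENA_SIZE - 3) payload = ARENA_SIZE - 3;
    memcpy(out, arena + 3, payload);                /* reads past the record */
    return payload;
}

/* Hardened handler: header + claimed payload + padding must fit inside the
 * record actually received, otherwise discard silently (RFC 6520 section 4,
 * which is what the OpenSSL fix did). Returns 0 on rejection. */
static size_t hardened_handle(size_t record_len, unsigned char out[ARENA_SIZE])
{
    if (record_len < 3 + PADDING) return 0;
    size_t payload = claimed_payload_len();
    if (3 + payload + PADDING > record_len) return 0;
    memcpy(out, arena + 3, payload);
    return payload;
}

/* 1 if the echoed bytes contain the secret anywhere. */
static int response_leaks_secret(const unsigned char *out, size_t n)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Scenario 1: header claims 200 bytes, sender transmits only "hello". */
int vulnerable_leaks_secret(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec = build_record(200, "hello", 5);
    size_t n = vulnerable_handle(rec, out);
    return response_leaks_secret(out, n);
}

/* Scenario 2: the same malicious record against the hardened handler. */
int hardened_rejects_oversized(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec = build_record(200, "hello", 5);
    return hardened_handle(rec, out) == 0;
}

/* Scenario 3: an honest request still works after the fix. */
int hardened_echoes_honest(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec = build_record(5, "hello", 5);
    size_t n = hardened_handle(rec, out);
    return n == 5 && memcmp(out, "hello", 5) == 0 && !response_leaks_secret(out, n);
}

int main(void)
{
    printf("vulnerable handler leaks secret:   %d\n", vulnerable_leaks_secret());
    printf("hardened handler rejects request:  %d\n", hardened_rejects_oversized());
    printf("hardened handler echoes honest:    %d\n", hardened_echoes_honest());
    return 0;
}
```

Compile with `cc -Wall heartbeat_model.c && ./a.out`. The pattern to look for in any code review is the same one the model isolates: a length read from the wire being used to size a copy without ever being compared against the number of bytes actually received.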

Hackers’ interests are endless: easily tradable or exploitable data such as personal and financial information, details of processes, procedures; who, where, when and how, potential routes to juicier targets. They have time, money, skill and guile. They are coming.

A good company will have InfoSec at the heart of its operations. Physical security, cyber security, personnel security and governance must be drawn together in a sensible, joined-up fashion. Silo something, fail to include any aspect, and you will create a vulnerability. Create a virtual door and a virtual criminal will walk through it. In the face of the dual problem posed by insiders and Zero-Days, it is critical that a company’s InfoSec arrangements are best in class. Technical and physical defences must be supported by robust governance, driven by the board/‘C-Suite’ and engaging all employees. Increasingly, authorities require companies to bring qualified expertise into the management structure.

Four out of five data breaches at large companies begin in the supply chain. Defences between suppliers and clients will have weaknesses, and criminals exploit them by default. Once an attacker is inside one organisation’s perimeter, the technical defences within are usually weaker, and a ‘spoofed’ email from a ‘trusted’ supplier address is far more likely to be accepted and its attachments opened. Huge damage can be created quickly with a stolen or ‘spoofed’ email address. Authenticating your own sending domains (SPF, DKIM and DMARC) stops exact-domain spoofing, but it does nothing against a lookalike domain or a supplier’s genuinely compromised mailbox, so staff must still treat unexpected attachments and payment changes with suspicion. Being the stepping-stone into a client can be a hard thing to recover from.

As a default setting, companies must ultimately be prepared for the worst. Being ready to respond effectively when (not if) an attack takes place is critical. It will likely make the difference between surviving or not. Trying to read up on crisis management 101 in the middle of the storm is not an optimal strategy. Planning and preparing for it effectively means a company immediately raises the likelihood of identifying, ejecting, mitigating and weathering a cyber breach. Having no plan in place makes the opposite much more likely – financial and reputational damage, possibly fatal.

Bronzeye IBRM’s operatives all have many years of experience at senior levels in multiple environments, many of which required high level government clearances. We offer two types of service:

BeCyberSure – an affordable, subscription based support service which encompasses the entirety of a client’s InfoSec needs. Working with the client’s own personnel, the service enhances physical, digital and governance security through audits, mitigation assistance, network security monitoring, a compliance management tool, governance, training, support and assistance, plus access to cyber insurance and legal specialists.

IBRM (Integrated Business Risk Management) – a project or ‘spot’ consultancy to advise, validate, test and audit all levels of a client’s information security needs or to create bespoke solutions.

Andrew Taylor

CEO of Bronzeye IBRM

Bronzeye IBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.