Cyber risk is a business risk, and building relationships between security teams, the board and the business is vital, argues Mike Gillespie.
There is extensive coverage of security and data breaches in mainstream and security press. Stories of cyber failure, ID theft and some very serious potential repercussions for national infrastructure, businesses and individuals are regularly found on most media platforms. Security professionals are all too aware that a breach or cyber fatigue can cause a sort of inertia. It is a result of saturation of cyber security events and can actually stop people responding positively to the threat.
It might help to use the UK’s terror threat – the fact that we are used to going about our normal business, despite the terrorism threat never having dropped below ‘heightened’ for quite some time – to illustrate how this inertia occurs. This very high threat level is the new ‘normal’; we have normalised it. It is impossible to remain as genuinely alert as this threat level requires for years at a time. The same applies to cyber threat and we cannot afford for this kind of inertia to impact our ability to protect our nation, organisations or people.
‘Taking a light-touch cyber approach is at best careless and at worst, dangerous’
Having said that, despite years of cyber security being seen, erroneously, as an IT issue, there is now growing interest from business leaders. They are starting to grasp this thorny issue and it is not hard to understand why, given recent legislative changes such as the EU General Data Protection Regulation (GDPR) and the Data Protection Act (2018), which will have the power to shake their organisations. But it is vital that this increased focus is harnessed to capture its momentum and minimise the risk of fatigue. In order to do this, we need to understand the drivers and there are many factors driving the cyber topic in business:
- a rise in successful attacks resulting in potential reputational and commercial harm
- increased media attention not only to the event or failure but to the remediation steps taken too
- the recognition that damage limitation to customers and business is potentially costly
- greater government focus on cyber resilience and the need for UK to be seen as secure to do business with, in and from
- closer engagement with business and people by the National Cyber Security Centre (GCHQ), which is giving advice, offering resources and generally raising the profile of cyber security
- changes to legislative requirements: breach is now a very costly affair
- contractual and service-level requirements from supply chain partners
- commercial good sense – many organisations see the advantage in being able to evidence the cyber security posture and resilience by gaining certifications and accreditations.
However, while some businesses are aware and fully engaged with their cyber tacticians, this is not true of all. And when things then take an inevitably bad turn, the ramifications are plain to see.
TalkTalk lost thousands of customers and had to adopt a 100% promotion in order to try and woo them back or replace them. The PR failure it represented was acknowledged as huge and the response from investors and customers unsurprising. The information commissioner was damning in her assessment of what had gone wrong and being in the ICO spotlight is rarely a good thing.
In another example, Equifax was breached, waiting three months to tell anyone, during which period executives of the firm apparently divested themselves of stock. This was good timing as share prices slumped 37% after the breach was made public. The reverberations for users of their services continue to be felt.
‘Senior people and the information assets they work with should never be outside of guidelines’
The interconnected nature of business means that taking a light-touch cyber approach (not based on solid threat and risk assessment) is at best careless and at worst, dangerous. If we are sharing information, platforms and services via cyberspace we have to understand that the threat is not geographically limited and we need to consider our wider business ecosystem.
We cannot hope to guess the motive of all attackers, all of the time. We can surmise what kind of information may be attractive to different sorts of attackers but assumption is dangerous. It is far better to understand the scope, scale and sensitivity of our information assets than to presume that if something isn’t financial, it would not be of interest to hackers or criminals.
When it comes to senior members of staff or board members, security protocols are occasionally overlooked. If you consider the issues around sensitivity of assets and protection of them, then you will probably understand why it is a mistake not to apply policy and procedure to all staff members, especially senior people, as they will hold, use and manage very valuable and sensitive information assets.
Principle-based policy, which means users are less bound by unnecessary restriction and are allowed to exercise good judgement, only works when you have a well-educated and trained staff, including the most senior people, who understand the guidelines and the risk. Senior people and the information assets they work with should never be excluded from, or outside of, guidelines. Their behaviours will set the culture for the business. When it comes to assets, senior people may:
- be valuable and vulnerable targets
- have greater access to a wider range of additional assets
- be used to compromise or discredit an entire organisation.
Building great relationships between security teams, the board and the business is vital. For security, the priority has to be to find a way to communicate with the board. Leadership skills must be brought to bear on security strategies and it is essential that an understanding of risk is properly disseminated.
A study carried out by research organisation Osterman in 2016, found that as many as 70% of boards may not understand the cyber security reports they receive and in turn only a quarter of cyber security professionals feel that risk is reduced as a result of their reports to boards. If risk is not being reduced then this is a complete waste of everyone’s time. Often in businesses, we find that security risk is not even on the same risk register as other organisational risk, so governance is not as great and there is a lack of integration with risk appetite as a result. It is often in these situations that we find risk can actually be a blocker and security used as a reason not to do things.
These often lead to a perception that ‘security says no’ so they will be avoided or protocols circumvented. In actual fact , if you share with security what you want to do and there is a risk-based approach which works within risk appetite and to risk tolerance (which may vary by department or role, for instance), you may find that your organisation is not as risk averse as the blanket ‘no’ approach would have you believe.
‘As many as 70% of boards may not understand the cyber security reports they receive’
Handled correctly, security can enable growth – but secure growth, with genuine risks managed and accepted where appropriate. As with policy, risk-management decisions need to be embedded within the business, so that decisions can be an integral part of the management decision making rather than considered the responsibility of a risk manager or a security manager. These roles should be leveraged as tactical advisers to allow good decision making to happen.
Sometimes communications teams may present a great cost-neutral resource on hand to help security talk to the business.
- They can help to help facilitate non-cyber-speak conversations that will help change behaviours around the business, including that vital place we need change, the boardroom
- Train your leaders – seems obvious but not all boards have a member who can champion and own the cyber security area and that is a potential threat
- bring security risk into the organisation and grow understanding of risk tolerances and appetites
- if security is still saying no to you after you have examined the risk together, then accept there may be good reason for this. Security is there to protect the overall asset which is everyone’s livelihood so the decision, after careful assessment, will not have been taken lightly.
The blame game
A failure in cyber security failing can impact on people in very real ways. We know that people are more often than not the enabler for failings and breaches. This is rarely due to malice or stupidity, but due to poor training or education, lack of embedded security awareness and the resultant failure to understand policies and procedures properly.
However, when it comes to the blamestorm after a serious breach, users will be placed front and centre when it comes to organisational blame. If people are unwitting enablers of failure, imagine how potent a defence they could form if properly and regularly trained. Backed up by suitable technical solutions, they could offer another great cost-neutral hardening capability to organisational security. Consider the Morrisons breach and its loss of payroll information; there could hardly be a better example of the impact of a data breach on people. It was brought about by a disgruntled ex-employee.
There is another consequence for people when it comes to cyber security failing. Many physical systems are now managed through cyberspace and so are just as vulnerable to attack, incapacitation or infection as the ‘traditional’ IT systems. Systems such as fire and life, air quality and air conditioning, building management – we need to make sure they are secured and properly protected. Ransomware is a kind of malware that encrypts files, rendering them inaccessible but also incapacitates systems making them unusable. We have been dealing with ransomware attacks for some time on corporate systems such as email, but ransomware is now available that will attack physical systems, even security systems, and prevent their use. This is clearly a health and safety matter. If an attacker has a motive of creating fear and chaos, holding an entire building to ransom is attractive.
Again, we cannot assume we know or understand the motivations of attackers. For some it is financial, and there is a tendency to assume this is the case with all. This can lead to the failure to protect some areas adequately. The motive may be disruption; if it is political or ideological in nature, for instance, this may be true. If that is the case, then it may be bold and noticeable.
However, if your business is not the actual target and merely a conduit to a larger supply chain partner, they may not want you to realise at all. The attacker may not be sure what they want and may spend a great deal of time on networks; looking around, checking out how far and deep into an organisation they can get; for example, if they are looking for research and development or other valuable intellectual property.
The point is, unless you are doing comprehensive and regular threat assessment and you combine this with a robust understanding of your organisation’s public image (that is, how you are perceived) then you just don’t know. The best approach is to know your information assets inside out and protect them accordingly, appropriately and with users in mind.
Keeping users at the heart of your policies is very important because users who feel that they are being prevented from doing their jobs or from creating efficiencies often try to find ways (frequently, successfully too) around security protocols and this is risky behaviour. The creation of shadow processes have the potential to compromise the security of all and leaves users vulnerable to exploitation too.
There are a great many standards, guidance documents and regulations available to all that can greatly assist organisations looking to build, consolidate or evidence their cyber resilience (see box).
Box: Standards and regulations
- UK Government’s Cyber Security Strategy
- UK Government’s Security Policy Framework
- UK Government’s Cyber Essentials and Cyber Essentials Plus
- International standard ISO27001
- National Cyber Security Centre NCSC – guidance
- GDPR and Data Protection Act (2018)
- NIS Directive
‘The best approach is to know your information assets inside out and protect them accordingly, appropriately and with users in mind’
Cyber risk, despite its perception in many organisations, is not an IT risk. It is a business risk and must be led and owned by business leaders. Business leaders must engage with their tactical advisers to ensure that they are better informed. It is inevitable that in the future a business leader will be held as liable for a cyber failing as they currently are for a financial failing. It is time for business leaders to step up and show true leadership in this area.