FUTURE FOCUS - Cyber security
From the classroom to the board: Education is the key to outsmarting cyber security today
In the brave, new digital world, technologies such as automation, the Internet of Things (IoT) and cloud computing are redefining the way enterprises in every sector handle data and do business.
The opportunities are, if not limitless, yet to be defined. But the opportunities come with associated risks.
In today’s increasingly connected world, where data is a currency and valuable commodity, a single breach can compromise not just the organisation under attack, but an entire supply chain.
Cybercrime is accelerating at an alarming rate, and organisations simply cannot sustain the level of investment needed to protect themselves 100 percent.
But having the biggest moat isn’t the only line of defence.
In this part of our Beyond 2020: Helping you embrace transformation series, we look at how awareness is the foundation of robust cybersecurity, and how embedding education into your culture is the best way to protect it against an attack.
A brief history
In 1999, Wired reported that a previously unknown group calling itself Hackers Unite claimed responsibility for a stunt that allowed anybody with a web browser to access more than 50 million Hotmail accounts [1].
According to the article, it was the most “widespread security incident in the history of the web.” Like many well-publicised hacking incidents at the time, the perpetrators saw themselves as a cybersecurity version of whistle blowers.
It is testament to the attitudes of a more innocent online age that the group’s claim was accepted.
Nobody, not even on Wall Street, appeared to regard the incident, huge as it was, as anything more devastating than an embarrassment for Microsoft.
Two decades later, hacking is acknowledged as what it has always been: cybercrime.
It is no longer the preserve of techno geeks, “white hats” and thrill-seekers, but a recognised branch of organised ‒ and sometimes state-sponsored ‒ crime.
In 2017, Europol confirmed, for the first time, that criminal gangs – highly skilled and well-funded groups around the world – had added cybercrime to their repertoires [2].
In the 21st century, cybercriminal gangs operate on much the same lines as any legitimate business.
They’re highly organised and made up of skilled specialists, each with a defined role. And they are working on an industrial scale. As an expert in cybercrime explains,
"One person would be organising a targeted hack; another would be responsible for malware development; another would be the social engineer who ensures that the breach goes ahead; and then you have a hacker who can deploy the malware; then you have someone responsible for the finances."
Cybercrime isn’t only a problem for well-known organisations like Facebook, British Airways and Exactis either.
According to the UK Government’s Cyber Security Breaches Survey 2018 [3], 43 percent of businesses in general, and 72 percent of large businesses ‒ defined as those with more than 250 employees ‒ had suffered cybersecurity breaches during the previous 12 months.
Even charities aren’t exempt, with 19 percent of the non-profits surveyed indicating they’d been hacked.
Criminals know there is now potentially more profit to be made in the digital world than in the physical world. Cybercrime is already a $1.5 trillion business [4], with annual revenues exceeding those of Facebook, Amazon, Apple, Netflix and Google combined.
[1] www.wired.com
[2] www.europol.europa.eu
[3] Cyber Security Breaches Survey 2018
[4] www.experian.com
When the walls come tumbling down
The direction of travel in IT innovation is compounding the risk for organisations. As any IT security veteran will tell you, there used to be a clear distinction ‒ an endpoint ‒ separating the inside and outside of an organisation.
But as companies embrace digitalisation, IoT and the cloud to create inter-connected supply chains, it’s virtually impossible to define a clear, easily protectable perimeter, especially when that perimeter may actually lie outside of your business, your remit, your scope of control.
Even if you are investing heavily in the latest security software, can you be confident that every business in your supply chain is doing the same?
The stark reality is that every connected device – even those loaded with industrial-strength security applications – can be compromised, becoming a potential doorway into your enterprise.
The more devices you add, the greater the area of potential attack. As points of entry increase – as is inevitable in a world where everything is becoming connected ‒ it’s more difficult for cybersecurity professionals to identify and resolve vulnerabilities and keep track of all threats.
One strategy is to ensure clear siloes in your network. In many organisations, once a network has been breached, the hacker is free to travel anywhere, gain access to any and all information.
But by creating data siloes, ring-fencing your more sensitive data – such as finance or R&D – and restricting access to that data, you build up secondary and tertiary layers of defence.
To do that effectively means understanding your data. Different data has different value to different people, so it is essential for organisations to assess not just what is important to them, but what might be of value to someone else, and to protect that data accordingly.
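The two paragraphs above argue for ring-fencing sensitive data and restricting access to it so that one breached segment does not open up the whole network. The following is an added example, not code from the article or from any product it mentions: a small default-deny policy evaluator in which every asset carries a tier and a segment, restricted data requires both the matching segment and an explicit grant, and every decision is written to an audit log so repeated refusals can be spotted. The tier names, segments, users, assets and requests are all constructed for illustration.

```python
"""Tier-based, default-deny access check with an audit trail.

Added example (not from the article or any product): a tiny policy
evaluator modelling 'ring-fence sensitive data, restrict access, and
treat each silo as an extra layer of defence'. Tier names, segments,
users and assets below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed classification, least to most sensitive.
TIERS = ("public", "internal", "restricted")


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str      # one of TIERS
    segment: str   # silo (network/data segment) that holds the asset


@dataclass(frozen=True)
class Principal:
    user: str
    segment: str                          # segment the request originates from
    grants: FrozenSet[str] = frozenset()  # assets explicitly granted to the user


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str


@dataclass
class Policy:
    """Default deny: anything not matched by an explicit rule is refused."""
    audit: List[dict] = field(default_factory=list)

    def check(self, who: Principal, what: Asset) -> Decision:
        if what.tier == "public":
            allowed, rule = True, "public: open to all"
        elif what.tier == "internal":
            # Internal data is reachable from any segment except 'external'.
            allowed = who.segment != "external"
            rule = "internal: internal segment required"
        elif what.tier == "restricted":
            # Restricted data needs BOTH the right silo AND an explicit grant,
            # so a foothold in one segment does not open the others.
            allowed = who.segment == what.segment and what.name in who.grants
            rule = "restricted: same segment and explicit grant required"
        else:
            allowed, rule = False, f"unknown tier {what.tier!r}: default deny"
        # Every decision, allowed or not, is recorded for later review.
        self.audit.append({"user": who.user, "segment": who.segment,
                           "asset": what.name, "tier": what.tier,
                           "allowed": allowed, "rule": rule})
        return Decision(allowed, rule)

    def denied(self) -> List[dict]:
        return [e for e in self.audit if not e["allowed"]]

    def repeat_offenders(self, threshold: int = 2) -> Dict[str, int]:
        """Users with at least `threshold` denials on restricted data: a simple
        signal that an account is probing silos it has no business in."""
        counts: Dict[str, int] = {}
        for e in self.denied():
            if e["tier"] == "restricted":
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample inventory and principals.
BROCHURE = Asset("brochure", "public", "corp")
HANDBOOK = Asset("handbook", "internal", "corp")
PAYROLL = Asset("payroll", "restricted", "finance")
DESIGNS = Asset("designs", "restricted", "rnd")

ALICE = Principal("alice", "finance", frozenset({"payroll"}))  # finance staff with a grant
BOB = Principal("bob", "corp")                                  # general staff
CAROL = Principal("carol", "finance")                           # finance staff, no grant
MALLORY = Principal("mallory", "external")                      # outside the perimeter


def run_demo() -> Policy:
    """Replay a handful of constructed requests; return the policy with its audit log."""
    policy = Policy()
    for who, what in [(MALLORY, BROCHURE), (MALLORY, HANDBOOK),
                      (BOB, HANDBOOK), (BOB, PAYROLL), (BOB, DESIGNS),
                      (CAROL, PAYROLL), (ALICE, PAYROLL)]:
        policy.check(who, what)
    return policy


if __name__ == "__main__":
    p = run_demo()
    for entry in p.audit:
        print(entry)
    print("repeat offenders:", p.repeat_offenders())
```

The point of the design is that being inside the network (Bob, in the "corp" segment) is not enough to reach finance or R&D data, and being in the right segment (Carol) is still not enough without an explicit grant; the audit log then turns the silo boundaries into a detection point, since repeated refusals on restricted data are exactly what a compromised account moving between segments would produce.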
Successful businesses have been investing heavily in digital literacy, both in their own workplaces and beyond, for some time already.
Examples include Google’s $1 billion investment in digital education and IBM’s $70 million digital skills initiative in Africa.
Educating the workforce
There is no panacea for all cybersecurity ills. Nor does spending more money on the latest or most innovative security solutions guarantee protection.
A report issued earlier this year claimed that, over the past two years, 45 percent of UK organisations had fallen foul of phishing attacks [5].
All it takes for a phishing operation to be successful is for one employee to open a single email.
This demonstrates perfectly the key mistake many organisations, and employees, make: the assumption that cybersecurity is solely an IT issue.
In fact, for a security strategy to be effective, security must be the responsibility of each individual employee ‒ whatever their role, from the C-suite to the factory floor or IT department, and whether they’re in an office or factory, on the road or at home.
Journalist Mischa Glenny says,
"It is astonishing to see how many companies are still risking their entire existence by not integrating a culture of digital hygiene into their work."
To be effective, enterprise-wide cybersecurity must be based on engagement, not compulsion.
If you want your employees to be fully committed to digital hygiene, they need to understand their responsibilities ‒ from using strong passwords to locking their laptops in a drawer before going home.
With phishing emails becoming more and more difficult to spot, employees need ongoing training in how to identify suspicious links.
Crucially, employees need to understand the importance of reporting any potential breach as soon as possible – and be reassured that they can do so without fear of reprimand.
Being prepared is the first line of defence. Organisations should assume that a breach is inevitable, and prepare accordingly. Identifying a breach quickly and accurately is the first step.
Even major incidents ‒ such as the one involving Yahoo in 2013‒14, in which 3 billion accounts were compromised ‒ can go unnoticed for a significant amount of time, and the current average is 100 days for an attack to be identified.
Next, clear roles and responsibilities need to be assigned so that, should an attack occur, the response will be fast, decisive and concerted.
Who can authorise the shutdown of part or all of a network to prevent the hack from spreading? Who can sign off a ransomware payment? Who will manage communications? Who will ensure the Information Commissioner is informed within the deadline?
One of the most important roles will be that of the company spokesperson.
Companies that are perceived to be open and honest about a breach suffer significantly less brand damage than those that appear to cover things up or deflect responsibility.
The strategy you adopt should focus on finding a technical resolution, but other aspects should also be considered, such as the operational implications, the management of legal and regulatory risk, and the most effective means of tracking and reporting.
Another factor to bear in mind is that an attack may, initially at least, have a limited impact. Many enterprises underestimate the value of sharing intelligence when a potential threat is uncovered.
Alerting all relevant departments and people within the organisation to a potential threat will reduce the chance of the threat recurring elsewhere in the enterprise.
“Cybercrime is now a mature industry operating on principles much like those of legitimate businesses in pursuit of profit.”
Tamas Gaidosch, The Industrialization of Cybercrime, International Monetary Fund, June 2018
Ultimately, security is the responsibility of the CEO. It’s up to the CEO and leadership team to drive investment not only in the security skills your IT team will require today and tomorrow, but also in educating the entire workforce and initiating good security practice.
Board members don’t have to be technical gurus, but they do need to invest time in developing the level of understanding of security issues needed to probe, challenge and support their IT and security specialists.
The threat is often in the detail, so board members must invest time in drilling below the surface.
Adding non-executive specialists to the board, potentially supported by a board sub-committee, would bolster expertise and provide easy access to informed and objective advice.
Key actions for business leaders
- Assume a breach is inevitable.
Everyone is at risk, everyone is a target of this heavily industrialised and organised criminal activity. If a hacker really wants to breach you, they will. What you can control is how you respond. Preparation is the best line of defence.
Outcome: A clearly defined strategy and focus on security will limit the overall impact on your business.
- Educate the board.
Security must be embedded in your organisation’s core operation ‒ it must be a way of life. That starts with the board. Business leaders need to lead by example: be ready to learn about and understand the issues, support investment, advocate and be seen to implement good practice.
Outcome: Security will become a shared responsibility and a way of life, part of every member of staff’s daily workload.
- Educate the workforce.
IT won’t protect your organisation from cybercrime, your people will. You need an enterprise-wide strategy for digital hygiene. Your defences are only as good as your weakest link, so education must reach every employee.
Outcome: An educated workforce that understands the value of the role they play in securing not only your company’s data, but also the future of the business ‒ and their own jobs.
- Understand your whole perimeter.
Tier your data. Decide on priorities and invest most heavily in protecting your company’s sensitive, high-value assets.
Outcome: Tailored and effective security that provides the best return on investment and maximises your budget.
- Be prepared to respond.
Cybersecurity incidents are inevitable. Governance of cybersecurity risk is important, but it’s even more important that you can respond quickly with effective governance and implementation when risk becomes a material threat.
Outcome: An effective, timely response that minimises harm across your organisation’s extended network and mitigates damage to corporate reputation.