The problem is that cybersecurity is everybody’s problem and unless every department is involved in discussions on the solution then no solution will be truly effective.
The USA’s National Association of Corporate Directors (NACD) puts it very well in its Cyber-Risk Oversight Handbook: “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue”.
It’s more than just keeping the bad guys out, more than firewalls and intrusion detection, and more than just spyware and malware. It’s about protecting your corporate integrity, such as making sure that the data your published reports are based on is accurate and unaltered. It’s also about availability, ensuring you, your staff and your tenants can access applications and information as and when needed. It’s about people, their behaviour, sometimes careless and sometimes malicious. And it’s also about prioritisation – what matters most and which information needs the most protection?
In this article, we’ll take a look at the current state of cybersecurity and what organisations should be doing to keep the information they hold secure and private.
What does ‘cyber’ mean?
The word cyber could, depending on the context, be replaced by computer, network, virtual or simply ‘very modern’, but keeping information secure and private is not new. What is new is the multiplicity of ways (‘threat vectors’ in techno-speak) that can be used to access your information.
In the following paragraphs we will look at the threats and the vulnerabilities that together create the risks that threaten the achievement of your objectives with regard to your valuable information. (corporate strategies and plans, tenant information, financial information, employee information and so on). We will also look at what can be done to minimise those risks and keep information confidential, accurate and available.
Where are the threats coming from?
Depending on your context and the nature of the information you hold, the chief threats could be one or more of the following:
- Aggressive competitors;
- Hostile nation states;
- Criminal organisations;
- Hackers and ‘hacktivists’;
- Disgruntled employees.
What are your vulnerabilities?
To access your information, they will exploit your vulnerabilities so it’s imperative that you’re aware of and address these. For a typical organisation, the vulnerabilities include:
- Unpatched flaws in operating systems and applications;
- Unwitting employees who are unaware of the methods employed by those who would steal and/or corrupt your data;
- IT system misconfiguration (akin to leaving the back door open);
- Mobile devices – whether under your control or not, they provide an access point to your information;
- Supply chains and service providers with poor cyber defences can offer an easy route to your information;
- Storing data in the cloud – do you know how secure it is?
The risks are what threatens the confidentiality, integrity and availability of your information. They include, but aren’t limited to the following:
- Denial of service attack – attacking your systems in a way that prevents legitimate users from accessing your information and systems;
- Extortion and ransomware – encrypting your data and demanding payment for the decryption key;
- Data breaches (external or internal);
- Data changed or manipulated maliciously;
- Spyware – stealing information and routing it to external parties;
- Identity theft – criminals masquerading as clients.
Managing your risks
The wide range of threats, vulnerabilities and resulting risks mean that the right solution requires a combination of preventative and mitigation measures. As you would expect, many of these have an IT component, but many are dependent on human behaviour and a sound corporate culture.
Preventing undesirable consequences can be achieved by a combination of the following controls:
- Policies and procedures – set the tone from the top and enforce good practice;
- Training and awareness – make sure people know your policies and procedures;
- Verify – train people to recognise attempts at identity theft and to follow strict rules on identify verification;
- Responsible person – have one person who ‘owns’ information security;
- Access control – only provide access to as much information as is required;
- Limited access between systems – only allow as much access as is necessary;
- Intrusion prevention – do you have secure and robust firewalls?
- Intrusion detection – do you know if you’re being attacked?
- Integrity monitoring – do you know if information has been altered?
- Monitor the traffic – do you know what information is leaving your organisation?
- Backup your data regularly – know how much you can afford to ‘lose’;
- Manage all mobile devices that can be used to access your information;
- Train all employees on good practice when using mobile devices;
- Get a third party to verify your defences, such as a penetration test;
- Monitor adherence to your own rules;
- Incident response plans – have a plan for when it does go wrong.
On an on-going basis, it’s recommended that a cross-departmental group is formed to discuss how to address the many aspects of information security. You can’t necessarily assume that your IT department understands your business operations, so you therefore can’t assume that they will have addressed all of your information security concerns. By involving people from across the organisation, you can be more confident that the solution(s) will be comprehensive and effective. If people are actively involved in designing a solution to a problem, they are then more likely to own it and implement it.
Some questions that this cross-departmental group should consider and which will help stimulate discussion:
- What information is sensitive, and how is it identified?
- Are there rules governing how sensitive information is to be treated?
- Who decides who has access to what information?
- How often do managers confirm that the access rights of those reporting to them are correct and appropriate?
- Have all legal, regulatory and contractual obligations regarding the information you hold been identified, and are there appropriate processes to ensure compliance?
- Have you outsourced any critical functions or activities? If so, is somebody responsible for ensuring that your service provider has security controls that comply with your policies?
- Do any of the products or services you sell include access to information systems? If so, are discussions on information security held at an early stage in the development of the products or services so that security can be built in rather than bolted on later?
- Do you actively restrict what can be downloaded and/or installed on computers?
- Does your HR department address information security concerns when recruiting or promoting people?
- Do you have robust processes around the sourcing and retention of information on which key business decisions are made?
- Do you have robust processes governing the transfer of sensitive data from your organisation to third-party organisations?
- Is somebody staying abreast of current threats and vulnerabilities and ensuring that your organisation’s defences remain up-to-date?
Reasonable best efforts
And if you do buy cybersecurity risk insurance, remember that the insurance company will still expect you to have employed ‘reasonable best efforts’ to protect and keep secure the information that you hold. Have you?
Gerard Joyce is the CTO of CalQRisk.