First and foremost, I’m going to start by saying if I include any cliché quotes it’s probably in an ironic context or used to show how they aren’t practically useful. Why are we here? Well, based on the title, it’s because you are either a CEO/MD or you are in a leadership position and want to learn a little more about cyber security.
I’m sure you have read the news, I’m sure you have seen vendor adverts explaining something like:
- Zero Trust
- The Security Skills Gap
- How phishing can be solved through security awareness training (pro tip: it can’t)
And I’m sure someone on your LinkedIn feed you have seen people exclaim all kinds of crazy things like:
- TLS Weaknesses Lead to Ransomware
- Security is Simple (it, I’m afraid, is not)
- Managed Security Service Providers ensure security
In fact, there’s so much disinformation out there these day’s I tend to view part of “the machine” as a disinformation threat actor. That, however, has always been the case for every industry, and hopefully it’s the exception not the rule.
The challenges organisations face today are in fact simple in their origins:
- Humanity has connected vast amounts of the world to the internet
- Technology is pervasive in our lives and business
- Technology is incredibly complex when you look under the hood or more so with an electron microscope
- As a human race we haven’t really deployed technology historically (and still today) in a very secure manner.
Modern Day Cyber Threats
You only need to listen/look at the mainstream news to hear of major cyber incidents, we’ll go into some of those shortly, but the range of threats organisations face today is significant. We’ve always had to worry about business risks and threats, however as technology has both enabled the world to conduct business in new and exciting ways, it so has enabled a range of threats as well:
- Industrial Espionage
- Hostile Nation State Activity
- Insider Threats
- Denial of Service
- Unpatched Vulnerabilities in Internet Exposed Services
- Human Error (no, really, this is a real and prevalent issue)
Cyber security threats are real – a brief overview of some key cyber incidents
With the advent of the internet in the late 60’s through to the modern day, the explosion of digital systems and their integration into our lives and businesses continues to increase. From the first malware and worms in the 1970s through to modern day ransomware, DDoS and extortion as a service there have been major events that are changing the way organisations and humanity deploys technology.
Some key names in malware include:
- Melissa (1999)
- ILOVEYOU (2000)
- Petya (2016)
- WannaCry (2017)
- NotPetya (2017)
There are thousands of variants of malware created, these tools are commonly now used to support ransomware and other financially motivated cybercrime with high profile events including:
- Sony (2011)
- British Airways (2018)
- HSE Ireland (2021)
- Sunburst (2021)
- Colonial Pipeline (2021)
- JBS Food (2021)
- Kaysea (2021)
The list is simply massive, a few of these high-profile incidents have been recorded on Wikipedia:
However, this is simply a fraction of cyber enabled crime and data breaches.
We’ve seen huge disruption to healthcare, travel, and critical infrastructure services like oil. In some countries we’ve seen activity on critical national infrastructure alongside disruption of internet and communication systems. However, alarming the headline incidents are, we also must remember that fraud, insider threats and smaller cybercrime also can have major impacts to both organisations and people. There’s a myth that someone doesn’t have anything worth “hacking” them for, this simply isn’t true, everyone has something of value, be it resources that can be abused or simply extortion or social engineering fraud. From nation states, organised crime groups, petit criminals and insider threats, the digital world has a broad range of threats.
The CIA Triad
Ok this is less Jason Bourne and more management theory, however it’s useful to be aware of this model. In the security world Confidentiality, Integrity and Availability are held up as the three major pillars of security.
Often said in this order but, when it comes down to real life cyber security and keeping the lights on the order of organisational priority is almost always (except for some edge cases) is:
Like all things in life this depends upon a whole range of context, and it depends on the scenario.
“The state of keeping or being kept secret or private.”
“Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.”
“Ensuring timely and reliable access to and use of information.”
The CIA Triad Balance
In cyber security there is often a requirement to balance, balance:
As such there are a range of organisational drivers and requirements with regard to “how” and “what” an organisation MUST do and also, what it WANTS to do. For example:
- It may WANT to increase margin by reducing cost.
- It will NEED to comply with all relevant laws and regulations.
The reality of business is there are many areas of consideration, cyber security is one, and this all plays into the wider business opportunity and risk space.
Starting with the NEED
Let’s be realistic here, your first reason to care is a legal one. These aren’t optional (I’m focusing on the UK here because well this is where I do business) and whilst interpretation and case law clearly will provide some steering there’s some key general legislation you, as a business owner/leader will need to be aware of:
- The Data Protection Act (2018)
- The Data Protection (Processing of Sensitive Personal Data) Order 2000.
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act (RIPA) 2000
- Freedom of Information Act 2000
- The General Data Protection Regulation (GDPR)
- The Data Protection (Charges and Information) Regulations 2018
- The Digital Economy Act 2017
You will almost certainly need to register with the ICO as a data processor.
There is also a fee (unless you re except and there is a fixed penalty for organisations that do not register.
We can see there’s a fair bit of legal considerations that you need to be aware of, and subject to your business you may have industry specific legislation to consider, for example the National Health Service (NHS) need to be aware of Health and Social Care Act 2012.
Your organisation will have:
- A legal requirement to protect data
- Will have a range of market forces driving for information security capability
To work with some sectors, you may (certainly for the public sector) need to be able to demonstrate a minimum baseline of good cyber security practises. You will likely be required to contractually meet standards such as:
- Cyber Essentials
- Cyber Essentials Plus
- IASME Governance
You may also have specific vertical and customer specific requirement for security assurance.
On top of these driving forces, you will also have to consider:
- Brand and Reputation
- The Competitive Landscape
- Cyber Security as a unique selling point
- Security as a quality enabler
In the information security world so many often talk about risk and risk management, and absolutely these are key business capabilities and security capabilities, however there are also security opportunities.
A good security posture rarely can be achieved in isolation, digital services require funding, planning, designing, building, testing, operating, and retiring in a safe and secure manner. A stronger security posture also ties into operational efficiency, efficacy, quality and can be leveraged to dramatically enhance the customer digital safety experience.
In the security world it’s what you don’t know that bites hardest. This is generally similar to the business world. Investing in security is really an investment in your brand, staff, customers, and service/product quality. The reality is that today many organisations have weaker security postures than they a) realise and b) would like to admit. I can say through my travels that I often find organisations drastically underestimate their current states controls and capability and more, so the understanding of their security posture’s current state and investments aren’t where they need to be. There is a great deal of reliance upon overstretched and under resourced (and sometimes under skilled – see underinvestment) to simply “take care of it”.
Often searching for silver bullets of “buzz word” solutions doesn’t yield the return-on-investment people believe, security isn’t a product (not to say there aren’t some fantastic products out there, there are!) it’s a culture, programme, way of manging digital business risks. Good security starts with motivated, supported, and resourced people. Partnerships between vendors, service providers, public sector and private sector consumer organisations are key for security is never once and done, it’s a continual journey.
There’s a myth that there are two types of organisations, “those who know they have been hacked and those who don’t”, it’s far more complex, being vulnerable doesn’t guarantee a negative outcome, but I can say this for sure, there are organisations who are planned, prepared and ready to respond and there are those who are not. The one’s who are not will almost certainly suffer far greater impact at the hand of threats than those who are prepared. Cyber security isn’t a cost, it’s an investment in your business, brand, your people and your customers.