Mark Stollery is a cyber security expert at PA Consulting Group.
In this article he describes how organisations can best go about protecting their critical information.
Recently the UK’s security chiefs urged businesses to review their cyber governance as part of an ongoing campaign to raise awareness of the cyber threats facing UK businesses.
For many, cyber defence has traditionally relied on having a strong perimeter, achieved through sophisticated firewalls, external access controls and anti-virus software.
But recent experience – and the call from the chiefs to make cyber security a governance and leadership issue – shows that having a strong perimeter is no longer enough.
If giants like BAE, Google, Lockheed Martin, Qinetiq, Sony, the Australian security service and the US Army Corps of Engineers can all be vulnerable to cyber espionage, what hope is there for the rest of us?
The good news is that you can still keep your information secure. You just need to accept that, if your organisation is like a castle, then the cyber threat is no longer a simple battering-ram or hail of arrows. It’s more like a plague of rats, coming and going at will.
Strong walls won’t keep them out, but they can be stopped if you take the right precautions.
You can’t defend against everyone, so start with your enemies
There are many cyber attackers around today, from nation-states to organised criminal gangs, from politically-motivated ‘hacktivists’ to solitary teenagers. Each will target organisations for different reasons.
As it’s unlikely that all of these attackers will have you in their sights, your first step should be to identify the true, rather than the imagined, threat.
Once you have identified your adversaries, you can form a view of their capabilities and techniques.
The spectrum is wide: hackers use simple tools to deface a website, whereas foreign states can steal data without ever being detected.
This means that different aspects of your organisation will face different threats, and will require you to implement appropriate defences. For example, theft of IP is different from a denial-of-service attack, so your precautions and response should vary accordingly.
You can’t protect everything, so protect what’s most important
It’s unrealistic to try to protect everything, so you should focus on safeguarding your critical information. This is the material that, if shown to be unprotected, will damage your reputation and business.
But you cannot protect your critical information if you don’t know what it is.
Critical information varies from business to business and might include pre-patent IP, proprietary algorithms, customer data, strategic expansion plans and bottom-line negotiating positions. Once you have identified what information counts as critical for your organisation, you should prioritise it as such and ensure that it is protected.
This means knowing where your critical information is held.
This is very hard because people can easily copy, send and print files, and keep data on external devices and Wi-Fi networks.
But you can start by establishing who hosts your backup or Cloud service, where your data servers are physically located and whether their security measures match up to your own.
And can you be absolutely sure that your critical information is not currently sitting on an employee’s personal device or home computer so they can work on it over the weekend?
You also need to control access to your critical information as much as possible. Network access permissions, and the rigorous enforcement of them, are of crucial importance here.
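One practical way to act on the two points above (knowing where critical information is held, and enforcing access to it) is to keep a register of critical files and audit it regularly. The script below is an added example, not part of the original article: it takes a constructed register of labelled files, reports any that are missing from their registered location or readable by everyone, and then scans other directories for unregistered copies by content hash. The register entries, directory layout and labels are all assumptions made up for the demonstration.

```python
"""Audit a critical-information register against the filesystem."""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(register, scan_roots):
    """register: {label: registered_path}. Returns sorted (label, finding, path)."""
    findings, digests = [], {}
    for label, path in register.items():
        if not os.path.isfile(path):
            findings.append((label, "missing", path))  # not where it should be
            continue
        mode = os.stat(path).st_mode
        if mode & stat.S_IROTH:
            findings.append((label, "world-readable", path))
        if mode & stat.S_IWGRP:
            findings.append((label, "group-writable", path))
        digests[sha256_of(path)] = label  # fingerprint for copy detection
    registered = {os.path.normpath(p) for p in register.values()}
    for root in scan_roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.normpath(os.path.join(dirpath, name))
                if p in registered:
                    continue
                label = digests.get(sha256_of(p))
                if label:  # same content, unregistered location
                    findings.append((label, "unregistered-copy", p))
    return sorted(findings)


def demo():
    """Constructed scenario: a vault, a stray copy in a home directory, a lost file."""
    base = tempfile.mkdtemp()
    vault, home = os.path.join(base, "vault"), os.path.join(base, "home", "alice")
    os.makedirs(vault), os.makedirs(home)
    secret = b"constructed blueprint contents"
    for path, data, mode in [
        (os.path.join(vault, "blueprint.pdf"), secret, 0o600),
        (os.path.join(vault, "pricing.py"), b"def price(): pass\n", 0o644),
        (os.path.join(home, "weekend-work.pdf"), secret, 0o600),
    ]:
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    register = {
        "blueprint": os.path.join(vault, "blueprint.pdf"),
        "pricing-algorithm": os.path.join(vault, "pricing.py"),
        "expansion-plan": os.path.join(vault, "expansion.docx"),
    }
    return audit(register, [base])
```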
It’s also essential to watch out for vulnerabilities in your external partners’ security standards.
Firewalls and software will only get you so far – success relies on strong leadership
Most cyber-attacks are unsophisticated and succeed only because the victim does not take basic precautions. The Australian government says that the top four measures (out of 35) to mitigate cyber-attacks prevent over 85% of attacks. The UK’s equivalent advice (CESG’s “10 Steps to Cyber Security”) recommends similar ‘housekeeping’ measures.
The very few organisations at threat from world-class attackers such as China-based cyber espionage groups need to take additional technical, organisational and policy precautions.
For some, this means drastic measures – even reverting to keeping blueprints in hard copy.
But, for many, the single most important strand of defence is staff.
Cyber spies are adept at duping even the most loyal and intelligent people and getting them to reveal cyber weaknesses. So staff must be made aware of the threat, must learn the more common techniques, and react properly when they spot something suspicious. Training must be tailored to make it relevant, memorable and effective at driving behavioural change.
Ultimately, the difference between success and failure in cyber security is leadership. Smart firewalls and anti-virus software will only get you so far. Senior executives must set the tone, instigate and maintain the right corporate culture and lead by example.
Cyber defence isn’t easy, but it is possible.
For some useful pointers, try the new outcome-based cyber security standard, PAS 555, developed by a consortium of industry groups including PA Consulting Group.