Once again cybersecurity is in the headlines, with more and more reports of state-sponsored cyber-attacks on businesses and government institutions. The new National Cyber Security Centre (NCSC) has already addressed over 180 serious and sophisticated cyberattacks since its inception only three months ago, so it is clear that the problem is serious, and all statistics show it is only getting more intense. Another thing that made me happy is that the NCSC does NOT recommend forced regular password changes or over-complexity. A breath of fresh air in this interminable discussion.
It is not just government bodies that are being attacked; your business, however large or small, is just as likely to be a target. The difference is only the level of sophistication of the attack, and even then this is not necessarily a differentiator.
The real challenge is getting the business to understand the risks inherent in these attacks - and vice versa of course: the tech department should be able to advise the business on what the impact of a successful attack could be. For instance, in light of the recent statistics about the thousands of attacks happening in Britain every day, what has your business done to minimise recovery time and costs? Is it ‘leaving it to IT because it’s their domain’? Or is it being proactive by considering steps the business itself can undertake to offset the cost of succumbing to such cybercrime? Have you allocated a budget for recovery? I wish I was as sure of winning the lottery as I am that 99% of businesses haven’t done any of this.
Businesses work through market risk analysis every day, but has senior management considered the benefits of doing this with respect to cybersecurity? Cybersecurity and cybercrime should be a regular part of the SWOT analysis, under the Weakness and Threat headings. If you assume there is an issue, you won’t be surprised when it appears in its worst form. Cybersecurity and cybercrime can be equated to personal security: the bodyguard has to win every time, the assassin (cybercrime) only once. Here are a couple of examples:
Everyone has heard of it of course, but what is the impact of its effects? The IT department can advise on the origins, effects and technical solutions. It is then up to business management to work out the business costs and the mitigation of such an attack. Do you pay to get out of the situation? Do you make sure there are adequate backups to restore the systems under attack? How much data can you afford to lose? Of course, this leads to a conclusion often overlooked when considering business risk - one way or another it’s going to cost actual money to fix the problem. Work out and set aside a suitable budget to recover from such attacks. An unexpected cost will impact both goodwill and the bottom line in terms of reduced profitability. Prove to the market that you have allocated resources to cover this risk and it will help market confidence.
External threats - Business Partners:
During the recent 2017 RSA Conference in San Francisco, Zulfikar Ramzan, the RSA chief technology officer, said that businesses should consolidate their suppliers to reduce risk. He highlighted one business he knew of that had 84 security product and service suppliers. In principle I agree, up to the point when he said not to adopt a ‘leave no supplier behind’ policy but instead to “double down (whatever that means) on suppliers who work well and ditch the rest”.
Does reducing your supplier list really have a positive effect on risk? Or can it be negative, offering less choice and expertise and potentially creating compromise in due course? Taking this approach is also likely to be expensive to put into practice because of the evaluation and contract re-negotiation process. Instead, consider taking control of this supply interface by defining standards (including IT and security aspects, to prevent incidents such as the Target breach) to which your partners and suppliers must adhere in order to conduct business - with proof of compliance. This is how businesses such as the car or aerospace industries work: whoever they choose to supply their business has to prove specific standards of supply, or they do not make the supplier list.
No-one said it would be easy to protect yourself, and assuredly you can never be 100% safe given the war of attrition that is cybercrime, but if you cover as many eventualities as possible through thorough risk analysis, your business becomes safer to operate.
The Cybersecurity lesson:
Make sure the business works closely with the IT Department, otherwise security opportunities are lost.