HACKERS BROKE THROUGH the defences on Microsoft’s UK website and replaced the real content with a photo of a small child carrying a Saudi Arabian flag. Details of the safe house Michelle Obama would use after a White House evacuation were intercepted during transmission across an insecure peer-to-peer file-sharing network. The Vatican recently refused to comment on reports that it had fallen victim to a Trojan key logger that captures sensitive user information and exports it to a server in a remote location. If the biggest and the best can’t protect themselves from cyber crime, what hope is there for the rest of us?
As with most questions, the answer depends on who you ask. “There’s no such thing as 100% security,” says Latha Maripuri, IBM director of worldwide security services, while Jim Hansen, executive vice president at PhishMe, claims that “anybody can be phished. You don’t even have to leave your sofa to find out an awful lot about anybody.”
And while you might expect this sort of response from those with products and services to sell, it comes as more of a surprise when the UK government comes along with a warning that too few company chief executives and boards take a direct interest in protecting their businesses from cyber threats.
“Cyber security threats pose a real and significant risk to UK business by targeting valuable assets such as data and intellectual property,” says business secretary Vince Cable. “By properly protecting themselves against attacks, companies are protecting their bottom line and ensuring that this happens should be the responsibility of any chief executive or chair as part of an approach to good corporate governance.”
Apparently, cyber security is “all too often thought of as an IT issue, rather than the strategic management issue it actually is”, so the government has published a Cyber Security Guidance for Business (see box).
The guidance has been produced by the Department for Business, Innovation and Skills, CESG (the information security arm of GCHQ) and the Centre for the Protection of National Infrastructure (CPNI) to help the private sector minimise the risks to its information assets.
Fear is a powerful motivator, so it’s not short of scary examples of nameless entities that have fallen victim to cyber crime and lost market share, suffered material financial loss or severe reputational damage as a result. Nor is it short of reasons why boards need up-to-date information on threats and known business vulnerabilities, and it provides practical and comprehensive guidance on the steps required to achieve this – without getting too techy.
But are boards and management as unaware of cyber crime or as unprepared for it as the government suggests?
“There is always room for improvement. Most businesses recognise that the volume and sophistication of cyber crime is rising, but many are still struggling to fully understand the increased threat, let alone respond effectively,” says Mike Maddison, EMEA head of security and resilience at Deloitte, who welcomes the step the government has taken by raising cyber security as an overall business risk rather than just a technical risk. “People in the most senior positions need to understand this and plan for the worst,” he says. “But awareness on boards and audit committees is high, and many recognise cyber as a top five risk.”
According to Maddison, the challenge for many CEOs, CFOs and audit committees is to understand how real the risk is in the context of their organisation and find the appropriate level of investment to manage that risk.
“We’re aware of the government guidance,” says Nick Rawlins, director of finance with the radio broadcaster Lincs FM. “We take security extremely seriously and have policies in place to protect us as much as possible, and we have invested in making our systems as secure as possible. We know we can always be stronger or tighter, but it has to be cost-effective. How many spare tyres do you carry in case of a puncture?”
Lincs FM uses anti-virus software, encrypts wireless connections, uses firewalls, scans incoming files for threats, and has policies covering all aspects of IT security. “These policies are discussed at strategy team level, continuously updated, and regularly reported on to the board,” explains Rawlins.
At British Red Cross, meanwhile, talk of cyber crime doesn’t usually reach board level unless there is a specific incident to discuss – but this doesn’t mean that cyber security is neglected. “Regular penetration testing is carried out to reduce the risk of infiltration,” says Rohan Hewavisenti, director of finance and business development, who adds that the charity has regulations, guidelines, policies, procedures and specialist tools to protect against all sorts of cyber threats.
According to Bob Tarzey, an analyst at Quocirca, ‘point’ security products used on their own can no longer do enough in the age of the targeted attack. “Hackers know how to deal with standard security through techniques such as encrypted and continuously morphing malware, internally deployed command and control servers,” he explains. “Detecting and stopping these requires more advanced techniques such as security information and event management tools that can detect threats by correlating information from a wide range of sources, including point security products themselves.”
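The correlation Tarzey describes (and the log analysis called for in step 8 of the ten steps later on the page), sketched as an added Python example that is not part of the article and is not any vendor’s product: three constructed log feeds (endpoint anti-virus, firewall flow records and a directory audit trail) are parsed, each yields its own weak signal, and a host is flagged only when two or more independent sources agree within a window. The sample log lines, hostnames, addresses, field names and thresholds are all hypothetical.

```python
"""Toy SIEM-style correlation over constructed log lines (hypothetical data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed asset inventory (hypothetical): internal IP -> hostname.
INVENTORY = {"10.1.5.42": "ws-042", "10.1.5.43": "ws-043", "10.1.9.7": "srv-file01"}

# Constructed sample events, not real logs. Sources: endpoint AV ("av"),
# firewall flow records ("fw") and the directory's privilege audit ("audit").
SAMPLE_LOGS = """\
2013-03-05T09:00:05 av host=ws-042 action=detected verdict=unknown file=svc.exe
2013-03-05T09:00:06 av host=ws-042 action=quarantine_failed file=svc.exe
2013-03-05T09:00:20 fw src=10.1.5.43 dst=93.184.216.34 dport=443 bytes=18231
2013-03-05T09:01:00 fw src=10.1.5.42 dst=10.1.9.7 dport=443 bytes=512
2013-03-05T09:02:01 fw src=10.1.5.42 dst=10.1.9.7 dport=443 bytes=498
2013-03-05T09:03:00 fw src=10.1.5.42 dst=10.1.9.7 dport=443 bytes=530
2013-03-05T09:03:10 fw src=10.1.5.43 dst=10.1.9.7 dport=445 bytes=90211
2013-03-05T09:04:02 fw src=10.1.5.42 dst=10.1.9.7 dport=443 bytes=511
2013-03-05T09:05:00 fw src=10.1.5.42 dst=10.1.9.7 dport=443 bytes=505
2013-03-05T09:06:01 fw src=10.1.5.42 dst=10.1.9.7 dport=443 bytes=520
2013-03-05T09:06:30 audit host=ws-042 user=bob event=added_to_group group=domain_admins
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse(text):
    """Parse 'timestamp source k=v k=v ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count and report these
        ts, source, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "source": source}
        ev.update(kv.split("=", 1) for kv in rest.split())
        events.append(ev)
    return events


def av_signals(events):
    """Endpoint AV saw something it could not remove: the host is still suspect."""
    return [(e["host"], e["ts"], "av:quarantine_failed")
            for e in events if e["source"] == "av" and e["action"] == "quarantine_failed"]


def beacon_signals(events, min_count=5, max_jitter=5.0):
    """Regular-interval connections from one src to one dst:port look like C2 polling.
    The destination is deliberately NOT required to be external, so a command and
    control server stood up on an internal host is still caught."""
    flows = defaultdict(list)
    for e in events:
        if e["source"] == "fw":
            flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    out = []
    for (src, dst, dport), times in flows.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter:
            out.append((INVENTORY.get(src, src), times[-1], f"beacon:{dst}:{dport}"))
    return out


def privilege_signals(events):
    """A user being added to a privileged group is a weak signal on its own."""
    return [(e["host"], e["ts"], f"priv:{e['group']}")
            for e in events if e["source"] == "audit" and e["event"] == "added_to_group"]


def correlate(events, window=timedelta(minutes=15)):
    """Alert on a host only when at least two independent sources agree within
    the window; a single signal from one point product is left as a low-priority note."""
    by_host = defaultdict(list)
    for host, ts, sig in av_signals(events) + beacon_signals(events) + privilege_signals(events):
        by_host[host].append((ts, sig))
    alerts = {}
    for host, sigs in by_host.items():
        sigs.sort()
        first = sigs[0][0]
        in_window = [s for t, s in sigs if t - first <= window]
        kinds = {s.split(":")[0] for s in in_window}
        if len(kinds) >= 2:
            alerts[host] = sorted(in_window)
    return alerts


def run_sample():
    """Correlate the constructed sample; returns {host: [signals]}."""
    return correlate(parse(SAMPLE_LOGS))


if __name__ == "__main__":
    for host, sigs in run_sample().items():
        print(host, "->", ", ".join(sigs))
```

In the sample only ws-042 is raised, on the strength of three feeds that individually say little: the anti-virus alone would be a failed clean-up, the firewall alone a workstation talking to a file server every minute, the audit trail alone a group change. Feed the correlator the firewall records by themselves and it returns nothing, which is the ‘point products on their own’ problem in miniature. The jitter and count thresholds are placeholders; legitimate software also polls on a schedule, so on real traffic they have to be tuned against an allow-list of known updaters and monitoring agents.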
Keeping up with the latest threats and approaches to managing them can be as much of a challenge as deciding on the ‘appropriate investment’, but it’s not been a problem for learning provider White Springs. “We have policies and procedures in place covering data access,” says chief executive Gary White. “But we keep all of our data in the cloud and rely on specialised third parties to provide a level of security that we couldn’t possibly achieve ourselves.”
This means cyber security is not a board level issue. “Discussions rarely come up,” says White. “A number of the non-executives are in cloud businesses themselves so they don’t see it as an issue” – and that’s their excuse for not reading the government’s Cyber Security Guidance. What’s yours?
CAN YOU RISK IT?
High-profile security breaches and industry research show an over-confident approach to cyber security and highlight the fast-changing nature of the threat landscape, so the UK government is urging management and board members to recognise the strategic, financial and operational importance of cyber security and take action to minimise the risks.
Cyber Security Guidance for Business comprises three products:
The first is aimed at senior executives. It offers some high-level questions which should help to determine critical information assets, support strategic level risk discussions, and help to ensure that the right safeguards and cultures are in place.
The second product is an executive companion which offers guidance on the protection of key assets. It focuses on key points of risk management and corporate governance and includes some anonymous case studies based on real events.
In support of the executive companion, there is also more detailed cyber security information and advice that addresses ten critical areas. Each area is summarised with an outline of the potential risks, and practical measures and advice are provided to reduce them – and there is more detailed guidance endorsed by the Centre for the Protection of National Infrastructure.
TEN STEPS TO BETTER CYBER SECURITY
Your company can minimise the risks of being hit by an attack on its computer systems with help from the Department for Business, Innovation and Skills:
1. Manage information risk
Establish an effective governance structure and determine your appetite for cyber risks. Engage the board. Produce information risk management policies. Adopt a lifecycle approach.
2. Educate users
Produce user security policies covering acceptable and secure use of the organisation’s systems. Establish a staff training programme. Maintain user awareness of the cyber risks.
3. Protect networks
Protect your networks against external and internal attack. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls.
4. Manage malware
Develop and publish an anti-malware policy and establish defences across all areas of the organisation. Use automatic scanning.
5. Control removable media
Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing anything onto the corporate system.
6. Maintain security
Apply security patches. Ensure baseline security for workstations, servers, firewalls and routers. Conduct vulnerability scans.
7. Address user privileges
Manage user accounts from creation to deletion. Limit the number of privileged accounts and user privileges. Monitor user activity and control access to activity and audit logs.
8. Monitor activity
Establish a monitoring strategy and produce supporting policies. Continuously monitor all ICT systems and networks. Analyse logs and network traffic for activity that could indicate an attack.
9. Plan for problems
Establish incident response and disaster recovery capability. Produce and test your plans. Train the incident management team. Report crimes to the police.
10. Focus outside the enterprise
Develop policies for home and mobile working and train staff to adhere to them. Ensure your security baseline is met on all devices. Protect data in transit and at rest.