Secure in the Knowledge – Part 1

Three Business Customer
On: 29 Apr 2016

We invited Damian Griffin, CTO of Ireland’s Defence Forces, to tell us how the world and its security threats are changing.

Do you remember the simple social media mistake that cost the US military $80m? Back in 2007, when a new fleet of helicopters arrived at an aviation unit in Iraq, a group of soldiers took photos that were then published on the internet. Using geotags, the enemy was able to find the precise location of the helicopters and destroy four AH-64 Apaches. In short, seemingly innocent and acceptable social behaviour caused a major information security breach. But not a single corporate computer system was hacked or attacked in the process: a clear demonstration that many of the information risks that companies face today lie outside of corporate data and networks. The world has changed and therefore our approach to protecting information must change too.

The first way the world has changed is in the way organisations operate. Trends such as globalisation, flexible working, mobility, information consumption and sharing, the ‘as a service’ culture and more are making data ever more critical to success and an increasingly precious asset. But they also add complexity to the way data is managed, accessed and kept secure.

People and society have also changed, and the impact of this is felt way beyond the four walls of the business and its critical systems. In fact, the world is currently right in the middle of a period of ‘attitudinal diversity’ towards technology in the workplace. Older generations (in the military, let’s say the sergeant majors) are heavily aware of privacy and security and relatively conservative in their use of technology. Younger generations, on the other hand (let’s say the front-line soldier), have a more open attitude to using technology, think less about privacy and are more concerned with staying connected with friends. This spectrum of attitudes poses wide-ranging risks, from simple error by the unaware user to an information leak by the socially connected individual.

Ultimately it is people that get hacked, not systems.

Corporate security must consider how the behaviours of individuals and the wider non-corporate technologies that are crucial to their lifestyle could create risks.

Finally, criminal entities are changing too. Cybercrime is no longer about bored techies doing it simply because they can. It’s big business, complete with financial targets, goals, objectives and strategies, even customer service in respect of holding people at ransom ‘politely’ as they decide whether to pay up and regain access to their data. The number of attempted breaches has shot up exponentially too, especially with the rise in automated ‘business processes’ behind cybercrime such as phishing campaigns. You’re not dealing with opportunists; you’re dealing with a different type of business person.

In my view, this increasingly complex and data-driven world, and the organisations in it, actually require increasingly simple security approaches. Enterprises need to make it as easy as possible for their people to become secure, stay secure and act securely. Take, for example, what tends to happen if someone finds that their progress has been blocked by internal processes and procedures. Many will just find an unsecured way of doing their job, such as using a personal messaging platform to communicate if email is down. Security is ultimately about people, not systems. Make your people secure and your systems will follow. It’s also about learning: changing people’s understanding of security, and having simple systems that allow you to learn how security risks have occurred and how to avoid them in the future.
