Secure in the Knowledge – Part 2

Three Business Customer
On: 5 May 2016

Damian Griffin, CTO of Ireland’s Defence Forces, returns to tell us how corporate security thinking needs to evolve in the face of changing threats.

Businesses used to visualise information security breaches as being direct attacks on their core corporate systems, but as my last blog demonstrated, something as simple as a photo on Twitter or Facebook can release vital information into the wrong hands and cause extensive damage. When enterprises think about information security, they should consider that they may also be used as an accessory or vehicle, as well as simply being the main target of the crime itself. In this blog I’m going to talk further about the things organisations can do to evolve their thinking about security in line with changing security risks.

Consider back in 2011 when the Script Kiddies cybercrime group hacked Fox News’ Twitter account and reported the death of Barack Obama. There have been other similar attacks since. Fox and Twitter were used purely as ‘vehicles’ aimed at hurting the US economy and putting the stock market into shock – and it worked! This alleged act of cyberterrorism had implications for many innocent corporate bystanders.

The key point I’m making here is that the organisational defences and battle strategy now needed to address cybercrime must be simple and logical but also focus on much more than a direct attack. They need to reflect the fact that there are many more ways of hurting an organisation than there used to be, many more doors left unlocked and chinks in the armour. As a business, consider that you may well be a critical pawn in the cybercriminal’s game.

So how do organisations need to change their security thinking? Here are four things to consider:

  1. Think like the bad guys. It’s easy to take a defensive stance on security and spend time ‘putting more nails in the wooden planks’ only for the wind to change direction and cause damage in another way. Put yourself in a cybercriminal’s shoes. Think about what cybercriminals are trying to achieve, how they’re going about it, and how they are most likely to hurt you. To win the war we need to lose a few battles and learn from our mistakes. That gives us greater intelligence than the organisation that never gets breached and therefore doesn’t really know where its weaknesses lie.
  2. Think information management, not information security. If you have data stored all over the place in different systems and devices, it is very difficult to keep an eye on where that data is and what’s happening to it. By focusing on information management, you instantly reduce the security effort required, because you can see what is happening to your data and take action when things look wrong. You know where security needs to be applied.
  3. Think ‘evolution’ rather than ‘everything now’. Most IT adoption is evolutionary. We have to prioritise against corporate goals and, of course, budgets. But it’s easy for security to become reactive, thinking “we just need it in case…” rather than “it will enable us to…” You have to accept that building your security defences is an evolutionary journey and you can’t put everything in place instantly. This means you need to focus first on making IT simple, so that silly mistakes and the opportunities for breaches are kept to a minimum. For example, virtualise the network to remove the massive endpoint and device risks that otherwise become all-consuming. Remember, cybersecurity is an ongoing war, not a single battle.
  4. Think future, not just today. What is your organisation going to look like in 10 years’ time? Will the gig economy mean most of your staff are freelance contractors using their own technology and less bound by corporate rules and policies? Will machine-to-machine computing have massively increased the volume of data being transferred in and out of your organisation and created a whole new cyber risk? One thing is certain – from a data perspective our organisations are only going to get more complex, so you need to think about what the threats might be in the future and start working now on how to manage them. Security is often an afterthought to business change; it should be one of the first aspects of business transformation that is worked on.

The bottom line is that the critical factors in information security are simplicity and people. Simplicity needs to be an ethos you live and breathe, both in the solutions put in place to manage security and in the way you manage your corporate information. Keeping it simple enables you to retain control of an ever more complex and risky operational structure. And why people, not technology? Well, information is the cybercriminal’s prize, and technology is key both to helping them get it and to preventing them; but it is people who are the critical potential weakness in between. Help your people to know the risks and protect themselves, and in turn protect your organisation.

Remember, information security is an ongoing war made up of many battles; some you’ll lose, but you’ll learn from them and gain the ability to win others.