By George Davies, CEO, MooD International
It is not possible to do business today without engaging with the wider cyber world. This brings advantages, such as economies of scale and 24-hour access to some services, but it also brings inherent risk: any online system is to some degree open to attack and disruption.
Rather than simply pouring money into what can become a black hole in the fight against cyber threats, businesses need to be smart in assessing their vulnerabilities and more proactive in joining the dots between those vulnerabilities and their business objectives.
The misallocation of resources in fighting cybercrime is shaped more by economic and political factors than by behavioural ones. Because of globalisation, the victims of a single scam are often spread across many jurisdictions, which reduces both the opportunity and the motivation for police action.
But what does this mean for business, and what steps can be taken to reduce cyber risk? Here are three things for IT departments and board members to keep at the front of their minds:
1. It’s not about absolute security, but prioritisation and the business case
A starting point is to recognise that the threat is real and affects every business and state organisation, and also that there is no such thing as 100 percent protection.
A fortress mentality is simply impossible due to the connectedness of the way the modern world works. The most important thing is to understand the impact of threat scenarios on the business, and to ensure that investments are focused on the assets, services, or capabilities that drive key business outcomes.
By understanding the impact of potential threats on business objectives it is possible to decide which areas warrant priority investment in security.
2. It’s not just about how IT runs security, but about business operations
The degree of risk that can be posed to a business by a successful cyber attack needs to be acknowledged and addressed at board level.
One implication of this is the need for transparency and visibility across the organisation, so that if a problem occurs it’s possible to get the right people involved and mitigate negative impact.
Such activity is not limited to technical recovery; it might also include public communications, reconfiguring the supply chain, or restricting what certain personnel are permitted to do.
3. It’s not about reacting to past events, but about anticipating the effect of future events, regardless of where these come from
The business needs to be aware of the potential consequences of its actions in terms of provoking greater interest from those who are intent on causing harm.
New product launches, newsworthy activities, or sharp increases in performance can all trigger unwanted interest. Campaign planning across the organisation needs to anticipate the threats that may be provoked and put the necessary protection in place. This demands transparency and visibility, together with top-level acknowledgement of threats.
The perpetrators of cyber crime are agile, dynamic and unpredictable, which makes a confident, proactive approach to cyber defence hard. However, the alternative is to commit to a strategy of ‘hope for the best’ plus fire-fighting as and when weaknesses are exposed.
Well-publicised best practice security measures – for example 10 Steps to Cyber Security, published recently by the UK Department for Business, Innovation & Skills – provide an excellent backbone.
Software now available allows executives to monitor, on a large screen in their offices, the effect a problem in one part of the world is having on other parts of the business.
This is achieved with a heat map that shows, in close to real time, any issues occurring across the network. When a region turns red, executives can drill down into it to find out where the problem is and what effect it is having.
This could be a data centre in Bangladesh causing problems for a call centre in North America, or online political protest that puts a new oil platform in a politically unstable area under cyber attack.
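As an added illustration (not code from the original article, and not MooD's product), the following Python sketch shows the mechanics behind both the prioritisation point made earlier and the heat map described above: a dependency graph from assets through services to business outcomes, a criticality ranking that says where protective investment belongs before an incident, and a region heat map that propagates a failure in one place to the services it degrades elsewhere. The sites, systems, regions and outcome weights are constructed sample data, not real infrastructure.

```python
from collections import defaultdict

# Constructed sample model; none of these are real sites or systems.
# LOCATION maps assets and services to the region they run in; business
# outcomes have no location. DEPENDS_ON lists what each node needs in order
# to function, and OUTCOME_WEIGHT is each outcome's share of the business
# objectives (the weights sum to 1).
LOCATION = {
    "dc-dhaka":        "Bangladesh",
    "dc-frankfurt":    "Germany",
    "crm-platform":    "Bangladesh",      # hosted in dc-dhaka
    "voip-gateway":    "North America",
    "call-centre-na":  "North America",
    "billing-service": "Germany",
    "rig-scada-link":  "West Africa",
    "platform-ops":    "West Africa",
}
DEPENDS_ON = {
    "crm-platform":       ["dc-dhaka"],
    "call-centre-na":     ["crm-platform", "voip-gateway"],
    "billing-service":    ["dc-frankfurt", "crm-platform"],
    "platform-ops":       ["rig-scada-link"],
    "customer-retention": ["call-centre-na"],
    "cash-collection":    ["billing-service"],
    "production-uptime":  ["platform-ops"],
}
OUTCOME_WEIGHT = {"customer-retention": 0.30, "cash-collection": 0.45, "production-uptime": 0.25}

# Reverse index: node -> nodes that directly depend on it.
DEPENDANTS = defaultdict(list)
for _dependant, _needs in DEPENDS_ON.items():
    for _need in _needs:
        DEPENDANTS[_need].append(_dependant)


def downstream(node):
    """Every node that transitively depends on `node` (walk over the reverse edges)."""
    seen, queue = set(), [node]
    while queue:
        for dep in DEPENDANTS[queue.pop()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def outcomes_at_risk(node):
    """Business outcomes that would be lost if `node` failed."""
    return sorted(n for n in downstream(node) if n in OUTCOME_WEIGHT)


def criticality(node):
    """Weighted share of the business objectives resting on this single node."""
    return round(sum(OUTCOME_WEIGHT[o] for o in outcomes_at_risk(node)), 2)


def investment_priority():
    """Assets and services ranked by criticality, highest first: the list a
    board can use to decide where protective spend goes before an incident."""
    return sorted(LOCATION, key=criticality, reverse=True)


SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}


def heat_map(incidents):
    """Status per region from a dict of {failed node: description}.
    RED: a failed node is located here. AMBER: something here is degraded by a
    failure elsewhere. Each region keeps drill-down detail so an executive can
    see where the problem is and which business outcomes it puts at risk."""
    board = {r: {"level": "GREEN", "detail": []} for r in set(LOCATION.values())}

    def raise_level(region, level):
        if SEVERITY[level] > SEVERITY[board[region]["level"]]:
            board[region]["level"] = level

    for failed, description in incidents.items():
        raise_level(LOCATION[failed], "RED")
        board[LOCATION[failed]]["detail"].append(
            {"node": failed, "cause": description, "outcomes_at_risk": outcomes_at_risk(failed)})
        for hit in downstream(failed):
            if hit in LOCATION:  # a located service; outcomes have no region
                raise_level(LOCATION[hit], "AMBER")
                board[LOCATION[hit]]["detail"].append(
                    {"node": hit, "cause": f"depends on {failed}",
                     "outcomes_at_risk": outcomes_at_risk(hit)})
    return board


if __name__ == "__main__":
    for node in investment_priority():
        print(f"{node:16} criticality={criticality(node):.2f} region={LOCATION[node]}")
    for region, status in sorted(heat_map({"dc-dhaka": "cooling failure"}).items()):
        print(region, status["level"], status["detail"])
```

With a single constructed incident at the Bangladesh data centre, the Bangladesh region turns red while North America and Germany turn amber, and the drill-down for North America names the call centre and the customer-retention outcome it puts at risk. The criticality ranking is computed from the same graph, so the two views cannot drift apart: an asset is a priority for investment for exactly the reason it would light up the map.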
The right, targeted investment in technologies and skills gives businesses the ability to map cyber threats onto business aims, so that they can be much smarter in closing serious security gaps before they are exploited.
Cyber defence needs to be handled by organisations as a board-level risk, based on a clear understanding of business-driven cause and effect.
Cyber security is not just about throwing money at a problem in the hope that it will go away. A targeted approach is possible, but only if there is a clear understanding of what drives achievement of business objectives, backed by a transparent view of what is actually happening in the business, and a connected understanding of cause and effect.