Using the cyber attacks on other firms to drive defensive strategy
If there is one thing that recent cyber-attacks have shown, it is that nobody is safe. Threats hit big companies and public organisztions alike, and they touch politics as much as everyday life. The vulnerability of IT systems has been a common trait over the events of the past months, and yet one has to wonder whether the lesson has been learned.
In the aftermath of a cyber-attack, even one that has been stopped at an early stage, companies should take the time to consider what measures for prevention and recovery need to be put in place.
Putting together a package to defend against something that may or may not occur can sometimes be difficult to justify. For some businesses, it might take the unpleasant experience of being breached to prove the importance of an adequate cyber-security strategy.
The need to balance the books is a key driver for high level management. Unless a breach has previously been experienced, those trying to put strategies in place are only ever dealing with ‘what if’ scenarios. That said, vicarious experience is a robust tool: look at what competitors have experienced and use this to make convincing arguments.
In my experience, risks need to be quantified along with the likelihood of something happening. This makes it easier to make a persuasive argument.
Quite often, “once bitten, twice shy” tends to be the rule: businesses and individuals will become hyper aware of the route used to breach security after they’ve suffered from it. This may lead to wider implementation of security measures – or, it may actually cause a blind spot where the only threat that can be seen is the one that has happened before. This could leave other avenues open to criminals, as well as new areas for risks.
Automation will continue to be the biggest weakness for business, which is likely to be exacerbated by the increasing reliance on systems to manage business activities. Take data analysis, for example: many businesses make decisions without any real interpretation of the data or understanding of where it came from.
This means that false data designed to make businesses harm themselves could become a growth area. It would take effort, but the ability to falsify data is already there – it just needs to be applied on a larger scale. As the lines are blurred between "real" and "false" data, it will become increasingly difficult for businesses to use data analysis to drive their decisions.
Other than infrastructure, businesses need to remember the importance of preparing staff to deal with cyber threats. A number of different organisations are providing training opportunities, but there are some issues with this.
Firstly, there does not appear to be any consistency in the standards and content of the training provided. This may impact upon the quality of the provision: will it actually provide useful training that will have a positive effect on the business? Secondly, there does not seem to be any accreditation for learning providers, which means that the overall training will not be centrally assessed.
Having said this, there are benefits to having a number of providers which are tackling the issue in different ways. Cyber security is such a rapidly changing field that allowing a degree of independence will help providers to innovate and address specific threats in a way that would not be possible with heavy central oversight.
However, businesses need to be confident that they are going to get value for money from any training initiative, so there is still a need for the accreditation of training providers.
It is clear that vigilance and preparation need to be watchwords in modern business in order to mitigate against attacks. The balance between managing infrastructure risk and addressing the risk posed by people is hard to strike, but absolutely essential.
In all cyber security scenarios, people are the confounding variable. Understanding motivations, drives, and needs is as important as understanding the underlying technical aspects of security. Similarly, teaching people how to protect themselves effectively is critical in ensuring that these strategies are successful.