The vast majority of business executives surveyed during the Annual Global Information Security Survey believed their cyber security programs to be effective at securing the organization’s data. Unfortunately, the reality is slightly different. Firstly, there has been an increase in the number of both large and small organizations experiencing breaches, with nearly three-quarters of SMEs reporting a security breach; this is an increase on the 2014 and 2013 figures. Secondly, nearly all of UK businesses surveyed, regardless of size, expect that breaches will continue to increase in the next year. So we have some tension; a belief in being secure v. an expectation of being breached; interesting!
Those business leaders who believed their cyber security is effective at securing the organization’s data must understand that the individuals behind these breaches are smart and innovative; their ability to create digital chaos within your organization will only get better. The irony of this is that unlike their victims, they are collaborative, exchanging targets, stolen data, inside information and contacts, and malware. They also understand that security is not 100%, and take measures to ensure the resilience of their operations and business – for make no mistake, data breaches are not done for fun, they are undertaken to make money; they are a business.
Let’s have a look at another interesting observation. The majority of data breaches occur within a very short time scale, normally hours. However, the bulk of those data breaches are only identified after months have passed, with the remainder taking years to be discovered. IMHO, a very small minority are never discovered.
You have to accept that ‘nothing is ever produced 100 per cent secure’, and while the latest shiny widget might well be necessary for the organization’s digital security, it cannot ensure it; nothing can! Just accept it, and let’s move on.
And why can’t the latest shiny widget ensure your digital security? Well, partly it’s because of you; you are the weakest link, and partly because the role of an organization’s IT is changing. IT still touches every aspect of the business, and people still point the finger at IT whenever there is a data breach, but the traditional aspects of IT, be it PCs, servers, databases, etc., have shifted to BYOD, cloud storage, social media and office productivity software. All of these are now seen as essential elements in running a successful business: working on the move, connecting with your customers. And we haven’t even mentioned the dreaded Internet Of Things!
Recent studies show that IT-related spending within other areas of a business is increasing, with the marketing component of running a business taking the lead. In fact, a rather contentious argument would suggest that marketers are now in charge of cyber security! What – you cannot be serious? Maybe this scenario sounds familiar?
“Every day there’s some new source, social media platform, data feed, document format, or language to monitor. We are trying, but we are falling further and further behind. We need some way to keep up with all of these sources and threats”.
So can we accept that IT is no longer seen as the gatekeeper? And if we can, is it true that the cyber risk element within your business resides with you? To reinforce that statement, have a look at this unlocked laptop on a train from London – it’s not yours?
As we have seen, the traditional view of cyber security is now inadequate for today’s business environment. Quite simply, data breaches are inevitable; as noted by Adam Philpott, Director of Cybersecurity at Cisco no less – “nothing is ever produced 100 per cent secure!” – and this from a company that supposedly manufactures some of the best security products in the world.
You must accept that a data breach will inevitably occur, and the ability to quickly identify and respond to a data breach will be an essential element of your business’s survival.
“cyber security is dead!… long live cyber resilience!”
But what do we mean by cyber resilience? Some commenters have suggested cyber resilience is “about making you a less attractive target: making access to your systems difficult enough and unprofitable enough to steer attackers to lower-hanging fruit”. Personally, I can see no difference between that definition and cyber security. Remember what ‘resilience’ actually means: ‘the ability to recover quickly from a difficult condition.’ Other commenters have suggested that cyber resilience consists of cyber security and business resilience. While almost there, it is still missing a vital and important feature: incident response.
IMHO, cyber resilience is a broad church: it uses technology but, more importantly, people and processes to manage your cyber security. The aim is not only to protect the organization’s data, but also to recover quickly from a data breach, and it consists of two phases:
- the protect part; ensuring your cyber security is as effective as possible [obviously], but with the realization that data breaches are inevitable,
- the recovery part; ensuring you have a robust, independent incident response plan in place that focuses on the identification of the breach, the how, when, where and why [Observe and Orientate], from which the most appropriate response to that breach can be identified and implemented [Decide and Act].
In a series of blogs I have already outlined my view on how an organization can develop their incident response capability, and introduced the Observe, Orientate, Decide and Act loop; interested readers are directed to ‘security breaches are inevitable … the rise of the OODA!’, and ‘building an incident response capability: preparation’.
However, with regard to how an organization responds to a data breach, as mentioned above, it shouldn’t be a purely technical activity; there are other elements: people and processes. In particular, organizations have grasped social media as a way of communicating with their customers, and the appropriate communication of a data breach is essential. In a future blog with @AlanMcGeeSay, we will look at how marketers are now in charge of cyber security and their role in brand reputational management during an incident.