All companies and organizations are subject to cyber threats. How can the vulnerabilities, probabilities and impacts be reduced to an acceptable level?
Information Security incidents may take companies completely out of business. But with the right leadership, guidance, tools and employee involvement you can secure your information systems and your data.
Why “Information Security” instead of “Cybersecurity”?
Not to get hung up on semantics, but Cybersecurity commonly covers security related to digital technology connected to the internet. Information Security additionally covers non-digitized information assets – which are equally important for the overall security of an organization. For this reason, we will mostly refer to Information Security, as it has the wider scope.
But it will never happen to us!
Most organizations are expected to experience some type of data breach at some point, and it is estimated that 40% of breaches are never discovered. 71% of customers say they would cease their business relationship in case of a data breach, and 60% of SMEs go out of business after 6 months – 90% after 2 years – following a serious data breach. Hence, not securing your information systems and data may have fatal consequences for your organization or company.
The cost of a data breach may be considerable: recovery of IT systems, legal penalties, civil lawsuits, lost reputation, and customer confidence – on average $3.62 million. However, the lost trust from customers, partners and own employees is an intangible which is often the most devastating.
With 350,000 – and increasing – new threats being launched by cyber-criminals every day, this is a serious and real threat to anyone connected to the internet. Due to this high number of continuous new threats, conventional countermeasures will at any point in time only protect against 65-70% of cyber threats, because they need to learn the pattern and “signature” of a new threat before they can establish effective protection against it. Some are enhancing their detection algorithms with AI tools, but are still failing to recognize new threats, as cyber-criminals also use disruptive technology to launch ever more complex attacks.
So, what are we really talking about?
All information systems have one or more vulnerabilities: some minor – some more profound. Even with the very best information security designs and measures, there will always be some way to breach systems, due to the sheer fact that technology has to have a minimum level of user-friendliness and that systems are exposed to the internet with its numerous malicious actors. If information systems were made absolutely secure (not really feasible), most of us would simply not use them due to the significant inconvenience and time waste. And even with the best security measures in place, there is always the possibility of users being tricked into downloading malicious content (malware) or of disgruntled employees deliberately placing malware on internal systems. As a matter of fact, 91% of all sophisticated cyber-attacks start with a “phishing” email or some other attempt at social engineering. And if that were not enough – keeping all systems, platforms, operating systems, applications, databases and software up to date and protected is often a considerable challenge.
From an organizational point of view, the work force should have access to what they need in terms of time, processes, technology and information to obtain the highest level of productivity possible. Information Security is often seen as an obstacle to achieving this, while common sense and security knowledge demand that a balance is found between these two aspects.
The “right” level of security depends on the risk appetite of each organization. Some are willing to accept a higher level of threats in return for potentially higher future rewards – for example, using a wider variety of software, including freeware, with few restrictions in order to “get the job done”. This is of course fine if the organization – and not least its senior management – is fully aware of the probability and impact of existing threats, accepts these, and is aware of its associated accountability. The problem is that such awareness is not common, and that quality risk information is rarely provided to board members and executives so that they can make informed decisions.
If one observes the common security measures in many organizations, one will quickly realize that they attempt to protect all information systems and all data, which spreads their resources thin and is rarely an effective strategy. One of the immediate measures commonly following an information security assessment is to identify and categorize the various systems and data, determine their criticality and confidentiality, and prioritize security measures accordingly.
Organizations often aim at introducing rigid and big frameworks for Information Security, which are complex, costly, time-consuming, and with few or no “quick wins” in sight. They additionally require considerable resources to operate and maintain. Especially for SMEs this is not a viable strategy, and more pragmatic and tailored solutions must be found.
With the recent increase in remote work and telecommuting employees, the overall cyber threat to organizations has increased. Remote workers do not have the same perimeter security as they do in the office. Furthermore, they may be working on personal computers and other devices without the organization's standard security measures installed.
In summary – there are many threats, all systems have vulnerabilities and the chance of being breached is considerable. The good news is that remedies exist, and that relatively simple countermeasures may go a long way in preventing many of the most common breaches.
Who owns Information Security?
Ensuring the safety and security of the assets – including information assets – of an organization is an Enterprise Governance domain. That is, the accountability – legally and administratively – sits with the highest level of authority in the organization. For a company that is typically the board members and/or the executives. For other organizations it may vary, but at least a strategic governing body will have the ultimate authority to accept, defer, avoid or mitigate Information Security risk. And they will be requested to respond to legal proceedings in case of data breaches and/or non-compliance with relevant laws and regulations. Various experts are involved in providing the governing body with facts and figures to ensure accurate decisions are made related to such risk. These could be the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), an Information Security steering committee, Legal, technical advisors, external consultants, and so on. Responsibilities and daily duties will obviously be delegated to parts of the organization, but the mentioned accountability cannot be delegated. This is an equally important aspect to keep in mind when external expertise is hired to strengthen this domain internally, and/or when security services are outsourced. In addition to the legal accountability: everyone in an organization has their part of the responsibility to safeguard information systems and data.
What can be done?
Unfortunately, there is no wide-ranging “quick fix”, even though some measures can be implemented swiftly. An effective defense against cyber threats is multi-layered, also known as Defense in Depth (DiD). The main principle behind DiD is that if one layer is penetrated by malware, the next layer presents a further, harder barrier before internal systems can be reached. One main pitfall for many organizations is the heavy focus on one or a few vulnerabilities, threats, and countermeasures. Furthermore, with the heavy focus on threat detection and prevention, many organizations possess insufficient capabilities and capacity to respond to actual information security incidents.
The reality is that organizations must approach information security with a holistic view, looking at all aspects of the domain. This requires strategic and high-level insight, tactical and operational knowledge, and technically sound expertise. These insights form the basis for a risk assessment which informs decision-makers about the various vulnerabilities, threats, probabilities and potential impacts. Such a quality assessment will ensure that priorities for security measures are set according to strategic business needs, goals and objectives.
There is always the strategic path, and there are always certain quick wins within reach. The former relates to information security policies, strategy and programming. The latter is about finding and implementing quick wins to gain momentum, demonstrate business value and gather support for the strategic part. In turn, quick wins tend to deliver limited and unsustainable value without the backing of a sound strategy. All along, Information Security professionals at all levels must be agile and pragmatic, providing advice and identifying solutions which are tailored to the context and the environment.
Quick wins could include implementing strong passwords, professionalizing and outsourcing perimeter security, conducting awareness training, establishing a governing body, and performing a high-level assessment – including a legal compliance review and a quick asset review. Furthermore, one should always take the opportunity to swiftly rectify obvious and high-risk vulnerabilities – both administrative and technical ones.
In the longer term – and aligned with the policies, strategy and programme – a dedicated strategic function covering Information Security organization-wide ought to be established. If already in place in a technical department, such a function (e.g. the CISO) should be relocated as an independent and strategic position reporting directly to the highest authority in the organization. Alternatively, an interim or part-time position may be considered for SMEs.
What about technical countermeasures?
Absolutely – and obviously a crucial part of the DiD concept. However, investments in technology to safeguard information systems and data are less likely to deliver value and effectiveness unless security becomes embedded in the organizational culture. And culture is heavily influenced by the behavior and actions of the strategic level. In other words, effective Information Security requires good governance!