As a management executive you may not feel deeply interested in data security, especially if you aren’t ‘techie’ in any way. However, we can still be, and indeed have to be, part of preventing data loss. To do this we must encourage a culture of cyber security and understand what we can do to assist our security specialists.
It is Not Just for the IT Department
We hear about new data breaches almost daily in the news. Crisis communications are issued and usually the breach is remedied.
The gate has been shut, but the horse has already bolted. All the while we count our lucky stars it wasn’t our department or company this time…
The Cost of a Data Breach to Reputation is Huge and Costs to Remedy are Significant
We all remember Yahoo’s breaches coming to light in 2016 and 2017. They knocked $350 million off the price Verizon paid for Yahoo’s digital properties, which had originally been agreed at around $4.8 billion, and what remained of the company even resorted to changing its name to Altaba Inc. Cyber security matters to non-technical executives, and it can be interesting too.
There are numerous other well known cases. In the UK, TalkTalk’s 2015 breach exposed around 150,000 customer records; it is reported to have cost the company £60 million and lost it 95,000 customers, with a £15 million trading impact. The company is now in the process of being sold to new owners. The reputational damage to the Chief Executive at the time of the attack was immense, and she subsequently stepped down. The importance of cyber security has been proven time and again, with example after example…
As a recent case in point, a Premier League football club analysed its estate and found that of the 1,400 applications in use, only 250 were officially sanctioned. So over 1,000 of them were outside secure control. These sit within the 24,000+ applications available in the marketplace. The club’s management was mortified by these results, especially given how few employees were using the network and how some of their data was being stored insecurely in these rogue applications.
Preventing Disaster is the Responsibility of the Entire Organisation
The whole management team needs a top-level view of cyber security risks, so that it can encourage a culture of data security, raising awareness throughout the business and adherence to the correct operating protocols.
Everyone needs to understand more about cyber risk in order to effectively assist those who are operationally responsible for implementing the appropriate security controls. A culture of defence needs to pervade every organisation at every level.
It is worth reflecting that in every case of cyber breach and data loss, the buck stops with the board, and most obviously with the Chief Executive.
Establishing Strong Working Relationships with your Head of Security
To minimise the risk of cyber breach, executives need to establish a solid working relationship with the Head of Information Security or other data-responsible leaders within the business. It’s also possible that your business uses an external security consultancy firm for this function.
What and Where is the Data and Who Should have Access to It?
Many organisations have no idea who is doing what with their data. What permissions staff are granted over that data, and how sensitive use of company data is controlled, is a major policy matter.
Cloud Applications can Cause Major Risks
When you are, in effect, renting a service and using someone else’s application, you must know where your data is stored and how it is processed or transferred. As a simple example: is it encrypted where it is stored, and is it encrypted while it is being transferred?
Machine Learning and Artificial Intelligence (AI)
Machine learning can now recognise abnormal behaviours and activities, compare them against what is normal for that user or device, drill into the details of the behaviour and learn what is going on.
Such systems can give us early warning that we are losing control of our data, so automated analysis is a feasible element of your overall security infrastructure.
Like any new process within IT, the first few months of setting up the learning, mining and mapping of data involve a lot of sweat and toil: the tooling needs a baseline of normal activity before its alerts mean anything, and the early alerts need tuning to cut down false alarms. It is well worthwhile though!
There is No Silver Bullet with Data Security
There is no silver bullet to solve the problem of personal data, though one useful technique is “pseudonymisation”. This is a data management and de-identification procedure in which the personally identifiable fields within a data record are replaced by one or more artificial identifiers, or pseudonyms, with the mapping back to real identities held separately. A stolen copy of the pseudonymised data is then far less useful to an attacker, which mitigates much of the risk of a breach. Two caveats a practitioner would add: the key or lookup table that reverses the pseudonyms must be stored apart from the data and under stricter access control than the data itself, and pseudonymised data still counts as personal data under the GDPR, because the organisation can re-identify it.
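The following is an added example, not code from the original post, showing pseudonymisation as described above. It uses a keyed HMAC rather than a plain hash, so that someone holding only the pseudonymised records cannot guess their way back from the small space of real email addresses or postcodes, and it keeps the re-identification table separate from the data. The customer records, field names and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people). Only "balance" is not PII.
RECORDS = [
    {"customer_id": "C1001", "email": "alice@example.com", "postcode": "SW1A 1AA", "balance": 120.50},
    {"customer_id": "C1002", "email": "bob@example.com",   "postcode": "EH1 1YZ",  "balance": 75.00},
    {"customer_id": "C1001", "email": "alice@example.com", "postcode": "SW1A 1AA", "balance": 130.25},
]

# Assumed: these are the fields the organisation has classified as identifying.
PII_FIELDS = ("customer_id", "email", "postcode")


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed pseudonym for one field value.

    HMAC-SHA256 under a secret key: the same input always maps to the same
    token (so records for one customer still join up), but without the key
    the token cannot be brute-forced back to the real value. The field name
    is mixed in so the same string in two columns gives two different tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, lookup_table).

    The lookup table is the only route back to identities. It belongs in a
    separate store with tighter access control than the data it protects.
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        new = dict(rec)
        for field in PII_FIELDS:
            token = pseudonym(rec[field], key, field)
            new[field] = token
            lookup[(field, token)] = rec[field]
        pseudonymised.append(new)
    return pseudonymised, lookup


def reidentify(record, lookup):
    """Reverse the pseudonyms using the separately held lookup table."""
    original = dict(record)
    for field in PII_FIELDS:
        original[field] = lookup[(field, record[field])]
    return original


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # the secret that stays out of the dataset
    pseudo, table = pseudonymise(RECORDS, key)
    for row in pseudo:
        print(row)                          # no emails or postcodes visible
    print(reidentify(pseudo[0], table))     # round-trips only with the table
```

Note that the analytics team can still work with the pseudonymised rows (sums per customer, repeat customers and so on) because identical values map to identical tokens; only the team holding the lookup table can say who the customer is.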
Good security tooling needs to understand behaviours and anomalies across the whole environment, so that it can detect problems on the network. The importance of cyber security is paramount, especially in these days of working from home.
No single technology covers every platform, so we need to minimise this risk by piecing together the software that monitors our users effectively. We may also need to check that applications we used in the past, and their associated data files, are in a safe state even though they are no longer in use.
Hire a Breach Hunter or Friendly Hacker
Most heads of security already have a stack of outstanding work, including a pile of bring-your-own-device (BYOD) issues, before they can think of spending time on breach hunting themselves. So hiring a trusted “white hat” hacker from time to time is a good idea, and using a third-party specialist also sidesteps any internal sensitivities.
This presumes, of course, that the board can allocate resources to patch the holes that are found. Finding weaknesses and doing nothing about them through lack of resource is in itself a damaging position to be in: once the report exists, you knew. Sometimes these reports give security professionals a real headache, because there are so many findings that they cannot all be handled at once; they need to be prioritised by severity and by how exposed the affected systems are.
Detecting Behaviours and Compromised Devices is Key
These dangerous abnormal behaviours and activities are often created by compromised devices, or by applications that have been accessed or downloaded without the appropriate security controls.
With over 24,000 web apps in existence, any of them can introduce a weakness. When your company’s data is shared with unknown applications and cloud accounts, unsecured and often invisible gateways into your infrastructure are unwittingly created.
Only Authorised Devices Should be Used in Corporations
“Bring Your Own Device” (BYOD) has caused a great deal of data insecurity over recent years. There are usually at least one or two of these devices, probably not security patched and not running the corporate software, yet almost always with access to sensitive data. A personal MacBook Pro in the chairman’s office is a good example. It probably has personal application software, no true corporate security software, and it is probably not patched to the corporate level. Then it connects to the company network and data and becomes a wide-open door for a security breach!
Protocols are Ignored in Many Cases Despite the Importance of Cyber Security!
People must not share accounts, must log out of devices when not using them, must not use privileged (administrator) accounts for everyday work, and accounts must be closed when people leave employment. Frequently, devices are unknown to the security team, and applications we have never heard of litter the landscape, as mentioned earlier.
As you are probably aware, or have gathered from reading this blog so far, data security is a minefield, and to discuss the topic meaningfully in the boardroom it is necessary to have a clear understanding of the basics at the very least. Understanding that seemingly small and often unrecognised events can lead to massive corporate risk must become an ever-present thought process.
Internet of Things (IoT) is Another Huge Security Risk
The Internet of Things (IoT: any internet-connected sensor or triggering device) is another good example of something that has often been added to new business processes without adequate security controls. So we need to reverse engineer the processes that criminals would use to disrupt our lives, and then we can begin to lock down our devices: smart control devices, security cameras, vehicles and other IoT devices that, if badly controlled, are real threats to our business lives. The right approach is to spend time and money designing security into these processes, or tightly integrating it after the event.
Embrace a “Security First” Approach to Innovative Technologies
This step in the technology innovation process is vital. If security staff are not asked for advice and participation in projects from day one, it is costly and far more demanding for them to secure new innovations after they have been built. If they ARE involved, the overall process is much smoother with a much better chance of succeeding. A “security-first” mindset usually pays dividends in the longer term.
Measuring the Costs to Business of a Breach is Very Difficult
The costs of a cyber breach are complex and far reaching. Re-issuing credit cards is just one example; add fines, loss of brand value, loss of existing customers and loss of potential new customers, and the total is serious. If the worst happens, the effects do not go away overnight. This is why prevention is so important and why investing in an overall cyber security process is crucial.
To Minimise Cyber Breach Risk – Visibility and Measurement are Key
Visibility and measurement of the environment we are protecting are crucial. If we do not have 100% visibility of the data, devices and people, then we need to quantify the gap: is there, for example, 10% unknown risk that we currently have no control over? Measuring how big this “unknown” is helps us put together a viable plan for discovering, mitigating and resolving these unknown threats.
Once we work out how many of these risks are, or can be, protected to the standard we need, we have an accurate picture of what work remains to secure the network and the data.
Finding the Rogue Devices and Applications
Initially we need to find out what the rogue devices and applications are and where they are. It is common for these unknown threats (even physical machines) to be hidden by a DevOps engineer under a desk. If we don’t know what and where they are, then we cannot protect them, or protect against them.
All application traffic should pass out through the corporate firewall, which gives the technology the ability to analyse what is going out. Traffic from home workers and from one cloud service to another never touches that firewall, so the same details need to be collected by an endpoint agent or a cloud access gateway, otherwise the picture has a hole in it exactly where the rogue applications live. Once collected, this traffic can be examined in detail and a plan worked out to lock it down.
Monitoring the firewall logs and analysing how many apps are in use, and who is using them, is a good place to start. With that information you know what you are dealing with and whether the traffic is encrypted or not. Bear in mind that for an encrypted session the firewall normally sees the destination, the port and the volume, not the content, so knowing that data went to a sanctioned service over an encrypted channel is not the same as knowing which data went.
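The following is an added example, not code from the original post, covering both the firewall-log inventory just described and the behavioural early warning discussed in the machine learning section above. It parses a handful of constructed outbound-traffic log lines (a generic key=value layout, not any vendor’s real format), builds an inventory of destination applications with the hosts that use them, marks those not on an assumed sanctioned list and those using cleartext ports, and then flags any host whose outbound volume on the latest day is several times its own median on previous days. The allowlist, the port list and the threshold factor are assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed outbound-connection log: day, source host, destination app, port, bytes sent.
FIREWALL_LOG = """\
2024-03-04T09:12:01 src=10.0.1.15 dst=crm.example.com dport=443 out=52000
2024-03-04T09:40:13 src=10.0.1.15 dst=files.example.com dport=443 out=31000
2024-03-04T10:02:44 src=10.0.1.22 dst=crm.example.com dport=443 out=48000
2024-03-04T11:15:09 src=10.0.1.22 dst=notes.unknown-saas.io dport=443 out=120000
2024-03-05T08:55:30 src=10.0.1.15 dst=crm.example.com dport=443 out=61000
2024-03-05T09:20:17 src=10.0.1.22 dst=crm.example.com dport=443 out=45000
2024-03-05T12:33:02 src=10.0.1.22 dst=notes.unknown-saas.io dport=443 out=98000
2024-03-06T09:01:55 src=10.0.1.15 dst=crm.example.com dport=443 out=55000
2024-03-06T09:10:40 src=10.0.1.22 dst=crm.example.com dport=443 out=50000
2024-03-06T23:41:12 src=10.0.1.22 dst=ftp.old-vendor.net dport=21 out=9800000
"""

SANCTIONED_APPS = {"crm.example.com", "files.example.com"}  # assumed allowlist
CLEARTEXT_PORTS = {21, 23, 80}                                # assumed: no transport encryption

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) out=(?P<out>\d+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"day": m["ts"][:10], "src": m["src"], "dst": m["dst"],
                       "dport": int(m["dport"]), "out": int(m["out"])})
    return events


def app_inventory(events, sanctioned):
    """Which destinations are in use, by whom, and are they sanctioned / encrypted?"""
    inventory = {}
    for e in events:
        entry = inventory.setdefault(e["dst"], {
            "hosts": set(), "bytes": 0,
            "sanctioned": e["dst"] in sanctioned, "cleartext": False})
        entry["hosts"].add(e["src"])
        entry["bytes"] += e["out"]
        if e["dport"] in CLEARTEXT_PORTS:
            entry["cleartext"] = True      # data left the building unencrypted
    return inventory


def egress_anomalies(events, factor=3.0):
    """Flag hosts whose latest-day outbound volume is > factor x their own earlier median.

    Per-host baselines matter: a file server sending 10 MB a day is normal,
    a desktop doing it for the first time at 23:41 is not.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        daily[e["src"]][e["day"]] += e["out"]
    flagged = {}
    for src, by_day in daily.items():
        days = sorted(by_day)
        if len(days) < 3:
            continue                        # need at least two baseline days
        baseline = [by_day[d] for d in days[:-1]]
        last = by_day[days[-1]]
        median = statistics.median(baseline)
        if median > 0 and last > factor * median:
            flagged[src] = {"day": days[-1], "last_day_bytes": last,
                            "baseline_median": median, "ratio": round(last / median, 1)}
    return flagged


if __name__ == "__main__":
    events = parse_log(FIREWALL_LOG)
    for dst, info in sorted(app_inventory(events, SANCTIONED_APPS).items()):
        tag = "OK " if info["sanctioned"] else "UNSANCTIONED"
        print(f"{tag:12} {dst:24} hosts={len(info['hosts'])} bytes={info['bytes']}"
              f"{'  CLEARTEXT' if info['cleartext'] else ''}")
    for src, a in egress_anomalies(events).items():
        print(f"ANOMALY {src}: {a['last_day_bytes']} bytes on {a['day']}, {a['ratio']}x usual")
```

On the sample data the inventory lists two unsanctioned destinations, one of them reached over cleartext FTP, and the volume check singles out the host that pushed nearly 10 MB out late at night when its normal day is a few hundred kilobytes. The cleartext check is only a port heuristic; a real deployment would use the protocol the firewall identified, and the threshold would be tuned per environment to keep false alarms down.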
No matter what role you fulfil within the business, you can either assist with cyber security or hinder it. Taking the time to understand a little more will benefit your department, and the entire business you work in.
Careers can be enhanced or dramatically and negatively affected by this key business risk-management matter.
If you are interested in attending a cyber breach workshop, perhaps one tailored to your department and job role, then please message me for information on the regular workshops we run with one of our security experts, Phil Cracknell.
“Phil Cracknell is regarded as one of Europe’s leading information security experts. He has held several CISO roles spanning five different industry sectors.
With over 28 years’ experience gained in a variety of high-profile technology and security management roles, he offers a unique insight into the world of information security, cyber-threats and risk management. He is a regular speaker at UK, Middle Eastern and European conferences.
As national publicity on the subject of ‘Wireless security’ peaked in 2002, Mr. Cracknell became something of a cyber-security celebrity with appearances on Sky TV, BBC News and in the national and industry press.”
(Source: The Daily Telegraph)
We are also working with BRIM (Business Resilience International Management), assisting in their work with the Cyber Resilience Centres (CRCs) that operate in partnership with UK police forces.
Originally this blog was posted on my LinkedIn https://www.linkedin.com/pulse/importance-cyber-security-non-technical-executives-schooler/?published=t