IT professionals know that cyber security threats become more plentiful and sophisticated every year, and there is no reason for that trend to change.
But there is no need to despair: with a calm head and proper use of the IT capabilities you already have, you can keep the risks to your organisation acceptably low and protect your most valuable information.
Even the most cautious analyst will admit that the threat is serious. The most powerful hacker groups can effectively hoover up information at will. One Far Eastern gang in 2012 compromised dozens of organisations at a time, including US newspapers, a Canadian law firm, an Indian tobacco conglomerate and the European Commission.
Recent developments include drive-by downloads, in which malware installs itself when the victim merely visits a compromised or malicious web page, and a rise in personalised attacks (spear phishing) that trick specific users into disclosing information. Moreover, the old problem of rogue insiders has not gone away, and may even worsen as austerity bites.
Even though technical defences are improving, as is public awareness, it seems clear the bad guys will always have the initiative.
Focus on what matters to you
The good news is that this gloomy picture, while accurate, can be misleading, because not every threat applies to every organisation. Attackers have many different aims, tools and levels of determination.
Foreign governments target particular business sectors (typically high-tech, defence and energy); business competitors seek intellectual property and strategic plans; activists want to disrupt an organisation or steal information for propaganda purposes. Criminals have various aims designed to make money.
But not all of these threats apply to you. Are you a lawnmower manufacturer? Then you needn’t fret about the mighty hacker battalions of a foreign state, though you should still expect opportunistic criminals, and bear in mind that you may be attacked as a route into a more interesting customer or supplier. By understanding the threats to your business specifically, you put the problem into perspective and make it manageable.
The starting point for any organisation is to understand what information it needs to protect. Too few businesses do this. That means working out what truly drives your particular business – and understanding that could mean looking beyond the balance sheet, as the raw figures may miss what is truly valuable to you.
A pharmaceutical company, for example, needs to protect the unpatented bright ideas of its scientists; a law firm needs to safeguard its clients’ information; most international companies need to protect their strategic expansion plans.
Having identified the corporate "crown jewels", see where they are held and who has access to them. This is tricky – because of the ease of sharing, copying and transmitting information electronically – but it is essential. If you do not know where your information is, you have, by definition, lost control over it. The cloud and the growing use of bring your own device (BYOD) add further complications in this respect.
All three aspects are vital: the identification of your "crown jewels", their location, and who has access to them. You need all of that information to protect them properly.
Sweat the small stuff
The best weapon in your armoury remains good information security hygiene. The National Audit Office (NAO) report estimated that this can prevent 80% of current attacks, and many IT experts put the figure even higher. There are some key elements to this:
- Patch, patch and patch again. The Computer Emergency Response Team (CERT) at Carnegie Mellon University estimates that prompt patching would stop 95% of all network intrusions. Not all browsers patch themselves, and browser plug-ins lag further behind: recent studies by Qualys and Duo Security report high levels of unpatched software in Android devices (50%), Java (40%), Adobe Reader (32%) and Apple QuickTime (25%).
- Manage your network boundary. Know which devices are connected, which ports are open without good reason, and where unauthorised USB drives could be used. Penetration testing can help find the gaps you have missed.
- Actively manage access and permission levels: give each person only the access their job needs, and review it when roles change. Manage passwords. GCHQ reported that the most common passwords in 2012 were "password", "123456" and "12345678". System-generated passwords remove the weak-choice problem, but only if staff have a password manager to keep them in; otherwise they end up on sticky notes. Two-factor authentication reduces how much rests on the password at all.
- Consider whitelisting or blacklisting external traffic, by address, domain or application. How useful this is will vary from organisation to organisation.
- Monitor network activity proactively, against a baseline of what is normal for you. Is anyone accessing areas they should not? Are large amounts of data being sent out for no clear reason? Have access permissions changed?
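As an added illustration of the monitoring point (this is example code, not the author's or PA Consulting's), the script below answers the three questions above over a constructed file-server log. The log columns, the allow-lists for the restricted areas, and the egress threshold are assumptions made for the example; a real deployment would read the organisation's own file-server, proxy and directory logs and baseline each host against its own history rather than against its neighbours.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample log (not from any real product): one event per line.
# The column layout is an assumption for this example.
SAMPLE_LOG = """\
ts,user,host,resource,action,bytes_out
2013-03-01T09:00:00,alice,ws-01,/share/finance,read,1200
2013-03-01T09:05:00,bob,ws-02,/share/sales,read,800
2013-03-01T09:07:00,carol,ws-03,/share/hr,read,900
2013-03-01T09:10:00,bob,ws-02,/share/finance,read,1500
2013-03-01T09:15:00,alice,ws-01,/share/finance,read,1100
2013-03-01T09:20:00,dave,ws-04,/share/rnd,read,1000
2013-03-01T09:25:00,dave,ws-04,ext:203.0.113.9,upload,52000000
2013-03-01T09:30:00,admin,srv-01,/share/rnd,grant,0
2013-03-01T09:35:00,carol,ws-03,/share/hr,read,950
"""

# Assumed access policy for the "crown jewels": who may touch each restricted area.
RESTRICTED = {
    "/share/finance": {"alice"},
    "/share/hr": {"carol"},
    "/share/rnd": {"dave"},
}
ACCESS_ACTIONS = {"read", "write", "upload"}
PERMISSION_ACTIONS = {"grant", "revoke"}


def parse_log(text):
    """Parse the CSV log into a list of dicts, with bytes_out as an int."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["bytes_out"] = int(e["bytes_out"])
    return events


def unauthorised_access(events):
    """Is anyone accessing areas they should not? Flags an access to a
    restricted area by a user who is not on that area's allow-list."""
    findings = []
    for e in events:
        allowed = RESTRICTED.get(e["resource"])
        if allowed is None or e["action"] not in ACCESS_ACTIONS:
            continue  # unrestricted area, or not an access event
        if e["user"] not in allowed:
            findings.append({"check": "unauthorised_access", "ts": e["ts"],
                             "user": e["user"], "host": e["host"],
                             "resource": e["resource"]})
    return findings


def excessive_egress(events, factor=10, floor=1_000_000):
    """Are large amounts of data being sent out for no clear reason? Sums
    bytes per host and flags any host sending more than `factor` times the
    median host, subject to a floor so a quiet network does not flag every
    small upload. An empty log produces no findings rather than an error."""
    per_host = defaultdict(int)
    for e in events:
        per_host[e["host"]] += e["bytes_out"]
    if not per_host:
        return []
    threshold = max(factor * statistics.median(per_host.values()), floor)
    return [{"check": "excessive_egress", "host": h, "bytes_out": b,
             "threshold": threshold}
            for h, b in sorted(per_host.items()) if b > threshold]


def permission_changes(events):
    """Have access permissions changed? Every grant or revoke is worth a look."""
    return [{"check": "permission_change", "ts": e["ts"], "user": e["user"],
             "resource": e["resource"], "action": e["action"]}
            for e in events if e["action"] in PERMISSION_ACTIONS]


def run_checks(text):
    """Run all three checks over a log and return the combined findings."""
    events = parse_log(text)
    return (unauthorised_access(events) + excessive_egress(events)
            + permission_changes(events))


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports bob reading the finance share he is not entitled to, workstation ws-04 sending roughly 52 MB to an external address while every other host sends a few kilobytes, and the admin's grant on the R&D share. The point is not the thresholds, which you would tune, but that all three questions can be answered mechanically from logs you almost certainly already collect.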
Cyber security is about humans, not just IT
Computers do not make mistakes by themselves: almost every breach starts with a human choice, whether a clicked link, a reused password or a misconfigured system, so employees remain your biggest potential vulnerability. But they are also your strongest defence, if briefed properly.
The key is to have sensible policies and procedures, so that staff do not need to find workarounds; to design out as many potential problems as you can; and to train people about the few remaining vulnerabilities, so that they avoid falling into the traps. They should be receptive to good briefing, as it helps them protect their own personal information, as well as the organisation’s.
Good cyber security requires sound management as much as rules and software solutions. It also requires genuine and active support from the top of the organisation, because it is a critical business issue and not just "an IT thing".
To stay secure an organisation needs a joined-up approach between IT, personnel, legal, operations and many other disciplines. The UK government has published some free guidance for businesses on how to achieve this. This is part of a programme called HoMER (Holistic Management of Employee Risk).
These measures may sound like common sense, but it is astonishing how many organisations ignore them. If you understand the threat facing your organisation, you can mobilise your IT systems and colleagues to build a powerful shield, which will defeat all but the most expert and determined adversary.
Mark Stollery is a cyber security expert at PA Consulting Group
This was first published in March 2013