The global WannaCry ransomware attack has highlighted that cyber attacks are not the responsibility of the chief information security officer (Ciso) but of the organisation and its leaders, who must actively gauge their IT dependence and invest in the risk treatment options that best match their business.
Stakeholders must now weigh the short-term effect on profits or margins of paying for risk treatment and resilience, which are vital investments in the overall longevity and health of the organisation.
There is a misguided view that information risk is a technology problem to be managed by the information security and IT functions.
There are many extremely talented people and professionals working on the front lines of cyber and information security who consistently give of their best, not only day-to-day, but also in times of crisis. Their efforts should be applauded and recognised.
The challenge of securing organisations and societies goes beyond the resources of these professionals, their governments and the small pockets of deeply technical experts that analyse the threats. Everyone must respond to this growing threat.
The indiscriminate nature of the WannaCry attack demonstrates that every individual can be a target whatever their sector or organisation. Well-publicised breaches of shopping, email and other providers have given criminals easy access to current email addresses, often the gateway for attacks, including WannaCry.
Further, the sheer number and variety of systems used in any industry means that an attack will always be likely to succeed at some level. The presence of unsupported applications, operating systems and other software – often required for valid operational reasons – only raises the probability of success for an attacker.
Security education essential to business
Business leaders and boards, who currently struggle to assess and manage information security and cyber risk, must recognise that their organisations need to be more resilient. This means investing in both stopping attacks and the necessary redundancy to keep going.
All businesses, their customers and their employees rely on the information, systems and software that underpin the products, services and processes now driving our economy.
Information risk must be recognised as anything that contributes to undermining, interrupting or stopping operations.
In the current landscape, business must anticipate interruption from cyber attack and develop the ability to keep the lights on, customers served and essential activities going in the event of an incident, whether caused by malicious intent, accidental activity or force of nature.
Five areas to develop security
It is not enough to defend against attack – businesses must take a proactive approach to cyber security. This means it is necessary for cyber risks to be better understood and managed.
The following five areas of development can be pursued to begin the process:
- Work with information security professionals to look at information risk in the context of the business and the wider implications for customer service, public relations (PR) and reputation – and not just as a technical issue.
- Communicate the identified information risks from a business perspective – not necessarily financial – that expresses clearly the harm to a business should a malicious or accidental incident occur. The risk treatments that can be put in place given the resources, and the residual risk to the business, should be clearly stated and updated as the business changes.
- Establish a dialogue, grounded in the terminology of risk, between business leaders, IT and information security. Business leaders should regularly and actively challenge IT and information security leaders on information risk and its business impacts – and not just accept that technology can solve the problem. This is a two-way street: as much as information security leaders can push this dialogue, business leaders must give the time to listen, comprehend and discuss these risks.
- Deepen business leaders’ understanding of risk – and information risk – as they relate to how technology is changing the way that the business operates, the business’s dependency on that technology and where these changes are leaving the business vulnerable. This is a governance responsibility to be aware of and managed, as is the case with all risk.
- Include cyber and information security in the design and development processes in your organisation. Security requirements should be a consideration from idea through to design, development, engineering, testing and production of any product or service built, produced or bought by the business. Designing, or specifying, security into products and services is cheaper than adding it on later, and it also addresses the proliferation of new vulnerabilities that arrives with the current pace of technical innovation.