There is a dawning suspicion among both the private sector and the public that even with the most advanced encryption the internet will never be sufficiently secure for the most sensitive data. The debacle over the San Bernardino shooter’s iPhone has shaken many I have spoken to who thought that technology could make them safe. Leaving aside the legal and ethical considerations (which the legal systems of the world will have to sort out by test cases in coming years) the question comes down to this: will there ever be a technology that cannot be unravelled by an intruder if the incentive is there? At present the answer seems to be: “No”.
Does this mean that sensitive data will have to be transmitted in other ways? Are we going to see the re-emergence of bank messengers and military despatch riders? Should we be buying shares in paper mills? Where does that leave the UK government’s “Digital by Default”? We have a client who reverted to paper-based operation until he could design and install a closed dedicated messaging system. Will this be the way forward? As banking becomes increasingly a digital business this might be the only way to reassure customers that their details, and their money, are being protected.
It is not too far-fetched to imagine a secure intranet being set up and managed, possibly by the Cyber-Innovation Centre at GCHQ, to allow UK businesses, banks and government to trade with each other in a closed environment outside the internet. However, where does that leave the man-on-the-street? There is an individual judgement to be made here: am I prepared to accept the level of risk involved for the convenience of transacting on-line? Having adequate insurance against losses moves the balance of the argument toward “yes”. We have to get used to the idea that there are no guarantees.
Since I began working on eBusiness in 1995 organisations have generally considered Cyber-security to be an ICT issue – “our IT department does all that” – and it is only within the past five years that it has begun to be recognised as a matter of corporate governance and the responsibility of everyone in the organisation from the C-suite down. Directors and senior managers take the lead, embedding best practice in the corporate standards and strategies and cascading those down to every employee. Cyber-security is now as important at the monthly sales figures for most businesses, even if many do not realise it. Showing customers that the business or other organisation is taking every reasonable measure to minimise the risk to them will help build confidence in the organisation and encourage customers to transact on-line.
I will close with an anecdote: a major City business carried out a redundancy exercise during the recession, eliminating a complete layer of management. One manager in the IT department was allowed to work his notice (generally considered to be a bad idea!) and one evening visited the eighth floor to check an equipment closet. As he passed the CEO’s office he noticed that the CEO‘s password was stuck to the screen on a sticky-note (incidentally the staff handbook listed this as a disciplinary offence). He sat down, logged on and emailed redundancy notices to the entire board, logged off and went home. The point of this story is that even if there were such a thing as wholly secure technology that fallible component called a human being will find ways to compromise it and that is why Cyber-security must be top-down and all-pervading.
TEST YOUR DISASTER PLAN
A couple of years ago a major business operating in the Midlands (no names!) engaged me to audit their disaster recovery plans and to run a live exercise to test their resilience. Their plan was professional and comprehensive. Not surprisingly because they had a first class systems team working on it. Their ICT department and datacentre were housed in their headquarters building and they backed up their data to a warm backup site. They even tested the time it took for the backup site to get online. Real textbook stuff. With one weak point.
The headquarters building was under the flight path of an international airport so the exercise involved an airliner crashing, on and obliterating, the headquarters building. How quickly could their operations get back on line?
On the morning of the test the dialogue with the IT manager (let’s call him “Gerry”) went like this:
ME: “at 0849 this morning an Airbus 320 impacted with this building completely destroying it and killing or incapacitating everyone inside. What is the next step?”
GERRY: “I phone the backup centre and authorise them to activate the suite”
ME: “and how are you going to do that?”
GERRY: “by phone. I will use my mobile. I have them on speed dial”
ME: “what time did you get to the office today?”
ME: “So what does that make you?”
GERRY: “Oh … dead!”
Only one error but it kippered the entire plan and it was discovered because they were thorough and professional and ran an exercise. Most organisations never test their plan …
I was working in software development in the days when we still thought that Windows 2.01 was a big step forward. In those days developers spoke slightingly about “scope creep”, requirements changing and growing after they had been signed off. The favourite response to this was to “freeze the specification” i.e. no changes at all, “what you signed for is what we will deliver”. Given that there were likely to be changes in management, market forces, legislation, standards, technology, business direction and objectives for the system during the time it took to develop it this was an excellent way to ensure that the users did not get what they needed from the system.
Thank whichever god looks after hapless developers for coming up with Agile. I was working with agile (small “a”) back in 2000 in a project-based organization (construction company). Construction projects are intrinsically “waterfall” (you cannot iterate the requirements for an office block or shopping mall once you have started building it); however, most projects had an IT element and we also worked on the company’s own systems (including contractor management and on-line drawing sharing) so there we were able to work with the users and other stakeholders using what today we call “user stories” (“storyboards” back then). Implementing DSDM helped a lot and even though public sector and PFI projects had to be delivered using PRINCE2 we were able to blend PRINCE2:DSDM in a mix that satisfied the DfT, MoD, NHS and NAO.
In spite of some prominent hold-outs Agile is much easier to implement today, particularly under the Government Digital Agenda. What is less encouraging is the number of organisations that think that they are “agile”:
ME: “In what way are you ‘agile’”?
THEM: “We use SCRUM for software development”
ME: “How about agile succession planning”?
THEM: “Erm …”
I think it will be a few years yet before we have universal understanding (and acceptance) of the Agile Organisation but it is going in the right direction.
With the threat of a successful cyber-attack is becoming ever more likely (firewalls bounce back thousands of attempts a day, even for a small company) cyber insurance may become a basic cost of doing business. Awareness is growing because some well-known companies have admitted that they have been attacked, although the great majority of victims do not report an attack because they want to avoid reputational damage and do not want to encourage further attacks. Even so only 20% are protected by cyber-insurance. This is going to change with industry pundits predicting that it will become a ‘must have’ for businesses.
Insurance is not a defence against cyber-attacks and there is a danger that it may encourage complacency; however, IT service companies and cloud providers are tipped to start providing cyber-insurance as a standard part of their offering. Even so reputational damage is a hard thing to quantify yet might have a far greater impact on an organization than any monetary loss. As it cannot be quantified it may not be covered in a policy.
A UK government survey in 2015 reported that attackers had breached 90% of large corporations and 74% of SMEs at an estimated cost of £1.5m-£3m for the larger targets and £75k to £300k for SMEs. To cope with the aftermath of these breaches a single policy cyber-insurance market now offers both first-party and third-party protection. The challenge to insurers is to come up with a policy that provides adequate cover at an affordable price, not easy when it is impossible to predict third-party consequential loss.
If you have home insurance but leave your front door open when you go out for the night your insurer is likely to decline to pay out on the policy when you are burgled. Similarly, insurers expect businesses to take adequate measures to protect themselves against cyber-crime (making all staff cyber-aware, alerting them to scams, implementing basic security practices, providing adequate firewalls, warnings on using public WiFi and so on). Increasingly businesses will need cyber-insurance to reassure their customers and it may become a requirement of doing business with public bodies.
There is scope here for consultants to go into businesses and audit their cyber-awareness and the adequacy of their protection with the incentive of lower rates if audited satisfactorily. Insurers and their brokers may offer this service themselves to get the right cover for their clients at the best price.
Business resilience projects have taken on a new dimension.
Moving corporate data off-site to a cloud provider can make good sense; it will have levels of security, resilience and availability that it would not get in a local server room and at a lower cost. However, talking to a colleague yesterday reminded me that I have often spoken to businesses that do not know where their data is held. At least their IT department might know but the C-suite decision makers answer the question with: “It is in the cloud”. Asked to define the cloud many are surprised when they realise that cloud storage just means putting your data on somebody else’s server or servers.
Where those servers are physically sited can be an issue. I remember one CEO who threw a wobbler when he learned that his precious data was sitting in a datacentre in China. That was an extreme reaction but if you are possibly going to have your data stored on multiple sites in different countries and backed up elsewhere then you need to know where those locations are and to satisfy yourself that you are happy with the risk strategies, insurance and legal safeguards in place at these locations.
When working as a systems or solution architect among the questions I ask clients are: “Is your cloud provider reliable and trustworthy?” “Have you looked into their track record, size, stability?” “What insurance have they got in place?” “Has the provider been hacked or otherwise compromised?” (They will provide levels of security and resilience beyond the resources of most local datacentres but they are not invulnerable). “Can they provide 24/7 cover and support?” (If your business operates over the weekend you do not want your operating data stored with an organisation that goes home at five on Fridays).
There is a danger, too, in excessive reliance on a single supplier. Once your data is embedded with the supplier the cost and inconvenience of moving it to another supplier can make it impractical or you might end up running in parallel with two suppliers for a time. Some organisations get round this by having a primary cloud provider and a deep storage supplier.
If we accept that an organisation’s data is its most valuable resource then handing it over to another organisation should only be done after a good deal of due diligence, investigation, visits to the datacentre, talking to other customers of the provider, the entire process. It might also be worth calling in a consultancy to review or design your cloud storage. A little extra up-front cost but a lot of extra peace of mind.
Talking to a cybercrime specialist from Barclays yesterday I learned that 72% of their business customers had reported receiving bogus invoices by email. No surprise there; many businesses I have spoken to have received them and there were two in my own inbox when I got in to the office today. What did surprise me was the number of businesses (Most were SMEs, but not all were) that actually paid these invoices!
I am using this to underline the lesson that the weakest part of any system, and the part targeted by cyber-criminals in 90% of attacks, is a human operator. Which goes to show why human interaction with technology needs to be made failsafe and why cybercrime is becoming less a technical issue and largely a human problem.
It seemed incredible that someone would pay an invoice without checking that it was owed until I remembered a scam that happened in New York a few years ago. A likely lad put an ad in the New York Times. It read: “This is the last day to send in your $10. Box xxxxxxx”. Just that. He had pocketed $30,000 before the NYPD caught up with him.
There is an increasing need for education at all levels to help businesses to protect themselves particularly from social engineering attacks (bogus invoices, fake legal fees), staff negligence (password taped to laptop screen, failure to follow secure procedures) or malicious insider attacks. A major element of advice in our resilience and assurance projects is to “educate your staff”.