
The Importance of Business-orientated Information Assurance
Introduction
As part of the continuing development of our information security consultancy practice, I have recently read the latest cyber-security breaches survey from the UK Government which can be viewed at: 2017 Cyber-security Breaches Survey. As well as providing some excellent “take-aways” in the form of two-page briefings concerning different aspects of the survey the analysis in the report gave me pause for thought!
Considering the numerous cyber-attacks over recent years that have severely impacted numerous companies and public bodies globally, it is surprising that the survey highlighted, among many others, the following statistics:
- 80% of UK businesses do not provide cyber security training for staff
- 67% of UK businesses do not have formal policies on cyber security
- 35% of small businesses who consider cyber-security a low or very low priority (39%) have suffered some form of cyber-attack involving data loss and/or financial consequences
- On average, small companies (<10 staff) typically take at least 24 hrs to recover from a breach
What struck me most however was a comment in the body of the report drawn from the qualitative analysis of face-to-face interviews. The interview team noted that a number of respondents had expressed the opinion that cyber-security was not a problem for non-specialists.
The comment was amplified with some interesting statistics about who companies train to respond to the information security threat. Significantly, there is a strong emphasis on both senior staff and information technologists with over 70% of respondent companies funding training for staff in these roles. By contrast 69% do not train non-specialist staff and, while there is an element of considering awareness rather than training, the following quote from a medium–sized business provides a disappointing insight:
“The only training staff require is, ‘don’t open emails when you don’t know who the source is, and don’t open attachments!’. There is a training need… but the general user needs awareness”
The quote is disappointing because, in a progressively digitally interconnected world, the role of information security has moved from the domain of IT specialists into the fundamental operation of a business, and this is particularly true in businesses where the BYOK (Bring Your Own Kit) philosophy holds sway. Consequently, each and every member of staff needs not just awareness but a degree of competence in identifying a much wider range of cyber-security threats, and the absence of training and development support to assist them presents a significant risk to company viability.
The Challenge
In the digital environment, where a company can be subject to numerous attacks ranging from phishing emails to the introduction of malware, through DDoS (Distributed Denial of Service) on to ransomware, the challenge for cyber security is to ensure that protection is business-orientated, i.e. not the domain of specialists but a natural part of daily operations.
A primary challenge is to ground any cyber-security advice and implementations in the way a business operates. You do not achieve this by adding a box of tricks covering essentials such as firewalls, secure data back-up, access restrictions and regular updates of software and firmware, all operated by a specialist IT department. Instead, to ensure information assurance becomes a business fundamental, a company must have all of those IT infrastructure controls in place and also ensure that all staff are sufficiently well versed in the risks that identifying potential threats becomes instinctive.
An important adjunct to ensuring staff are alert to cyber-attack is clearly identifying which of a company’s directors is responsible for cyber-security and ensuring that the topic is reviewed at every board meeting. It is encouraging to note from the survey that 74% of senior managers say that cyber-security is a high priority; however, these good words contrast badly with the fact that only 11% of companies responding had a plan for reacting to a cyber-security incident. Sadly, the phrase “talk-the-talk but not walk-the-walk” springs to mind, and it is this “implementation” gap that represents the second of the principal challenges presented by the findings of the survey.
The third, and possibly the most damaging, of the challenges presented by the need for cyber-security, data protection and information assurance is the sense that it is somehow too technical to explain to the general staff population; this is particularly evident in the quote above in the introduction. Perceptions such as this, which are commonly promulgated by technical specialists who have turned to cyber-security consultancy, are completely unfounded.
Consider the car: 37.3 million cars were registered for use on the UK’s roads in 2016 (DVLA data), meaning that at least 37.3 million people understand the basic principles of driving a vehicle. Considerably fewer drivers will understand all the engineering and technology that is essential to the car’s function, but almost every driver knows when something is going wrong with a car because they have an instinctive understanding of its operation.
At a more technical level, thanks in part to Hollywood and Ealing Studios, many people understand that a radar can detect objects at a distance, and that this offers solutions to problems such as over-crowded flightpaths and aggressor incursions or, at a more basic level, safely landing after a holiday flight or docking after a cruise. Understanding radar’s utility, however, does not depend on an in-depth understanding of the technology that allows the transmitted “wiggly amps” to be reflected and received, giving an estimate of location.
Developing an instinctive sense of cyber-security, like driving a car or appreciating the function of a radar, does not depend on a comprehensive understanding of the technology. It does however need awareness building, specific training and comprehensive business structures, processes and systems.
A Better Way
It would seem therefore from the preceding that no-one can doubt the criticality of businesses having a structured and rigorous approach to cyber-security, data protection and information assurance. It is also apparent that any approach must be realistic, operate across the company and provide all reasonably practicable protection of company and customer information.
For many diverse reasons, cyber-security has been seen as a specialist responsibility and this idea has been regularly promoted by those supplying cyber-security consultancy in the interest of higher fee rates and the maintenance of a suite of arcane mysteries linked to information systems. It has also allowed senior management to speak highly of their commitment to protecting their own and their clients’ data while dispensing with the problem by arguing that its technical nature is beyond normal business operations.
In our view, there is an urgent need to reverse the telescope of cyber-security. Much has been done by programmes such as the Government’s Cyber Essentials and the activities of the IASME Consortium to focus on business, but the principles of these schemes continue to be driven from the technical point of view rather than the business operations perspective.
It is our contention that an approach which starts by identifying and describing risks in the existing structures, processes and systems within a business, before identifying the gaps against nominated standards and then taking action, is the most cost-effective and proactive approach to enhancing information security across a whole business. Our methods are illustrated above.
By pursuing this business-orientated approach to information assurance, we feel that all of the principal challenges described can be addressed in a way that protects a business, its customers and its suppliers from the risks posed by internal malcontents, external felons, unfulfilled vandals, economic terrorists and anti-business activists.