A cyber-security practitioner gave an excellent presentation recently at a networking event. He ended by giving five very practical recommendations. All were technical. They covered authentication, passphrases and other features that assumed that the threat was from outside the system.
This assumption is dominating current information technology thinking. This bad cyber security assumption threatens firms.
Definitions of ‘cyber security’ vary along a common theme. That theme involves data and crime. One definition suggests that cyber security is the state where the firm is adequately protected against the criminal or other unauthorised use of its electronic data. The definition is sometimes also extended to describe the measures needed to achieve this protected state.
To understand why that excellent presentation was limited, we need to understand the threat environment and the process involved in getting protection. We need to understand the cyber system that hosts our data and how criminals might gain access.
Nature of a Cyber System
A system typically comprises a store containing data, a program that processes that data and a means by which human users access the data and enable the processing. This architecture is almost universal and serves as a model for most scenarios. It’s the same regardless of where the system components are located (locally or in the Cloud). And the system has a boundary – the legitimate user is within the system and all others are on the outside.
The fundamental problem with the presentation from the cyber security practitioner was that he assumed universally that the threat to the data came from outside. For a complete understanding – for a complete protection - we can make no such assumption.
Cyber attacks involve, by the above definition of cyber security, penetration of the system’s defences and access to the data within. This gives us likely threats against the system and their associated outcomes. And these threats can come from anywhere.
Cost of Loss
Theft of the data is in itself not material. It’s the fact that the data can then be used in criminal activity. Firstly the data can be used to steal directly from those whose data has been accessed. Secondly the data may include intellectual property and trade secrets that are then sold to others. The single biggest effect of a cyber attack is, however, loss of reputation of the system owner. Reputation is easily destroyed when the system owner has to write to all those with data in the store advising them of his (and their) loss. Loss of reputation kills businesses.
The threat comes both from people on the outside penetrating the system boundary and from people already on the inside. Those on the inside might be legitimate users or colleagues of legitimate users. Either way, they’re ‘inside’. And those inside can carry out an attack or deliberately or inadvertently provide access to those outside.
Arguably, the threat from inside is likely to create a much higher risk.
This wider definition allows for deliberate and inadvertent events by people inside and outside the system. Either way “the criminal or other unauthorised use of (the firm’s) electronic data” has been enabled. Cyber security is indeed about tech – and the use of tech countermeasures to block an attack from the outside. But cyber security is also about the use of controls against those on the inside who might mount or enable an attack.
Approach to Cyber Security
So how does a firm proceed, given that cyber security is not all about tech and not all about bad guys on the outside? For an answer, all firms should turn to the teachings in the international standard for information (or cyber) security, ISO27001.
Before we can discuss approaches, we must understand the nature of the data. Data that we might wish to guard is known as an information asset.
Once assets are identified, the risks to those assets can be predicted from knowledge about typical behavior of people both outside and inside. This is done by scoring the chance of a successful attack and multiplying this by the resulting loss. Since many risks will score low, management will need to determine a score above which they will act to protect.
With all this identified, the system owner can now set about implementing controls to prevent a successful attack and subsequent loss.
Controls Counter Threat
Now we see the importance of acknowledging that the people mounting the attack can be outside or inside or both. Employees and contractors can load data to a portable store and carry it to the outside. Employees and contractors can inadvertently or deliberately click on a link in an email that enables a path from outside to inside, thereby avoiding the system’s defences. And of course, someone on the outside can attack and defeat the system defences.
So what controls are needed?
Here’s a list of likely controls focused on staff and contractors within the system.
- Use the principles of ‘need to know’ and access partitioning – internally, only give employees and contractors access to the specific data sets they need for their work. If an employee or contractor does not need access to a data set, don’t give it.
- Remember that your IT staff may also inadvertently or deliberately mount or enable an attack. Your IT staff are not above reproach. Have IT staff set up systems and then control their access once the system is in use. For the most part, they don’t ‘need to know’.
- Ensure robust contracts of employment for employees and sole trader contracts for contractors – express information security in policies and procedures and ensure that all are aware of their obligations of security.
- Train employees and contractors in threats, risks and controls and also in the forms of cyber attack likely. Train them in how to spot irregular activity in others. Employees have vested interests in ensuring that their colleagues assure security so engender a culture where employees can let managers know if they suspect foul play.
- Clearly define cyber security responsibilities in jobs like project managers and line management in general and empower those managers to act to implement the necessary controls.
- Ensure that there is adequate management oversight. This does not mean that managers should sit on peoples’ shoulders. Managers should be ensure that they are aware of which staff have access to what data. Management should then pay attention to the findings of audits as a trigger for further investigation.
- Ensure that management is continually looking out for irregular activity in people, systems and data. This does not mean that managers should monitor staff and contractor email and data use. Routine monitoring breaches trust and may breach employee rights.
- Whenever there is a suspected breach of cyber security procedures, managers must carry out a thorough investigation using established HR management procedures. Any action on any member of staff or contractor must be based on evidence.
Once controls are in place, internal audit by colleagues can assure management that those controls are effective. There is a place for independent auditors but their use in first line checks engenders feelings that staff are being monitored. Use external auditors to audit the work of internal auditors.
Bad Cyber Security Assumption Threatens Firms
Today many cyber security practitioners go to great lengths to describe attacks likely on the firm. They discuss viruses, Trojans and worms showing how such malware can be introduced to attack data from outside the system. They show how brute force and other more sophisticated methods can be used to learn users’ pass-phrases, thereby gaining entry from outside. And they illustrate how phishing, pharming and man-in-the-middle methods can be used to fool or socially engineer users to take action which attackers want. Such methods are often used to ‘invite’ attackers from the outside to gain legitimate access.
But to assume that the system is only under threat from outside is wrong. This bad cyber security assumption threatens firms.
Undoubtedly, attacks from the outside are growing. But employees and contractors remain the biggest risk – through deliberate or inadvertent action. Managers must remember that cyber security is not all tech. It’s people too.