Enemy At The Gates
Use your imagination – that is what it all comes down to. No, we don’t mean the code-coloured world of The Matrix, the skateboarding punks of Hackers or Sandra Bullock running in stilettos in The Net.
The kind of imagination we’re talking about requires reaching out into every corner, every nook and cranny of your business – every department, every one of your personnel, every access point for users and staff, every asset you have, your reputation – and imagining the worst thing that could happen to any and all of it. Because when it comes to cyber security, that is what’s at stake.
Expect the worst
What’s the worst that could happen? That’s the question that Craig Rosewarne, lead implementer and auditor at Wolfpack Information Risk, asks businesses. Rosewarne uses the example of an insurance company: if hackers gained access to its clients’ financial data, the reputational damage to the company would be enormous, let alone the potential issues for its clients.
“Work backwards from the worst-case scenario,” advises Rosewarne. Accurately envisioning this worst-case scenario involves identifying your critical assets – your crown jewels – and determining their risk and how they might be compromised. Prioritise from there: start by building a wall around your crown jewels. Then build another wall around that.
It’s not an IT issue
Okay, it is an information technology (IT) issue. But it’s also a human resources issue. It’s a financial issue. It’s a psychological issue. Above all, it’s a strategic issue.
“Cyber security is a core part of corporate governance, and you can’t get away with not addressing it,” says Professor Basie von Solms, director of the Centre for Cyber Security at the University of Johannesburg (UJ). He believes that we’ve reached the stage where, if we do not directly and proactively address the issue, it will amount to negligence on the part of the board – and if something goes wrong, they’re liable.
“If a decision is made by the board to allow suppliers access to their systems, or to expand business models by allowing customers to access systems via the internet, it’s not only a technical decision; it’s a board decision, because the potential risk to the company is immense,” says Von Solms. “We’ve already seen class actions taking place on the international front. Any company that has an online presence that allows customers to access their systems – whether to make reservations or do internet banking – faces a corporate governance issue when they are compromised. If the board can’t prove they’ve been proactive in terms of combating threats, they will suffer the consequences.”
Hail to the chief
So what does this mean? Well, for starters, it means that top executives are going to have to start talking to their chief information officer (CIO) more. On top of that, many companies are now employing a chief information security officer (CISO) whose responsibility it is to ensure information assets and technologies are adequately protected.
“Any medium to large company needs to have a dedicated person, or a team, in place to deal with cyber security,” says Rosewarne. “You can outsource key components of the process, but it’s best to have at least one full-time person to orchestrate and work with the other areas of the business to address what needs to be done. You also need an accountable executive on this – normally the CFO or COO – to drive the whole process.”
Von Solms goes a step further, asserting that best practice dictates that the CIO, at least, should be on the board. “There’s a growing realisation that the CIO should be a member of the board,” he says. “If I were a board member, I would demand that this was the case, because if executives lack this kind of knowledge, they should have expertise on the board. I would see it as negligence if they don’t ensure they’ve got permanent cyber expertise on the board. In most cases, the CFO serves on the board for the same reason: to provide specific expertise.”
It’s not just about hiring people to watch your assets; they’ve got to have the right skills too.
But it’s more than that. Cyber-security skills need to become intrinsic to anyone working in a digitally connected business, from front-end development and sales, to inventory management, administration, and all the way to the top. With so many potential access points to any given organisation, employees across the entire spectrum need sufficient education and savvy.
“Every employer using a computer should be given a cyber-security course,” says Von Solms. “They need the skills to ensure their systems are protected. Then they need to ensure that their suppliers are secure too.”
Rosewarne believes the majority of South African companies are way behind in this regard. “There are some advanced companies in the financial services sector, but the majority are very immature – way behind where they should be. That includes government,” he says.
A training regime might include in-house training run by the CIO and CISO, or graduate programmes with third-party security firms or institutes like UJ’s Centre for Cyber Security. When it comes to protecting your information, it pays to be informed.
Protecting your company means approaching security actively; installing antivirus software and a firewall is no longer sufficient. Once you’ve identified your assets and vulnerabilities, you can go about modelling potential threats. Business threat intelligence effectively involves running counter-intelligence – knowing your enemy is crucial.
However, engaging in threat intelligence is a decision that needs to come from the top. “It’s not a decision that can be made by even a CIO,” explains Von Solms. “It must come from the board because there may be legal implications in doing so. The board needs to decide: Are we going to take this approach? What are the consequences? What are the risks? What countermeasures will we put in place? Are we covered legally? It’s a multidisciplinary process. You need legal, social science, psychological and technical expertise.”
What to do
The thing that organisations need to realise is that when it comes to being hacked, it’s really a case of when, not if. “There are only two kinds of companies,” says Von Solms. “Those that have been hacked and know about it, and those that have been hacked and haven’t yet found out about it.”
With this in mind, having good incident management in place is crucial. “If your preventative and detective controls fail, then responding quickly is your third line of defence,” says Rosewarne. “If that fails and you cannot stop the incident, then you go to your final line: your business continuity disaster recovery. This isn’t just an IT plan; it’s a business matter, but often it’s given to the IT department to sort out.”