
The state of constant change
By Sarb Sembhi, CISM, CTO and CISO, Virtually Informed Ltd., and James Willison MA, Founder, Unified Security Ltd.
In life the only constant is change. In 2020, change became the single most obvious constant in both personal and business life. COVID-19 has changed most of the rules we took for granted. Humans are social animals; our whole way of life and work has been based on being social and getting more done together. So, when we could no longer leave our houses to go to work, go on holiday, go shopping, go to the pub, meet people and so on, we had to find new and alternative ways to accommodate that.
How we have survived could only really have been possible due to the technology of the day. If this pandemic had happened ten years ago, things would not have turned out the same as they have now. Binge watching streaming media and allowing children to play games in their rooms for longer periods of time are no longer unacceptable, just as sitting in front of a computer all day in conference calls is now a reality for most office-based workers. Throughout the new norm some trends have accelerated faster than others; here are three of the important ones: business priorities, cyber attacks, and enterprise security risk management (ESRM).
Business priorities
When businesses realised that this pandemic was going to last more than a couple of weeks, it became more than apparent that they had to change their priorities. As people stopped going out to the shops, retailers had to come to them. As people stopped going out to work, businesses had to figure out how their employees could work from home. Since technology, the internet and online activities have become the dominant norm, digital transformation across all businesses has never accelerated as fast as it now has for some.
Whereas previously many businesses took their time to get things right before moving their business processes online, those that did not change early enough have now already suffered greater losses that cannot easily be made up.
The business priorities seem to be about a) longer term survival (cost cutting) due to the uncertainty of how long this pandemic could last, and b) transforming the businesses to cut operating costs while getting closer to the customer. These strategies are possible for some businesses but not all. However, other approaches to achieve the same objectives of longer-term survival as opposed to growth have included mergers and acquisitions.
Cyber attacks
The unprecedented increase in cyber attacks has been driven by the many new opportunities arising from artificial, temporary mass shortages of basic food and sanitising items, as well as from government aid to those affected by loss of income.
Attackers who may previously have had to attend to day jobs in the office have now been able to run their attacks while working from home. And with more people working from home, attackers have attacked in the knowledge that many targeted victims are less protected than they were when working from corporate offices.
> Phishing scams are up astronomically, to the point that several law enforcement bodies have issued advisories on all the different current scams.
> Anti-malware vendors have reported a rise in mobile malware (compared to previous quarters); malware targeting IoT devices has also risen.
> People have been left in a desperate position, whether because they are lonely, have no money, or for any other reason brought on by the pandemic.
Apart from the fact that attacks have been increasing overall, attacks on IoT devices, Building Control Systems and Industrial Control Systems have been increasing significantly on a quarter-by-quarter basis, as stated in a recent report1. This has led some organisations to adopt strategic approaches such as Enterprise Security Risk Management (ESRM) to respond to all these types of attacks.

ESRM
ESRM brings all related teams together not just to provide a single view of risk, but also to bring the necessary skills from across the organisation to provide a single response. ESRM has been gaining momentum, driven partly by the realisation that physical security professionals lack the cybersecurity skills needed to deal with the technology (devices, systems and systems of systems) they are tasked with managing in their increasingly ‘connected’ buildings. For about twenty years, ASIS International, the leading security association for corporate security professionals, has championed ESRM, recommending that security teams work together on all areas of security risk and by so doing achieve organisational resilience. In their latest Security Awareness standard, ASIS International and (ISC)2, a global cybersecurity association, state that security awareness is ‘part of an ESRM program’.
They call for ‘one voice’ to simplify the message and conclude that there is a need to “Establish cross-functional security teams to identify cyber physical risk in the digital/smart environment”2.
Some will continue to resist the pace of change but as the World Economic Forum states, “We must stop thinking in compartmentalised ways when making decisions – particularly as the challenges we face are increasingly interconnected... This will require collaborative and flexible structures that reflect the integration of various ecosystems and that take fully into account all stakeholders.” (The Fourth Industrial Revolution, K Schwab, p 112).
In closing
All change brings some element of risk, and those organisations which are effective at dealing with risk will be the ones to fare best in this age of change. Business risk may well be managed by the board and management; security risk is managed by the various security teams. Both physical and logical security teams have great experience and skills in managing risk on their own, but unless they work together there is every possibility that criminals will overwhelm businesses with continuous attacks from all sides, and it is very likely that at some point they will break in.
As the saying goes, the bad guys only have to be lucky just once to get in – those protecting their businesses have to be “lucky” all the time.
History and experience have shown that when we talk about luck in business, what we really mean is organised, methodical preparedness using tools like enterprise security risk management frameworks.
Sarb Sembhi CISM
Sarb is the CTO & CISO at Virtually Informed, and has previously been a CTO & CISO for the Noord Group. He has previously worked as a consultant covering most issues in risk and security. Sarb’s contributions to the industry include the London Chamber of Commerce and Industry Defence and Security Committee and its Cybersecurity working group. Other contributions include: Past President of the ISACA London Chapter, Chair of ISACA International GRA Region 3 SubCommittee, Chair of ISACA International GRA Committee, ISSA UK Advisory Group member, InfoSecurity Magazine Editorial Group member. Sarb has also served on several Security Standards Groups, and continues to write and speak at risk and security events around the world. Sarb was shortlisted in the IFSEC Global Most Influential people in Security & Fire 2017: Top 50 influencers in security & fire 2017: Cybersecurity - IFSEC Global | Security and Fire News and Resources: www.ifsecglobal.com/global/top-50-influencers-securityfire-2017-cybersecurity/
James Willison, BA, MA, MSyl
James Willison is a recognised international leader in Security Convergence and Enterprise Security Risk Management and founder of Unified Security Ltd. Named #8 Cyber Security Professional IFSEC Global Influencers Security and Fire 2020. Shortlisted in Security Serious Unsung Security Heroes Awards 2018 as a Security Leader/mentor. James is Co-Chair, Smart Buildings Working Group, Internet of Things Security Foundation, and a member of the ASIS International ESRM Steering Committee. James was awarded the Imbert Prize for an ‘outstanding contribution to the Security Industry in 2011’ for his work on convergence with ASIS Europe and the Information Security Awareness Forum. He has more than 20 years of management experience in the physical and information security industry, including posts as Advisor on Convergence to the Mitie TSM Board, Senior Lecturer in Security Management at Loughborough University and Digital Security Expert with the European Union.