
Defence in breadth rather than depth

THE LAST WORD

By Kevin Else (pictured), director at Cyber Security Partners

You don’t need me to tell you that cyber-crime is a significant threat to businesses or that it’s an increasing part of all business crime. The problem is often defining the threat, where it’s coming from and not only how to prevent it, but how to capture the fact that it happened.

Information crime is not new. Competitors have always wanted to find out what your company is doing. Information has a value – whether the information is your customers’ names, details of your products or details of your contracts, there is a value both to your organisation and to others too.

We’ve also seen that the availability of that information has a value to your organisation, with crimes such as ransomware: even if the information isn’t released to competitors or the general public, losing access to it can have a serious effect on your bottom line.

DEFENDING AGAINST INFORMATION CRIME WITH TECHNOLOGY AND PEOPLE

The initial approach to information security has always been to build walls and levels of protection across the organisation to prevent leakage of information. The problem is that, to do your business, you have to create holes in those walls; otherwise the information is not available for you to carry out your normal business functions.

Even monitoring the gaps in the walls doesn’t always prevent cyber-crime. Threats can come from inside the organisation, whether malicious or accidental. Breaches in the walls protecting the information can arise, so a much more holistic approach is required.

Technology is part of the answer and so are people. The day-to-day users of the information are the ones who will recognise an unusual pattern of events a lot more quickly than a piece of technology.

Getting your users onside as part of your monitoring is a key method of preventing information theft. By using your users as first-line monitoring and giving them a level of responsibility for watching how information is accessed, you gain an extremely powerful level of protection.

WHERE TO BEGIN

So how do you build a skill set within your employee users? Yes, there is awareness training, and reviewing the latest scam and spam techniques, but to truly have them focus on how your information is accessed as an organisation, you need to understand the value of the information that you hold.

You need to consider the business impact of either not having that information or of it being released to someone who should not have access to it. There are several stages to building this:

1. Understand the value of the information you hold. This is not the value to anyone outside of your organisation but the value of that information to your organisation.

2. Carry out a business impact assessment. What if the information is not available because of a ransomware attack, or if only part of your information is available?

3. Define the threats and where they are coming from. That can be as simple as saying there are inside and outside threats. Then establish how likely those threats are so you can build appropriate mitigating controls. These can be both technical and non-technical, and they serve either to prevent an incident or, from a resilience point of view, to define the process for how you recover from the information either being released or not being available to you.

4. Marry the business impact and the threat assessment together to highlight where your main risks are.

5. Finally, make sure your users are aware of those risks. This isn’t making them aware of general security risks but of the specific risks to your organisation and its data. There is a place for general security awareness training, but unless you can directly relate it to your users’ day-to-day operations, it will not become part of their business as usual.
