Cyber Security 101 - Bob Hay
I never cease to be amazed. No, seriously, I thought I had become accustomed, and quite seasoned, to hearing about the litany of cyber-security and personal data breach disasters, in particular those that happen to the large multi-national organisations. Billions of pounds are lost to cyber-criminals, and even more billions are wasted recovering from and repairing ineffective cyber-security systems.
Yet now, as I take my information and cyber-security knowledge, gained over many years (fifty-one to be precise), to the Small and Medium size Business (SMB) sector, I am again being confronted with much the same old attitudes of “it will never happen to us.” And of course, sadly, there are those with the know-it-all view, and that view says it all: actually, they don’t. In fact, in a lot of cases these people very quickly demonstrate that they haven’t a clue. This is what still amazes me.
Let me give you an example of what I mean. More than 70% of people, when asked simple questions about their cyber-security measures, respond with answers like this: “Yes, we have a Security Policy, and we’re well tooled up with firewalls and anti-malware and stuff like that, so we’re good, thanks.” However, when you dig a little deeper you discover that their security measures are really full of holes and would, quite frankly, offer up little resistance to the most unsophisticated cyber-attacks.
Cyber security is not about installing the latest and greatest techno-wizardry. There are many organisational measures that need to be in place to underpin the use of all the technical measures. And, before you even start to think about any of that, the most fundamental thing you need to understand is what it is you’re aiming to protect. What is the lowest common denominator in the world of cyber-security? Well, it’s that thing called information.
It is the information that the cyber-criminals seek, which will give them access to the “crown jewels,” the crown jewels being the information that delivers the highest monetary value for them. So, for example, it could be databases of personal information including banking, debit and credit card details. It might be sensitive personal information that will provide leverage for blackmail, or intellectual property that they can sell on to competitors. It is therefore imperative that any strategy for deploying organisational and technical controls (measures) onto your information systems is based on a detailed understanding of the value of the information the business holds and uses.
That takes me neatly back to where I started. Metaphorically, I heard you all saying, “no-one has 51 years of experience in cyber-security.” Please note that I did mention information in that introductory sentence about my background experience. Yes, I was working in the information security business long before computers began to take over. Even back then the introduction of all the latest and greatest technology gizmos (telexes, fax machines and so on) did not change the fundamental job of the security consultant, which was then, and still is now, advising clients on how to adequately protect their information.
At H2 Information Risk Management Consultants we pride ourselves on being able to show clients how to determine what organisational and technical controls need to be deployed to ensure the best security for their information systems.
We often remind our prospective clients of a quotation from Bruce Schneier, the renowned American security guru. He made this simple, but very true, statement:
“If you think technology can solve your security problems, you don’t understand the problems and moreover, you don’t understand the technology.”
There is no one-size-fits-all solution. Everybody’s cyber-security requirements, although on the surface they may look the same, will in fact be quite different. The secret to getting your systems secure is knowledge and understanding of three things: the value of what you’re protecting, the range of threats to and vulnerabilities around that information, and the range of controls available to protect it.
Knowing these things will enable you to make informed decisions about the Appropriateness, Affordability and Accreditability of the organisational and technical controls that are essential to protecting your business assets.