
Keep people at the centre of risk management, says consultant

In assessing the cyber risks to a business, security professionals should start with the people in an organisation and keep them at the centre in identifying and mitigating risk, says consultant

Information security is not typically top of mind for new business owners, says John Unsworth, director of security, risk and intelligence at security consultancy Revak.

“They are thinking about selling products and services, so we often find there is no one in charge of information security or compliance that has an understanding of the wider business risks,” he told the KuppingerCole Cyber Security Leadership Summit in Berlin.

However, Unsworth said that experience shows it is much more difficult to work retrospectively to get this done than it is to implement it at the outset so that it becomes part of business as usual.

From the perspective of an information security professional, the objectives of any company should be to protect the business, its employees and its customers from a variety of threats, while at the same time enabling the business to operate efficiently and effectively by embracing available technologies.

“The challenge is quite wide, but it is nothing new,” said Unsworth. “It is about ensuring data protection, preventing and managing data breaches and other cyber attacks, and balancing technical controls with human behaviours.

“In 20-odd years of working in policing, the criminal threats didn’t change, just the ease with which they could happen changed, and that is also true when it comes to cyber crime, in particular.”

Applying the problem-solving approach of police intelligence work in the business context, Unsworth said he recommends that organisations start by identifying the specific threats to the organisation. “It has to be specific to you – otherwise the scope is too broad and you take too much on,” he said.

“Next, assess your organisation’s vulnerabilities to those threats, then do something to manage the risk to your organisation, and finally be honest in tracking your activity to see how effective your actions are, which most people don’t like doing, but it is important to learn and improve, where necessary.”

As part of this process, Unsworth said businesses need to understand the scale and threat of cyber attacks. “Statistics help to put that in context, including the fact that around 50% of all crime reported in the UK is cyber-related, and one in 10 Britons are impacted by cyber crime each year,” he said.

“More importantly, 66% of big organisations in the UK and 45% of small businesses had security breaches in 2017. These are actual breaches, where cyber attacks are successful in getting through, but the real figure is probably much higher because not all businesses are willing to report breaches and not all organisations know when they have been breached.”

The threat is real and attacks are happening at scale, but Unsworth said it is important to note that the vast majority of breaches are not achieved using the most sophisticated attacks.


In fact, most breaches can be traced back to attackers taking advantage of poor internal processes or poor compliance with processes, he said.

“The biggest data protection issues are things like people losing laptops and USB sticks, because although best practice is mandated by company policy, nobody knows about it or complies with it because it has never been communicated properly to all employees.”

Unsworth recommends that organisations start at the bottom with the things they have control over, such as implementing a company culture in which information security is high on the list of objectives.

“The way to be successful is not to try and do everything at once, but tackle the challenge in small chunks to resolve all the issues one by one through a security programme designed to drive out behaviour such as losing laptops, losing USB sticks, sending emails to the wrong people and disclosing personal information to a third party,” he said.

Unsworth recommends an incremental approach to a compliance and security programme, starting with assessing current security posture and identifying key vulnerabilities, using something like the UK government-backed 10 steps to cyber security guidance.

“Not every company has to comply with every regulation, so look at what applies to you, and then look at security to see how they help each other, because they have got to work in parallel and collaboratively,” he said.

“Ask a series of simple questions, such as whether there is staff training, and every ‘no’ answer is a gap. And where the answer is ‘yes’, just check whether it is done well enough to meet the need. There is no need to make this more difficult or complicated.”

Remediation of vulnerabilities

The next stage is to carry out prioritised remediation of vulnerabilities alongside staff education, and then to look at standards, starting with something like the UK’s Cyber Essentials Scheme.

“Cyber Essentials is good enough for most organisations, but others may need something more detailed, such as the Center for Internet Security benchmarks or the ISO 27001 standard, but if Cyber Essentials is good enough, stick with it and do it well, rather than doing stuff that is not needed,” he said.

That said, Unsworth stressed that organisations should not forget or overlook the requirements of the EU’s General Data Protection Regulation (GDPR) and anti-financial crime controls, where applicable.

“When you look at vulnerabilities, it is devices, people and practices, and it is therefore important to engage with everybody in the business by explaining the objective of assessing vulnerabilities, starting with the people who do the work to find out what practices are actually being followed,” he said.

“Inspire collective responsibility. Ask people their opinions on how things can be improved and put that to the bosses. Show them the reality of what needs to be addressed and how.”

Communicate the ‘why’

It is important to communicate the “why” to all relevant people in an organisation, said Unsworth, as well as maintain the focus on enabling business activities.

“Problem-solve and prioritise,” he said. “You can’t do everything at once and remember, it is about the people and doing simple things well.”

It is important not to confuse threat and vulnerability with risk, said Unsworth. “A threat without a vulnerability is not a risk,” he pointed out. “But they are equally important, and if you have both, then you have a risk that needs to be prioritised for action in terms of potential impact.”
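The four-step approach described earlier (identify threats, assess vulnerabilities, manage the risk, track the outcome) and the rule that a threat only becomes a risk when a vulnerability exposes it can be captured in a small risk register. This is an added illustration, not code from the talk or from Revak; the threat names, impact scores and control questions are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    impact: int  # potential business impact, 1 (low) to 5 (severe); constructed scale


@dataclass
class Vulnerability:
    name: str
    exposes: set  # names of the threats this weakness gives a foothold to
    remediated: bool = False  # flipped to True as the programme closes the gap


@dataclass
class Risk:
    threat: str
    vulnerability: str
    impact: int


def build_register(threats, vulns):
    """Pair each unremediated vulnerability with the threats it exposes.
    A threat with no matching vulnerability yields no risk; the register
    is ordered by potential impact, highest first, for prioritised action."""
    by_name = {t.name: t for t in threats}
    risks = [Risk(t, v.name, by_name[t].impact)
             for v in vulns if not v.remediated
             for t in sorted(v.exposes) if t in by_name]
    return sorted(risks, key=lambda r: (-r.impact, r.threat, r.vulnerability))


def gap_analysis(answers):
    """Every 'no' answer to a simple control question is a gap to work on."""
    return [question for question, ok in answers.items() if not ok]


# Constructed sample data: three identified threats and three assessment findings.
THREATS = [Threat("data theft via lost device", 4),
           Threat("ransomware", 5),
           Threat("misdirected email", 3)]
VULNS = [Vulnerability("no disk encryption on laptops", {"data theft via lost device"}),
         Vulnerability("no offline backups", {"ransomware"}),
         Vulnerability("no outbound mail checks", {"misdirected email"}, remediated=True)]

if __name__ == "__main__":
    for risk in build_register(THREATS, VULNS):
        print(risk)
    print("gaps:", gap_analysis({"staff training": False, "patching": True}))
```

Re-running `build_register` after marking a vulnerability as remediated is the tracking step: the register shrinks only when a gap has actually been closed.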

Different businesses will have different priorities, depending on the nature of the business, said Unsworth. Some will be motivated by protecting clients, while for others it will be the cost of business disruption, preventing reputational damage or avoiding financial loss.

“You have got to find the factor that will help to drive change, focus on that, then track your activities, review them and report on the outcomes to assess whether you are making any difference and identify what is working and what needs to be improved,” he said.

“And remember, just because an organisation is compliant does not mean it is secure. It is about continuous improvement. It is always ongoing.”
