At its most basic, cyber security is about protecting people from cyber crime. Whether it is government, business, organisations or individuals, it is still about people. Cyber security is about understanding the different types of cyber crime, who criminals are targeting and how they intend to profit from a crime, either financially or emotionally.
Understanding the nature of risk is crucial. Knowing what the risks are allows someone to evaluate them, and decide what is the best way they can protect themselves. Even the best levels of protection can sometimes go wrong, and if they do, cyber security becomes about how to survive the crime that has been inflicted on them, and what they can do afterwards to recover.
Cyber security is often written about in a very technical way. Part of this is because the infrastructure related to cyber security is usually about networks and software, the installation and upkeep of which does necessitate a number of quite specialist computer-related skills.
This can sometimes be a bit misleading, as cyber security is a much broader and wider field involving the four areas listed below of risk, protection, survival and recovery. Any job in cyber security really needs an understanding of these areas in order to maximize their own effectiveness.
A good illustration of this is the Equifax data breach of 2017.
In 2017, Equifax announced a data breach of approximately 148 million Americans, nearly half of the population of the United States, and 56% of American adults. A huge amount of detailed financial data on individuals that was used to create their credit scores had been stolen.
It subsequently came to light that there were two main reasons for the breach. Firstly Equfax were aware of a patch that needed to be applied to all of their Apache servers, but failed to apply it to one that was an in-house system developed in the 1970s, allowing the criminals access.
Secondly, there were numerous, approximately 300, security certificates that they had not renewed. One of these was crucial to monitoring network traffic, and had not been renewed for a period of about 19 months. The attack on Equifax went on for approximately 76 days, and went largely unnoticed because this certificate had not been renewed.
(Source and Reference – US House of Representatives Report)
There are numerous elements within the Equifax data breach which demonstrate the issues around cyber security.
A detailed and ongoing risk analysis is an absolute first priority to any cyber security process. Understanding where the risks are, and what the vulnerabilities are allows for an intelligent discussion about how best to minimise risk, and how to protect against any remaining level of risk. It allows for a debate about what level of risk is acceptable, and in what areas.
Many people will use specific risk modelling systems, some people will go for simply a gut instinct, and others will use a combination of both. What is really important is that risk is identified, so that appropriate action can be taken. It has to be remembered that risk is neither a good or bad thing in itself, it is how it is managed that matters.
Once risk has been identified, and in what areas, then effective protective measures can be put in place. These can relate to system issues around networks and software, upgrades, patches etc and also to human behaviour and action.
IT systems can become incredibly complex, as Equifax’s did, not because they need to be but simply because of a lack of oversight can lead to any system growing out of control. A good level of network and software protection makes sure that systems work with each other, and are as simple as they can be, and that only people who need to have access can have it.
Human behaviour can have a massive impact on cyber security. Simple things like clicking on links in e-mails, changing passwords, being able to access different levels of information, appropriate levels of training, to staff wanting to maliciously damage an organisation or business.
There are a number of simple things that any organisation can do to help minimise the risk of human behaviour, inadvertently or deliberately, affecting cyber security protection.
If a data breach of any sort does occur, or any type of cyber crime takes place, then it is crucial that people in the organisation or business can get through it, and come out the other side. It can be a harrowing time but the immediate threat has to be dealt with.
There needs to be a plan in place as part of a cyber security policy for people either within the business or organisation, or for an external agency to take over and manage the immediate crisis and find a way through it.
This part of the policy needs to be identified in a very detailed and thorough manner, and the people involved need to be very clear about what their role is, what their responsibilities are, and what they need to do.
Most types of data breach and cyber crime are time sensitive. Any business or organisation needs to be able to respond with a degree of urgency and immediacy, either to stop the breach contimuing, or to deal with any type of ransomeware demand, which is normally very time specific.
This means that there has to be a plan in place at the outset, that can kick in immediately if needed.
Once the immediate threat has been dealt with, however long it takes, there is also an urgent need to recover and move forward. Often the most pressing problem is to find out how the breach occurred, and make sure corrective steps are taken so that it cannot happen again.
Depending upon the nature of the crime, there are going to be a significant number of people who need to be notified that it has taken place. This can include a number of statutory bodies, staff, customers, clients etc.
There is normally a tendency to secrecy around data breaches and crimes, which to an extent is understandable, but this should be avoided wherever possible and must never be allowed to block notifications to people who have been affected.
For many companies and businesses, there is likely to be an issue around reputational damage and trust, which may have an impact on their willingness to notify people. In reality, any hesitation in telling people the truth is likely to do much more damage to their reputations than if they are open and upfront about what has happened and why.