Brief Personal Statement
Gavin E L Hall (www.gavinelhall.com) recently completed an MA in Terrorism, International Crime & Global Security with a specialisation in Cyber Security and wrote a dissertation entitled “Does the United Kingdom’s Cyber Security Strategy Represent a Missed Opportunity?” (http://gavinelhall.com/Documents/UKCSS.pdf). He is seeking to develop conceptual understandings of the cyber-environment as a PhD candidate. He operates as a consultant on a range of security issues and offers bespoke analysis of corporate information risk management and security (http://gavinelhall.com/2.html).
In 2011 the UK launched a Cyber Security Strategy with four core objectives. A detailed analysis of the arguments about how effective it has been can be found in my dissertation. My aim in this article is to translate that analysis into something that enhances corporate understanding and has relevance for businesses of all sizes in dealing with what is commonly termed the “Cyber-Threat”.
The threat to business is actually twofold. Firstly, there is a threat that originates from how information is managed and, secondly, there is a threat from crime that has some basis within the cyber-environment. I deliberately avoid the phrase Cyber-Crime because at the moment it has no settled meaning: what does, or does not, constitute a cyber-crime has not been defined, and the classification is wholly subjective. For example, the article Defeating the Cyber Criminal (http://www.mytrade.tv/2014/02/14/defeating-cyber-criminal/) highlights the use of CryptoLocker. Is this extortion, or is this a cyber-crime?
Cyber-security has traditionally used the information technology CIA (Confidentiality, Integrity, Availability) model for identifying cyber-threats and developing strategies for a business to secure its hardware and data. Confidentiality is concerned with preventing the disclosure of information to unauthorised individuals or systems. Integrity concerns the data a company holds in its databases or transmits, and means maintaining its accuracy and consistency. Availability means that the system, or the information, is there when it is needed. An intrusion such as CryptoLocker attacks one of these three properties by exploiting a weakness in a system. In the case of CryptoLocker it should be apparent that the threat is to availability: the files are encrypted, and if no action is taken before the deadline the information the business needs to keep operating is no longer available to it.
This is the traditional argument and the one most people will be familiar with. If you are a manager, someone with budget responsibility or a CEO, you are probably familiar with these arguments for funding from your IT department, and also nervous about emptying the company bank balance to pay for the latest superb solution that promises to stop these threats reaching your company.
There is a cheaper and much more effective option, one that the UK government put into the Cyber Security Strategy as Objective #4: “The UK to have the cross-cutting knowledge, skills and capabilities to underpin all our cyber security objectives”. In short, improve education about threats from the cyber-environment.
For a business of any size this can be conceptualised as The Human Firewall.
The Human Firewall makes clear that ultimately we as humans are the first and last line of defence in protecting company systems and information. I would advise people to look at the Executive Summaries of the yearly Verizon Data Breach Investigations Reports (http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf); they supply easy-to-understand figures that continually emphasise that over 80% of all cyber-intrusions globally could be prevented by good computer hygiene and minimal spending.
In practice this means that as a business you should ensure:
– The latest software updates for your systems are installed, and you regularly check that they are in place on every computer. In your organisation, who has responsibility for this? Is it the IT department, the individual user, or a sub-contracted third party? (If the last, how do you verify that they are doing what they say?)
– Unexpected email attachments are not opened, especially files ending in .exe or .zip, and .pdf files are also treated with caution.
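The attachment rule above, written out as a small triage script. This is an added example and not code from the original article. It goes a little beyond the text: it judges a file by its real (last) extension so that the double-extension disguise, such as Invoice.pdf.exe, is caught whatever the letter case; it looks inside .zip archives for hidden executables; and it flags archives it cannot inspect (encrypted members, or a "zip" that is not one). The attachment names and contents are constructed here for illustration.

```python
"""Attachment triage for the second Human Firewall rule.

Added example, not code from the original article. It applies the
article's rule (block .exe, treat .zip and .pdf with caution) and goes
a little beyond it: it judges a file by its real, last extension so the
double-extension disguise ("Invoice.pdf.exe") is caught, looks inside
.zip archives for hidden executables, and flags archives it cannot
inspect. All attachment names and contents below are constructed here.
"""
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, Optional, Tuple

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Archives that can hide any of the above.
ARCHIVE_EXTS = {".zip"}
# Opened by large, complex parsers; the article says treat with caution.
CAUTION_EXTS = {".pdf"}

BLOCK, CAUTION, ALLOW = "BLOCK", "CAUTION", "ALLOW"
SEVERITY = {ALLOW: 0, CAUTION: 1, BLOCK: 2}
Verdict = Tuple[str, str]  # (verdict, human-readable reason)


def classify_name(filename: str) -> Verdict:
    """Judge a filename by its last extension, case-insensitively."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return CAUTION, "no file extension; type unknown"
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        if len(suffixes) > 1:  # e.g. "Invoice.pdf.exe": the OS runs it as .exe
            return BLOCK, f"executable disguised by double extension {''.join(suffixes)}"
        return BLOCK, f"executable attachment ({last})"
    if last in ARCHIVE_EXTS:
        return CAUTION, "archive; contents must be inspected"
    if last in CAUTION_EXTS:
        return CAUTION, f"{last} is opened by a complex parser; confirm the sender"
    return ALLOW, "no risk indicator in the name"


def classify_zip(data: bytes) -> Verdict:
    """Return the worst verdict across the members of a .zip attachment."""
    worst: Verdict = (ALLOW, "archive members carry no risk indicator")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict, reason = classify_name(info.filename)
                member = (verdict, f"archive member {info.filename}: {reason}")
                # Bit 0 of the general-purpose flags marks an encrypted member;
                # a scanner cannot look inside it, so never rate it ALLOW.
                if verdict == ALLOW and info.flag_bits & 0x1:
                    member = (CAUTION, f"encrypted member {info.filename} cannot be inspected")
                if SEVERITY[member[0]] > SEVERITY[worst[0]]:
                    worst = member
                if worst[0] == BLOCK:
                    break
    except zipfile.BadZipFile:
        return BLOCK, "named .zip but not a valid archive"
    return worst


def triage(filename: str, data: Optional[bytes] = None) -> Verdict:
    """Combine the name check with archive inspection where content is available."""
    verdict, reason = classify_name(filename)
    is_archive = PurePosixPath(filename).suffix.lower() in ARCHIVE_EXTS
    if verdict != BLOCK and is_archive and data is not None:
        return classify_zip(data)
    return verdict, reason


def build_sample_attachments() -> Dict[str, bytes]:
    """Constructed sample attachments for the demo (not real captures)."""
    hidden = io.BytesIO()
    with zipfile.ZipFile(hidden, "w") as zf:
        zf.writestr("Invoice_2014.pdf.exe", b"MZ fake executable")
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("minutes.docx", b"PK fake document")
        zf.writestr("agenda.pdf", b"%PDF-1.4 fake")
    return {
        "Q1 Figures.xlsx": b"PK fake spreadsheet",
        "Invoice_2014.PDF.EXE": b"MZ fake executable",
        "Statement.pdf": b"%PDF-1.4 fake",
        "Invoices.zip": hidden.getvalue(),
        "Board pack.zip": clean.getvalue(),
        "not_really.zip": b"this is not a zip archive",
        "README": b"plain text, no extension",
    }


def triage_all() -> Dict[str, str]:
    """Run triage over the constructed samples; returns name -> verdict."""
    return {name: triage(name, data)[0] for name, data in build_sample_attachments().items()}


if __name__ == "__main__":
    for name, data in build_sample_attachments().items():
        verdict, reason = triage(name, data)
        print(f"{verdict:8} {name:24} {reason}")
```

The point of deciding on the last extension is that Windows does the same: a file called Invoice_2014.pdf.exe is run as a program however much its icon and name suggest a document, which is exactly the disguise used by the CryptoLocker mailings the article refers to. A mail gateway rule written this way costs nothing beyond the time to deploy it, which is the article's argument.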
Notice that the above two measures have a negligible direct cost, but ensuring they are properly implemented will prevent the large majority of intrusions into your business. At the start of this article I highlighted a twofold threat. So far we have largely focused on the second element, crime based in the cyber-environment. It is now time to consider information management.
Having realised that we as humans are the most important element in ensuring the cyber-security of our business, the concept of The Human Firewall can be taken a stage further when we consider how information is managed. There are two strands to this, because the threat is both internal and external: it is important to consider not only what an outsider could gain access to, but also what information is available to employees.
I would strongly urge all decision-makers to familiarise themselves with the structure their business uses for managing information, rather than simply leaving it to the IT department, because, in the words of a recent House of Commons Select Committee on E-Crime,
“The only sure way to protect your data [information] is not to collect [store] it in the first place”