Part 1: Introduction
CHAPTER 1: THE THREAT LANDSCAPE
We live in a world where technology and vast quantities of data play a considerable role in everyday life, personal and professional. For the foreseeable future (and perhaps beyond), their growth and prominence are showing no signs of slowing down, even if the technology in question will likely change in ways perhaps unimaginable today. Naturally, all this innovation brings huge opportunities and benefits to companies and individuals alike. However, these come at more than just a financial cost.
In the world as we know it, you can be attacked both physically and virtually. For today's organisations, which rely so heavily on technology, and particularly the Internet, to do business, the latter is by far the more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. Worse, once a vulnerability becomes public, a tool that exploits it is often developed and in use within hours: faster than the vendor normally takes to release a patch, and certainly quicker than the time many organisations take to install that patch.
The fact that technology is involved gives attackers a huge advantage over the defenders: not only can they attack anyone, anywhere, from the comfort of their own home, they often have automated tools that identify their victims, and those victims' vulnerabilities, for them. Moreover, from an attacker's perspective the risk-to-reward ratio is often very favourable: for the victim, it can be hard enough to detect that an attack happened at all, never mind trace who was behind it. It is in the very nature of the digital information we are trying to protect that it is easy to copy. In fact, stealing the information does not require removing it from its original location at all, so the owner of that information may never realise that the theft happened.
Unfortunately for us, committing crimes over the Internet can also be very lucrative. Physical pickpocketing may earn a thief cash and credit cards (which will likely be blocked very quickly, and can probably only be used up to the contactless limit per transaction anyway), but digitally targeting someone gives the thief a chance to steal that person's identity and have credit cards issued in the victim's name. Scale that up, and a criminal might think about targeting businesses that hold databases with thousands or even millions of credit card details and personal information about their owners. Whether they then use that information directly or sell it on the dark web (where you can buy virtually anything, from drugs and organs to hacking software and stolen credentials), the profits are certainly far greater than those of a physical crime conducted in the same timescale and with the same manpower.
Because virtually every organisation holds valuable information, often in huge quantities (even if you are a small business), everyone is a target. More often than not, organisations cannot do business if they lose access to that information – making it one of their most important assets. At the same time, the fact that criminals can extract significant value from this information means that it is an asset to them too. There is good reason to refer to them as information ‘assets’ – by definition, someone else wants to get hold of them. Many a time, that ‘someone’ is a business partner who will go through the proper channels – but not everyone will take the legal route.
It should therefore come as no surprise that in the UK alone, 46% of businesses experienced at least one cyber attack or breach during 2019, rising to 75% among large businesses.[1] Such attacks range from simple phishing emails to complex, detailed operations masterminded by criminal gangs, and the trend over the past five years, according to the UK government's 2020 Cyber Security Breaches Survey, is that cyber attacks are evolving and becoming more frequent.[2] Even the simplest attack, if executed successfully, can wreak havoc if you are not prepared. Clearly, it is in your organisation's best interests to protect itself. Although this will cost something, it will certainly prove far cheaper than suffering a breach and having to deal with the operational, financial and reputational damage that follows.
Yet, given the frequency of data breaches and cyber attacks in the press, many of them large-scale, you could be forgiven for thinking that it is impossible to defend your organisation against the predations of cyber attackers – after all, if massive multinationals cannot stay secure, what hope is there for small businesses?
The answer is: more than you think. Cyber security does not have to cost vast amounts of money or take years to implement, particularly if you take a strategic approach and aim for the lower-hanging fruit first. And it is a worthwhile investment: no matter the size of your organisation, improving cyber security helps protect your data and that of your clients, improving business relations and opening up new business opportunities.
[1] UK Department for Digital, Culture, Media & Sport, "Cyber Security Breaches Survey 2020", March 2020, https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020.
[2] Ibid.
CHAPTER 2: INFORMATION AND CYBER SECURITY
The terms ‘information security’ and ‘cyber security’ are often used interchangeably, when in fact they refer to different (albeit related) things.
To start with the similarities, both information and cyber security are concerned with security on three fronts:
1. Confidentiality: Information assets and systems should only be accessible to those who need access.
2. Integrity: Information assets and systems should be protected from unauthorised modification, destruction and loss.
3. Availability: Information assets and systems should be accessible to authorised persons as and when necessary.
Considering all three aspects of security (collectively referred to as 'CIA', or the CIA triad) means that you will not make the common mistake of taking only confidentiality into account. Clearly, restricting information on a need-to-know basis is a critical element of security, but that information is only useful if you know it is correct and you are able to access it when you need it.
There are, however, some important distinctions to draw between information and cyber security. The former considers all information held by an organisation, irrespective of whether that information is electronic or in hard copy format, whereas cyber security is a subset of information security, focusing specifically on protecting electronic information.
Even though cyber security may seem like the more obvious route for organisations to take, considering how our world is becoming increasingly digitalised, there will always be an element of physical security to consider, if only because you need to protect your hardware in order to access your digital information. Availability aside, firewalls and anti-malware software cannot fully protect your devices if someone can simply look over your shoulder at what you are doing, or walk off with the device altogether.
Part 3 of this book delves into the sort of measures you can take to protect your organisation from these risks.
CHAPTER 3: CYBER RESILIENCE
Unfortunately, even the most secure organisation can still fall victim to a cyber attack. To a large extent, it is simply a case of having the odds stacked against you: although you need to protect all your assets from all types of threat, an attacker needs only one weakness to get into your systems. On top of that, any single security measure you put in place is designed to stop only a handful of threats, at most, and is likely to be ineffective against every other kind.
It is important both to recognise these challenges and to not view them as insurmountable.
To understand why the former is so important, you only have to look at the past. History teaches us that if you assume something cannot possibly go wrong, you may find it difficult, if not impossible, to remedy the situation when it goes wrong anyway. The Germans in World War II deemed the Enigma machine unbreakable, so never seriously considered the possibility that the British were intercepting and decrypting their messages. The RMS Titanic was deemed unsinkable, so carried only 20 lifeboats, with capacity for just under 1,200 people, when the ship itself could carry more than 3,000.
On the other hand, acknowledging that your security may fail despite your best efforts lets you consider in advance how something might go wrong and what you can do to limit the damage when it does. In other words, thinking resiliently will enable you to recover from an attack: even if attacks are rare, when one happens the consequences can be crippling if you have not planned how you will respond.
Taking a defence-in-depth approach, where you have multiple layers of defence, each defending against a specific – and different – type of threat (this concept is discussed further in 12.12.8), is an excellent place to start. It is also vital that you do not limit your defences to preventive measures (see chapter 12), but also put detective measures (see chapter 13) in place – so you know when your preventive measures have failed – as well as responsive measures (see chapter 14), so you can move swiftly to contain the damage.
CHAPTER 4: REGULATORY AND CONTRACTUAL REQUIREMENTS
If the fact that your organisation needs to wade through a complex cyber threat landscape in order to compete in today’s digital world is in itself not a strong enough case to invest in cyber security and resilience, the added pressure from a global regulatory system that is beginning to catch up might be.
4.1 International data privacy laws
The adoption of the EU General Data Protection Regulation (GDPR) in 2016, which became applicable two years later, in May 2018, marked a major milestone for data protection and privacy laws across the world. Most of us remember the flood of 'we need your consent' emails that arrived in our inboxes in the days leading up to and after the GDPR took effect,[3] but those emails were only the tip of the iceberg.
The GDPR places a wide range of security and privacy obligations on organisations that process the data of EU residents a...