Now THAT’S what I call cybersecurity! By Perry Timms

18 August 2020

The famous ‘Now…’ series of pop music compilations gave us a dose of the ‘hits’ of the day in a packaged format.

And that’s what we had on 7th August with an event hosted by Nowcomm’s excellent team of Richard, James and Kevin stewarded by cybersecurity expert and multi-nominated influencer Jane Frankland, with me, representing the non-technology industry view (and over a bit of a ropey digital connection it has to be said – thanks, Windows 10 device, I’ll stick to my Chrome OS Pixelbook next time).

Why, then, was this event likened to the iconic pop-compilation series?

Because if you weren’t so sure about your state of cybersecurity excellence, there was plenty of food for thought on that in this Masterclass.

For example, the World Economic Forum has now identified that cybersecurity is one of the top five troubles affecting executive leaders.

Attacks of a technical nature account for a predicted spend on cybersecurity in 2022 (according to Gartner) of £133.7 billion, and 71% of all cyber-attacks are financially motivated, with 25% due to espionage.

In order to combat such high-value loss and damage, this Masterclass focused on three key elements: Culture, Technology and Operations.

Where do we start?

With attacks so frequent – and coming from all across the globe – it is more important than ever to protect our business and personal dealings through digital channels and platforms. Attacks are more sophisticated, using more tricks and hooks to play on the psychology of humans. Attackers can also buy attack kits on the Dark Web that not only breach firewalls but also appear to come from trusted sources, which we as human operators believe to be legitimate, so we proceed to open compromised emails or save files with embedded viruses or trojans.

Therefore, our people and processes can have a positive – or negative – effect on how vulnerable we are to attacks and how quickly we can contain and recover from any malware found in our digital infrastructure.

Playing the psychology card.

Fear and an under-analytical appreciation of our vulnerability can lead us to make decisions that impair our security. So, a more logical and calm way of dealing with our preventative measures should stand us in good stead both to avoid attacks and to quickly contain and recover from them.

For example, we leave clues about our vulnerability at many touch points across the web. Whether individuals are accessing corporate information through personal email addresses or subscribing and logging on to systems where the data can be used in mischievous ways, these clues can lead hackers to see us as an ideal target: a vulnerable organisation to hold to ransom, or one whose systems can be taken down to impair operations.

Adopting an investment mindset.

What the masterclass revealed is the need for an appropriate frame of reference between risk and the cost of making yourself cyber-secure. The cost may seem like a big investment, but the risk is in the resulting impacts of a major breach or attack, which can be 10- or 100-fold the cost of the investment.

What became clear was the need for the technologists who operate as cybersecurity experts to ensure not only that new and relevant technological security tools are implemented speedily, but also that the entire area of cybersecurity is high on the agenda of business leaders. It must be spoken about across all business teams in a language that suits their understanding and operating world.

The potential lack of comprehension of the need to be secure, both as an individual transacting company services and as a leader making company decisions, is crucial to address.

Sharing the load.

Having cybersecurity Champions across the business, practical and easily assimilated learning and development support, and an awareness of the nature of threats and attacks is a great start in securing your people, and thereby in getting your culture and operations working together to provide strongly supported security approaches and mechanisms.

An additional consideration is the supply chain and partnerships of an organisation. More frequently, the targets of cyber-attacks are the hosting organisations that provide your Cloud Services and data storage/retrieval systems, and then, of course, those in your supply chain with whom you share information, records and details across digital platforms and connections.

A weakness in either kind of partner can result in your own organisation being vulnerable and attacked, despite you having robust systems for direct access to your customer/public interfaces.

Awareness and action to create rapid responses.

Staggeringly, cyber-attacks occur every 39 seconds and there is a lead time of 260 days before some breaches are identified. 62% of those attacks are the result of negligent insiders, perhaps operating poor passwords or device security, or being duped into providing access to malicious users or a disgruntled ex-employee out for revenge.

Cyber insurance is one option, and indeed a growing industry. In order to obtain good cyber insurance you will have to demonstrate that you have effective systems in all three areas of operations, culture and technology. Yet cyber insurance merely mitigates the financial loss; your reputation, your servicing of customers and the work your organisation is set up to do will all still suffer in the event of poor cybersecurity systems that do not restrict the impacts of a cyber-attack.

Immediate actions Executives and Business Leaders can take.

Having confident and adept people is perhaps one of the most overlooked aspects of cybersecurity. So beyond the appropriate software, privileges and patches to update digital security, our people also need to be updated, informed and able to act swiftly in the event of a potential attack or breach.

Gamification as a concept within learning gives us a chance to constantly address the proficiency and capability of our people in managing cybersecurity threats.

For example, achieving proficiencies, badges or points for performing in simulations and contributing to threat modelling and security routines should be introduced, just as you would introduce fire drills, evacuation processes and safety briefings in industrial settings like rigs and power plants.

Of course, your technical architecture can also help. The WannaCry virus affected so many users in part because of the flat nature of network architecture, which meant proliferation was fast.

The more complex and segmented your technical architecture is, the more it will act like fire doors that suppress the flames.

Legacy technology and platforms can also prove to be your most vulnerable point, especially if the operating system is no longer supported by the provider and security patches are not automatically installed.

Many businesses are potentially in need of not only a security manual but also a security version of an MOT.

Practically, you should be aware of all of your weaker points and potential threats, and the best way to start to secure your infrastructure is to tackle the threat that would have the biggest impact and work on that first.

You can then address the other, less vulnerable but still weaker points of your infrastructure in the future, through your culture, operations and technology lenses.

For example, simple elements like access to key areas of your technology infrastructure can be managed by layers of security privileges, multi-factor authentication on logins and the removal of old user accounts for ex-employees and contractors.

In summary

The 3 pillars of Culture, Operations and Technology need to be harmonised, regularised and on the minds of executives, business leaders, all employees and partners, who all need to be vigilant, confident and adept about their part to play in creating a secure operating environment.

Who thought that a compilation album from the 1980s would present itself as the headline for a post on a more aware and digitally secure way of being?

Perry Timms

MCIPD and FRSA

Chief Energy Officer – PTHR

4x Business School Adjunct Professor/Visiting Fellow

3x HR Most Influential Thinkers List

2x TEDx Speaker on the Future of Work

2x Published Author