Home >Cultural change

Cultural change

14 October 2019

There will be a huge increase in connected devices so it's more important than ever to ensure that you have effective security, says Philip Ingram MBE, who recognises that culture and leadership play their part.

CONNECTIVIY, CONNECTED devices, network enabled, gone are the days when these terms were not in the lexicon of every security professional. They should be added to by digital footprint, digital exposure, digital vulnerability, the digital battle, messaging, encryption and even fake news, but that is a whole other article.

As connectivity increases, and boy is it increasing, Gartner estimates that more than 25 billion connected devices will be utilised by 2020 in the revolution that is referred to as the Internet of Things, does this really pose a threat? Is this not something that is dealt with by the cyber security geeks, why should we worry?

When I look at the digital world, I see it no differently to that of the physical world, it is just a different domain and for the life of me I have difficulty understanding why people behave so differently in the digital than physical world. 

An action that is seen as a cyber incident starts in the physical world with someone clicking something with their finger, their digit, whether that something is sent, launching a malicious cyber-attack, or on a link sent from an account you think you know or something else. It all starts with a digit physically clicking a physical device. It is that one of ten digits, used to click things, that is the most vulnerable piece of the ‘digit’al threat landscape. 

The effect is then seen in the physical world, the panic when a bank account is emptied by criminals, the panic is physical. The effect when a hospital patient can’t get a diagnostic test because a virus has encrypted the control mechanisms, a physical effect. It is merely the transmission route that is digital. 

Like anything in the physical world, you lock your valuables in appropriate containers, you restrict the access people have to certain areas for certain people only, you put doors and access control points in different places, you put a fence around your property that supplements the doors, you close windows, you close curtains and blinds and then, you undo all of that by exposing everything in social media, because on line is different. 

Understand the threat

The simple rule is online is no different! You shouldn’t do anything online or with online visibility or say anything that you would not be prepared and confident to do in front of the same audience in the physical world. If connectivity is that important (and it probably is in today’s society) then it is essential that you understand the threat and have the digital equivalent of all of the physical security measures, you find normal.

So, who are the threat actors, what are the threats and what motivates people to attack vulnerable networks and what networks and devices are they after? Essentially there are seven types of threat actor and these can be defined as, Nation State, Non-Nation State, State Sponsored, Terror Organisations, Hacktivists, Criminals and accidental. 

Even though the Nation State actor sounds very “Enemy of the State” like, few people realise that some country’s intelligence machinery do have an interest in small companies, in people with connections, in innovations. It may not necessarily be what you have on your network that they are interested in, but it may be a customer of yours or another connection or a connections connection. Nation State intelligence activities will go down to the lowest levels, the individual and individual devices, if they need to, you could be a target.

Last year Microsoft identified that more than 8,000 of its enterprise customers had been targeted by nation-state hackers. 

Non-Nation State actors are large transnational organisations that are not necessarily country specific but have a global influence and power. They can include lobbying groups and more. State Sponsored is where a state contracts another country or a criminal network to carry out attacks on their behalf; this type of attack is more common than you might think. 

The threat of Cyber terror although real has not really materialised in a huge way. So called ISIS had a strong cyber arm called the United Cyber Caliphate that was destroyed by allied air attacks in Iraq and Syria as well as targeted offensive cyber operations from the UK and US amongst others. However, it has been replaced by a new organisation called the Cyber Caliphate Shield and they boast of their hacking abilities in encrypted closed forums. 

Hacktivists, out to cause disruption and mischief and criminals, out to steal personal data and money are probably the largest percentage of cyber actors as the financial rewards can be huge. Organised crime is involved in in both and you should be aware that Europol estimate there are 5,000 Organised Crime Groups they are investigating. However, the most common threat to any network is that caused by an accident. Usually someone doing something they shouldn’t but for sound reasons. The cause tends to be cultural or training related. 

All of these actors can use the same attack vectors, and these include Malware, DDOS (Distributed Denial of Service), Phishing (including Spear Phishing and Whale Phishing), SQL Injection, Man in the Middle, Cross Site Scripting and Password attacks. The best way to keep up with the latest attack types and how to counter them is to read the annual reports from the liked of Mandiant and to subscribe to updates from the National Cyber Security Centre (NCSC). 

The reasons why attacks occur will allow any potential victim to try and work out their vulnerability. Attacks are generally for political or military gain, data or information theft, disruption, financial gain or are ideological for example an animal rights group (non-state actor) attacking a drug research company. Data or information could range from personal and financial data (remember if any personally identifiable data has been compromised then it is likely you have suffered a GDPR breach) or intellectual property or business intelligence. 

It is not uncommon that when a member of staff leaves once role, whether amicably or under less amicable circumstances, that they take business related data with them. 

So how to mitigate the risk? One thing to realise is that like a determined, well trained, resourced and experienced burglar, if they want to get into your property, they will. Fortunately, there are few who meet those criteria but the best way to suggest they find a different route to getting that they want is by having good basic security capabilities in place. 

Lead from the top

This must start with a culture, the culture that security, including cyber security is everyone responsibility and not just the IT department. That culture must be led from the top and have no exceptions. In a report cited in ‘Information Age,’ it stated that, “Globally, 40% of companies cited their c-level employees, including the CEO, as their highest cyber security risk.”

Key to getting that culture right is to have good basic security awareness and training and a security minded culture. Teach people what phishing attacks look like and how to recognise them before the digital mistake of clicking on a malicious link happens. It is easy to get software to monitor networks, look for threat actors and threat vectors, even automatically deal with anything nasty inside the system but that software doesn’t extend into the workforce. How do you digitally immunise them? It is through education and culture. 

Once you get your culture right then it is worth investing in your networks but one without the other will leave any business vulnerable. The most important thing on any network is to ensure all of the software including most importantly operating systems are kept up to date with the latest vulnerability patches and updates. WannaCry and Not Petya were hugely successful because they attacked via vectors that if they had been updated and patched properly, the impact of the attack would have been greatly reduced. The Department of Health and Social Care (DHSC) estimated that the WannaCry attack of 2017 cost the NNS £92 Million in direct costs and lost output. The shipping giant Maersk estimated the cost of the 2017 NotPetya attack for it was $300 million. 

The key to staying safe in the cyber environment is to think of it holistically with the physical environment, identify the risks and threats in the same way and mitigate them using the same principals. Do the basic things well and correct all of the time with a culture of positive ownership of security responsibility by all and you will make it difficult for anyone to get into your systems.

If the risk form lost business, lost reputation, stolen intellectual property were not enough the potential fines under GDPR should ensure that C suite oversight of security, including cyber security is something on every board meeting agenda. The greatest difficulty is the measurement of success is that nothing happens, and senior management needs to realise that that the cost of something happening, could be catastrophic. 

With the explosion of IoT devices and interconnected gadgets carried by everyone today, the threat landscape is growing exponentially. The basics cost very little to implement and good leadership to maintain. Cyber security is as much a leadership and cultural issue as it is technical solution.

Philip Ingram MBE is group head of content at Nineteen Group