The majority of company executives say they are concerned that their appreciation of information security risks is insufficient, and they have no idea which countermeasures should be implemented in their organisation. Technology vendors tend to oversell the importance of the threats their products mitigate, while many other real risks go unmanaged – yet an even bigger issue is that even what seems like the most basic security control, such as making sure systems and applications are patched, is badly serviced.
This concern is only exacerbated by the rest of the security industry, where there is a habit of focusing on tools and shiny new technology rather than the fundamentals of good security practice and the discipline of risk management. Good practices, such as those proposed in the ASD’s Essential Eight, are not being done well. It’s time for CxOs to spend the time required to understand the problem and really challenge their staff to develop good security hygiene for their businesses; otherwise their security dollars won’t mean anything when their organisation becomes a target.
What’s the Problem?
The last five years have seen the information security conversation change considerably – even changing its name to the ubiquitously used ‘cyber’. Now, information security is discussed as a board agenda item, especially since many of the world’s largest brands have been hacked; names like Target, Sony, Ashley Madison, Equifax and Anthem, along with the local victims of cybercrime, like the Bureau of Meteorology, the Australian Bureau of Statistics and the Red Cross, have all been in the news for one reason or another. So, with all this media coverage, you would be forgiven for thinking we are dealing with a complicated, sophisticated threat that knows how to evade our modern cyber security systems. However, this is as far from reality as you might get. Most cyber criminals (nation states excluded) are largely petty criminals with little to no actual hacking ability. They may have bought the services of a hacker to develop some custom malware or hired a denial of service attack from a Russian gang, but at the end of the day, they are just the same old criminals we’ve always dealt with, only in a slightly different setting. The real reason they are not sophisticated, and don’t need to be, is that we generally don’t even get the basics right in our cyber defences.
Simple security controls, such as patching operating systems and applications, turn out to be really hard for most organisations to do well, which leads to a badly executed implementation or to the control being ignored altogether. Management make bad decisions when balancing running costs and operational up-time against the risks of not patching, either without understanding the risks or believing they won’t fall foul of the same threats that everyone else is being affected by. The question is, how can a business find the balance point that sits between keeping its systems safe and keeping the business running? Let’s consider this from a board perspective.
Investing in Cyber Defences
Hackers typically target vulnerabilities that are widely known about in the security community. In fact, most known vulnerabilities could be patched, since responsible disclosure from the security research community gives the vendors enough time to create the update before the vulnerability is made public. If you fall foul of an attack that uses one of these known vulnerabilities, it could have been avoided by applying the patch. Looking at the most recent spate of ransomware outbreaks, WannaCry and NotPetya, if organisations had patched the Windows vulnerability when the update was released, they would have prevented WannaCry from doing so much damage two months later. That is two full patch cycles from Microsoft, so the affected companies were at least 60 days behind in applying operating system patches.
However, most operational teams are stretched thin, almost to breaking point. They typically have an escalating workload, with digital transformation taking services into the cloud, hybrid architecture migrations, mobility, etc., all of which make operating ICT systems a hard task. But experienced operations managers know that the ‘keeping the lights on’ approach to services can only work for a short while: what was once a small crack soon develops into a crevasse, making it exponentially harder to fix.
The ASD published its Essential Eight: Strategies to Mitigate Cyber Security Incidents in February 2017, which highlights the top security controls that organisations can use to mitigate the vast majority of cyber-attacks – over 85%. Patching your operating systems and patching your applications are two of these fundamental mitigation strategies, along with restricting administrative privileges, disabling Office macros and taking a daily backup of your most important information. If your operations team focuses on keeping these controls updated and functional, most attacks will fail. Even ransomware such as WannaCry will fail, and if for some reason it does succeed, your backups can be used to recover your data.
How can the Board Help?
Executive directors and boards mustn’t ignore cyber risk or leave it to lower level managers or operational teams. However, they don’t need to get into the weeds to be effective; rather, they should require that their security managers and operational teams find a way to convey their concerns in language the board understands. The board should create a culture of open reporting, where risks and issues can be raised, especially if those risks could lead to a security incident. No executive wants their business in the media because of a data breach, so if cyber issues can be expressed in metrics that relate to the business context and explained as risk exposures against preconceived tolerance levels, the conversation will change to focusing on what’s important. Boards certainly do want to know if the business is at risk and will want to help address the issue if they understand its impact.
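The patch-lag argument above (the 60-day, two-patch-cycle gap before WannaCry) and the board-level idea of reporting exposure against a preconceived tolerance can be turned into a concrete metric. The following is an added example, not code from the original article or from the ASD; the host inventory, dates, 30-day patch cycle and 30-day tolerance are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PatchRecord:
    """One host and the most recent critical OS patch that applies to it."""
    host: str
    patch_released: date
    patch_applied: Optional[date]  # None = still unpatched

# Constructed sample inventory: three hosts, one critical patch released 1 March.
SAMPLE_INVENTORY = [
    PatchRecord("fileserver-01", date(2017, 3, 1), date(2017, 3, 7)),   # patched in 6 days
    PatchRecord("hr-app-01",     date(2017, 3, 1), None),               # never patched
    PatchRecord("kiosk-07",      date(2017, 3, 1), date(2017, 4, 15)),  # patched late
]
AS_OF = date(2017, 4, 30)  # constructed reporting date, 60 days after release

def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days the host stayed exposed after the patch was available, up to as_of."""
    if rec.patch_applied is not None and rec.patch_applied <= as_of:
        end = rec.patch_applied
    else:
        end = as_of  # unpatched (or patched only after the reporting date)
    return max((end - rec.patch_released).days, 0)

def board_summary(inventory, as_of: date, tolerance_days: int = 30,
                  cycle_days: int = 30) -> dict:
    """Roll per-host lag up into the kind of metrics a board can act on."""
    lags = {r.host: exposure_days(r, as_of) for r in inventory}
    breaches = {h: d for h, d in lags.items() if d > tolerance_days}
    worst = max(lags.values())
    return {
        "as_of": as_of.isoformat(),
        "tolerance_days": tolerance_days,
        "hosts": len(lags),
        "within_tolerance_pct": round(100 * (len(lags) - len(breaches)) / len(lags), 1),
        "worst_lag_days": worst,
        "cycles_behind": worst // cycle_days,  # vendor patch cycles missed by the worst host
        "breaches": breaches,
    }

if __name__ == "__main__":
    for key, value in board_summary(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
```

Reported this way, "two hosts outside a 30-day tolerance, worst host two patch cycles behind" is a risk exposure the board can weigh against up-time and cost, rather than a technical detail it never hears about.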
Even patching should be raised to the board if it’s a problem. If you have a bespoke application that requires you to hire a developer and spend money on an operational system to implement the updates, this is something the executives can make a decision on, rather than something they never learn about. No middle manager has the right to make these big decisions without escalating to the board, so the board needs to encourage this behaviour.
Summing it Up
There are a variety of cyber security controls you can use to make your business secure. Yet perceived pressure from executives (and middle managers) often forces operational teams to ignore even the most basic cyber hygiene – meaning the board only learns of the issues when the organisation suffers an attack. Boards should encourage open reporting and embrace the fact that some of their ICT budget needs to be spent on security. And the fact is, most will, as long as they understand what the money will be spent on.