When Code Spaces, a software collaboration company, closed its doors in June after an attack on its computer systems, it should have sent a shiver up the spine of any business that relies on computer systems and data to operate (Source: theregister.co.uk).
That’s all of us.
The company – a technologically savvy business – was brought to its knees by a denial of service attack which shut customers out, and an extortion attempt where the as-yet-unidentified attackers held the company’s data and computer access to ransom.
Code Spaces was not able to survive the onslaught; the cost of resolving the problem was greater than its ability to continue the business.
The question is, could your business be just as vulnerable?
Only by conducting a thorough business risk analysis, which takes into account all elements of the business supply chain, can an organisation identify potential technical and systemic vulnerabilities and hence know how best to protect itself.
The types of attack on information systems are becoming more complex, more targeted and more difficult to defend against. Even if you feel secure, an attack further up your business's supply chain could impact connected networks.
A global survey of IT and security managers in some of the world's leading utilities companies, released in July, found that only 17 per cent had fully deployed security systems capable of protecting their industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems – the very systems that control electricity, gas and water supplies. Yet 67 per cent had experienced a disruption or loss of confidential information in the previous year (Source: Ponemon Institute/Unisys).
The collapse of Code Spaces will have a relatively contained impact. If utilities are attacked, however, the electricity supply and critical infrastructure of entire regions could collapse.
An increasing number of attacks are being launched by sophisticated and well-trained individuals, who may be involved in organised crime or work for nation states. There is also mounting evidence of targeted attacks by overseas groups seeking to acquire intellectual property. The threat to start-ups is particularly acute: if someone stole IP and used it to get to market rapidly, the original IP developer's first-mover advantage would be lost.
It is critical that organisations take a sophisticated business risk management approach to protecting their systems and businesses. Simply installing a new firewall won’t cut it.
In any case, corporate data is often no longer stored in a single location. The advent of cloud computing and the increasing mobility of staff mean that company data is widely dispersed. What would happen to your business if your cloud computing provider suffered a denial of service attack? If one of your staff loses a tablet holding important blueprints, can that tablet be remotely wiped and disabled?
From a technical standpoint, the Federal Department of Communications’ Cloud Computing Regulatory Stocktake issued in May and the Australian Signals Directorate provide useful guidance when thinking about how to measure and manage cloud and technology risk.
But business needs to look beyond a set-and-forget technological response. Companies need to perform holistic and regular business risk analyses to assess threats and preparedness, extending to regular review of the organisation's training and HR policies and the contracts it has with suppliers.
Complacency is the killer, compounded by the challenge that technology professionals sometimes face when attempting to communicate to business professionals the extent and ramifications of cyber attacks. “It will never happen to us” is true until it does.
Businesses that harness well-designed and comprehensive risk frameworks to identify and quantify the business impact of losing access to critical information systems or essential services across the supply chain, or of having their data stolen or compromised, are better placed to attract the attention of senior executives and the board, who will ultimately wear the consequences of any lack of preparedness.
Some regulated sectors – for example those which fall under APRA’s aegis – are already keenly aware of the issue and obliged to perform regular risk analyses and system testing.
The March introduction of the new Australian Privacy Principles should also have lifted the issue of data security to board level: the fact that civil penalties of up to $1.7 million can now be imposed on companies that fail to fully comply with the new data protection laws tends to focus the mind.
That’s the stick.
The carrot is that a company which fully understands the risks can better prepare to tackle them, identify and plug vulnerabilities, test its preparedness, and potentially use that added security as a competitive edge.
After all, if your home is more secure than your neighbours’, then it is less likely you will get broken into.