Six step plan defends corporate Achilles heel

16 September 2014

Marc Tapping

If there’s one key question that business leaders should ask themselves it’s ‘What system, if it stopped working tomorrow, would cause me to turn off the lights, shut the door and hand the keys back?’

That’s your Achilles heel.

In June, CodeSpaces, a US business that had hosted software code in Amazon’s cloud, had its Achilles heel penetrated when it was targeted by a distributed denial-of-service attack. The company didn’t pay a ransom demand to the malicious hackers, but nor could it rely on recovery of the business through the use of its backup systems – they too were online and had been compromised.

In a matter of hours a malicious act brought CodeSpaces – a tech-savvy business – to its knees.

A number of the organisations I have worked with over the years have had a very poor, sometimes bordering on negligent, attitude to information security and related risks. They have managed to get away with it to date, which, in the minds of the organisation’s management, reinforced their approach. This approach relies completely on luck – and some companies do benefit from luck, but CodeSpaces demonstrated just how quickly luck runs out if a business is targeted.

Just recently we performed an information security and risk assessment for an Australian-based organisation. The organisation had passed over sensitive data to a third party, which was developing an internet-facing service for them. This was done in the absence of any ongoing contract or confidentiality agreement between the organisations; there was no validation of police checks or staff vetting for employees of the third party; there were also no controls imposed on where and how data would be stored or used. The business approach was just to make it happen.

Providing a third party with your data extends the risks to the business. Those risks should be assessed beforehand and appropriate measures put in place to provide protection against a rogue employee, a network breach or something less sinister, such as a test environment being mistakenly published on the internet, because the ramifications of such events can prove catastrophic.

I acknowledge that I take a very strict approach to keeping data safe – that’s my job and that is what my clients expect. This approach extends to my family’s data. Like many home users, we are heavy users of internet services such as TV streaming, Spotify and iTunes in addition to our ‘computer-based’ usage. Given all of this internet activity, I still ensure that there are adequate controls in place so, for example, there is no remote access.

My home security is designed to reflect an assessment of what’s important to us. The risk of losing valuable items (credit card information) and memories (movies and photos) is too great. One of the things I do is keep photos and movies isolated from the internet and take backup copies of data to a relative’s house on a periodic basis.

In just the same way, businesses need to understand what is vital to them, what can’t be replaced. And this is a job for the business – it can’t be abdicated to IT.

One of the problems is that business leaders expect IT to handle the issue of security; however, IT does not always possess an appreciation of the organisation and what information is valuable and why. This information is often well understood by business leaders, who understand the regulatory or legal landscape and competitive pressures. For example, IT might not know that the reason a financially regulated firm needs to protect client data is that APRA may suspend the organisation’s licence if there is a material breach, or understand why customer credit card details cannot be stored in an unprotected format.

I recently went on holiday to London with my family and we went to the Tower of London. The Crown Jewels – the most important things there – are kept beyond the moat, within the castle walls, inside the high-security Jewel House, which keeps visitors under control by standing them on a moving walkway surrounded by guards. I’m backing that there is a nice insurance policy associated with them as well.

There is a very real need to balance security controls. The Crown Jewels can be seen by the public and are used on special occasions, but are securely stored at other times. In the same way, businesses need to work out how to protect their key systems while still allowing them to be used to run the business efficiently. It starts with identification: if you don’t know what you rely upon, how can you possibly protect it?

From a practical perspective there are six critical steps that businesses need to take to determine which systems are critical for their success and how best to protect them.

  • Step one: You have to get the right level of buy-in from the top – board-level sponsorship. If the CEO turns up to the discussion then everyone turns up. If you start with IT then the risk is that the issue won’t receive proper levels of attention.
  • Step two: You are looking to achieve business continuity – this requires input and insight from the CEO (or designate), CIO or CSO, plus key individuals from marketing, legal risk, compliance and business operations depending on the focus of the business.
  • Step three: Hold a meeting that concentrates purely on this issue, and hence is able to identify what is important. Have that facilitated by an independent consultant who can strip away the politics; someone to play devil’s advocate and take a different perspective in order to help identify the corporate ‘crown jewels’. Someone who has experience in this area.
  • Step four: Create a risk register and prioritise the risks and remediation activities. Some risks may need to be identified and dealt with pretty quickly. The risk register needs to be owned at a high level and brought to the attention of the board.
  • Step five: Create an action plan that will help a business navigate and manage the risks on the risk register and identify the owners of individual issues, establish accountability and report back to the board.
  • Step six: Repeat. The speed at which business and regulation change means that the risk register should be reviewed at least bi-annually and possibly quarterly.

Remember, the security controls need to be tested. Regularly assess what you are doing, how you are doing it and if these precautions match the risk. If you don’t have the experience or skills within your team then engage them from reputable sources.

Remember, the name of the game is to keep your hands on your crown jewels, and others’ off them.

Marc Tapping is a senior manager in BDO’s technology advisory group.