Been compromised yet?

It is not if…it’s when.  Thanks to the increasing prevalence of IT use and utility in so many aspects of our lives and our increasing reliance on it, sadly we continue to see increasing levels of cyber threat.  Increased use and reliance present increased opportunity.

Cyber security is both a personal and a business issue.  However, it is the business aspect we are concerned about in this article. We look at what is happening, who in an organisation is responsible for cyber security, and some practical steps to protect your organisation.

What you need to know

  • The issue is big, continues to grow fast, and is potentially very disruptive and costly 

Malware, phishing and credential harvesting, ransomware, scams and fraud, unauthorised access and data breaches, and denial-of-service attacks are all regularly seen in New Zealand. Sadly, New Zealand’s honest and trusting business environment makes us a lucrative target for international hackers and bad actors.

Data from agencies such as CERT (our Computer Emergency Response Team, and a great resource on threats and practical advice: www.cert.govt.nz) shows an exponential level of growth in attacks.  COVID and people working remotely have provided more opportunity for attack and have exacerbated this growth.

Regarding disruption, ponder how well your organisation could work with no access to computers or phones.

  • Cyber risk affects your organisation

If you use IT at all then your organisation is at risk.

The media continues to report high-profile cases, usually of large, high-profile organisations.  Recent examples include the compromise of Waikato DHB’s systems and some of our major banks being offline for a couple of days due to attacks.  However, cyber security experts will tell you this issue is significantly under-reported in the media and impacts all sizes of organisation.

The natural human reaction to these is a sense of schadenfreude – that lovely German word meaning “pleasure derived by someone from another’s misfortune”.   We are initially shocked and “tut tut” and wonder why they didn’t have better systems.  However, another common human reaction after brief feelings of interest and concern is apathy.  We get back to being busy and concerns that this could happen to us diminish in our mental real estate.

Don’t succumb to this!  Your best protection is a realistic awareness that this can happen to you, together with taking action to prevent, prepare and plan your response.

  • Cyber security is an organisation issue and not an IT issue

Many people have a simplistic view that if the threat uses IT, then the solution must just be an IT one.   This is wrong. 

For any organisation to continue to be sustainable it needs an appropriate combination of people, processes, and technology.   IT is a tool, but it only operates within a wider organisation eco-system and takes people to run it.

It therefore needs attention starting at the highest level of any organisation.   It is firstly a strategic board issue.  Secondly, it is a core management operational issue, but it also requires buy-in and vigilance from everyone in an organisation if you are to remain safe. Hence it also becomes a cultural issue.

  • Nothing is static

Cyber security is not a once-only fix or cost.

There is wonderful innovation in technology every day.  Sadly, this includes innovation by malicious individuals looking to use IT to defraud or disrupt organisations. Awareness and keeping up to date is important, as is revisiting and refreshing your systems, plans and processes when appropriate.

What you should do

It is useful to think of cyber security in 3 areas:

  • Protection
  • Detection
  • Response and recovery

IT experts often suggest, as a rule of thumb, that both your cyber security effort and ongoing budgeted spend should be evenly spread across these 3 areas. Traditionally this has been greatly skewed towards protection in most organisations. This needs to change.

Only some of these areas include actual IT solutions. Awareness and understanding of likely threats, what assets you should be trying to protect, regular training, and a practical plan that can be implemented when issues occur are all essential ongoing factors in a good cyber security system.

Rather than being able to keep every threat out (an increasingly impossible aim), speed of detection of a breach has become increasingly important. This then allows a prompt response.

Have a plan.  Then when the inevitable happens you have a clear process to work through to hopefully minimise disruption to your organisation.

We also subscribe to the view:  “It is better to be prepared for a risk that doesn’t eventuate than to suffer it and not be ready.”

  1. Keep up to date and raise awareness – Ensure you have good systems for remaining aware of what is happening and of changes that may impact the sustainability of your operations.   Signing up to updates from organisations like CERT is a simple, advisable step.  Ensure you have access to experts in the area, and keep in touch with them and your technology suppliers for updates.
  2. It’s a team game – All your team will use IT and are part of your organisation’s processes and systems.  Good cyber security should include all your team being aware of the risks, and your organisation’s policies and protections.  Thorough induction, good policies and processes and regular training are key.

Parting thought

As a cyber security colleague of ours says, “Any computer that is turned on is a potential cyber security risk.” 

No organisation is immune from cyber threats.  However, as with any significant risk, the key to organisational sustainability is an appropriate identification and awareness of cyber security threats, and then the subsequent ongoing management of them.