Organisations need to look wider than hackers and disaffected employees if they are to manage cyber security effectively.
In this extract from his book on Cyber Security aimed at non-technical executives, TEISS head of consulting Jeremy Swinfen Green argues that organisations need to manage the threats from outsiders, insiders and, crucially, “inside-outers”.
Understanding where cyber risks arise and who can be responsible for them is essential if these risks are to be managed effectively. A holistic approach is needed here. Yes of course you will need to look at the organisation’s IT infrastructure. But you will also need to look at how your employees interact with that infrastructure. And you will need to examine how anyone else has (or could have) access to your organisation’s information systems – suppliers such as cleaners, and parts manufacturers, partner organisations such as marketing agencies and accountancy firms, ex-employees and customers.
In other words, cyber security processes need to deal with three types of people: outsiders, insiders and a set of people that we will call ‘inside-outers’.
Outsiders are people who don’t work for your organisation. These can be:
- Hackers who enjoy the challenge of breaking into your computer systems.
- Hacktivists who try to damage your organisation because they disagree with what it does.
- Criminals who are trying to steal information from you in order to sell it, or who perhaps are threatening you in an attempt to extract protection money.
- Unscrupulous competitors (or foreign governments) who are conducting industrial espionage.
These people can do several things to achieve their ends. They can install malicious software (‘malware’) that destroys your computer systems, perhaps by corrupting data or making your computers stop working. They can sneak in and steal your money, information or data. They can even start publishing false information on assets like your website or Twitter page, which can cause reputational damage.
Insiders are people who work for your organisation. Most insiders cause damage through carelessness, or perhaps simple naivety caused by the failure of your organisation to educate them about cyber risks. Perhaps they post information on LinkedIn that turns out to be of value to a competitor. Perhaps they lose their laptop and thus give strangers access to the confidential documents they are working on. Or perhaps they are fooled into sharing their username and password with a malicious outsider. The trusting nature of many people is one of the biggest cyber threats there is.
Not all ‘inside jobs’ are caused by carelessness or naivety. Sometimes employees are simply malicious and want to damage their employer or give a colleague a hard time. Perhaps they think they are about to be sacked (or they are planning to leave) so they steal data that might help them get a job with a competitor, slipping it out of the organisation on memory sticks, personal emails or private data stores such as Dropbox or Google Docs. Or perhaps (rather more unusually) they plant a ‘logic bomb’ in your network that will delete files or send out messages should their employment be terminated.
Another problem is the need to manage non-corporate networks. Cyber security tends to focus on the corporate network. But there may be networks other than your corporate network that have information about your organisation.
For instance, employees may, with or without permission, be using public services such as Dropbox to store corporate data. The risks here may be obvious in some cases: employees storing prospect lists outside the corporate network, for example.
Sometimes the risks may not be apparent. For instance, a list of Twitter followers may also include prospects and clients. There may be links to e-commerce sites on a corporate Facebook page. The corporate website will obviously contain information, and this may be non-compliant with industry regulations or with other regulations such as fair trading and data protection. A cyber security process needs to examine anywhere that corporate information (i.e. information about or owned by an organisation) can appear.
There is additionally a need to have robust processes to deal with ex-employees. Do they still have access to some or all of your organisation’s computer systems? This could be information they have on personal devices. It could be (and often is) access to your organisation’s social media accounts because no one has changed the password since they left. It could even be access to information held in the cloud or on third-party websites like Dropbox, again because no one has thought to deny them access.
Inside-outers are people who don’t work for your organisation but who have some connection with it. They could be people such as the employees of suppliers or partner companies who have some access to your networks.
It is really important to make sure your cyber security strategy considers all ‘inside-outers’. If you discover that it doesn’t, then you most certainly won’t be alone. Do your auditors have access to your IT systems? And how about your marketing agencies, or some of your more important suppliers? Of course you trust the people you deal with on a day-to-day basis. But how carefully do they manage access to your systems?
- Who has access to your systems? Just the people you deal with on a day-to-day basis, or all their colleagues, including temporary assistants and interns?
- Are your passwords ever shared by your trusted partner with their colleagues, perhaps when the person you normally work with goes on holiday?
- What sort of security precautions do your partner organisations take when recruiting new staff who might have access to your information systems? Is their employee training and communication around data protection and cyber risk management adequate?
- Are their technical cyber risk management processes adequate? Do they have robust cyber risk management policies and procedures?
- How physically secure are their offices?
- How much data are you allowing your partners to access and is this appropriate? For instance do you share complete customer data files (including bank details) with a printer when all that is needed is to share names and addresses?
- Do your partner organisations allow their employees to access your systems via home computers or mobile devices? If so how do they ensure these devices are secure?
- Have they had any previous instances of data loss or cyber damage? If so, how did they respond?
- Are they insured against cyber risk, and if they are would this give you any protection?
If you allow third parties to have access to your IT systems and information you will need to be confident that it is appropriate to do so. Some third parties may have their own independently audited certification and you may feel this is sufficient. Alternatively, depending on your appetite for risk, you may feel the necessity for further investigation through telephone interviews, questionnaires, documentation that describes processes, or even site visits.
Where third parties have no independent security certification you may also want to conduct your own auditing by asking a series of due diligence questions such as ‘Who is responsible for cyber security?’, ‘How is information protected within your organisation?’, ‘How is your cyber security policy shared with employees?’, and ‘How is the policy kept up to date?’
In each case you will probably want your contracts with third parties to reflect their duties to maintain confidentiality and cyber security.
In addition to an auditing process you should also consider how you will ensure that third parties comply with their claimed security processes. This may include spot visits, in-depth investigations of projects selected at random, exploration of near misses that almost resulted in cyber incidents, and interviews about how they plan to deal with emerging threats. And remember that a basic part of maintaining appropriate levels of security with third parties such as suppliers is communication. You will need to be happy that they will share any incidents or cyber security worries with you so that you can together take remedial action.