
Cyber Security – Don’t Be Tomorrow’s Front Page News

It’s all too easy to relax your stance on combatting cyber threats, but in truth every organisation is at risk. Larger attacks are front page news for the media, but small and medium-sized businesses are prime targets.

A PWC survey found that companies with revenues under £50m actually cut security spending by 20% in 2014, compared to a 5% increase in security investments by larger companies – making smaller organisations an attractive prospect for hackers. It may just be a case of haggling with suppliers to save the difference in costs, or surveying the market for a better and more secure solution at a lower cost, but you cannot lower your vigilance.

With the spate of recent high-profile security breaches, it seems all too easy to gain access to the most seemingly secure organisations, to which we entrust our most personal data. Unfortunately, it’s not until an organisation suffers a serious breach that we find out how lax and un-regimented its security protocols were, such as storing our passwords and data in unencrypted files or as clear text.
How many other well-known organisations are still doing this with our data and hoping every day that they are not the next name in the media gaze after suffering a major breach? With organised crime now clearly targeting cyber crime as a substantial revenue stream, the number and complexity of breaches is escalating rapidly and will continue to do so.

The cost of a serious breach can be financially severe but, more importantly, can be catastrophic to your commercial reputation, with many organisations failing ever to recover, often with further reputational damage inflicted through poor handling of the aftermath. I’m a great believer in all boards having a technology subcommittee to question and guide on technology issues, just as all boards have audit, remuneration and other committees.

To prevent your organisation being susceptible to cyber attack you must institutionalise your vigilance and make certain that your policies are well documented and clearly understood by everyone from the mail room to the boardroom (security should already be high up on your board’s agenda).
It is imperative that everyone feels a sense of responsibility, is motivated to adhere to your policies and is able to accept responsibility on an individual level.
It also means tightly integrating security into your corporate strategy rather than trying to shoehorn it in at a later stage, where it may be compromised or not fully engaged with.

Simple things like passwords are still one of the easiest measures to tighten up. They have long been a thorn in the side of any organisation, with many users choosing easily cracked, often generic passwords and reusing them across multiple services.
Going forward, biometrics may resolve a large proportion of password issues, and the cost of implementation will fall over time. Biometrics are seen as the next evolutionary stage of managing personal security, with sectors like banking currently looking to implement fingerprint technology into your future debit and credit cards to add a further, deliberate layer of security.

The truth is that many companies may not even know they have been hacked or their security probed until a ‘back door’ is found and exploited well after the attack(s) have taken place. This is a scary scenario, and one that shows serious lapses in security practices which are ripe for exploitation by those so inclined.

So, to reiterate: make sure your security practices and policies are well documented and clearly understood, with everyone motivated and as vigilant as possible to ensure they are adhered to at all times.
After all, you don’t want to be tomorrow’s front page news!

This post has also been featured on the HP Business Value Exchange.


Water Will Always Find a Way

Just as water will always find a way through or around any obstacle, people will always find a way around any security measures you seek to implement.
You may think you have devised the most foolproof method of managing your data, but as soon as you implement it and ride out the first wave of direct (and often blunt) feedback, people will start beavering away on ways to get around your processes.

Anybody who thinks otherwise is only fooling themselves and will be rudely awakened when a security or other serious data breach occurs.

The best way to remedy this, and to eliminate it as far as you can, is to create and reinforce an educational programme that informs people of the reasons why you have to implement these policies, rather than simply labouring the pitfalls of not adhering to them.
As time-consuming and labour-intensive as it sounds, a period of open discussion and feedback sessions before drawing up your policies will alleviate some of the staff objections and generate an enormous amount of goodwill.

Everybody appreciates that there needs to be some level of security, especially in heavily regulated or security-conscious industries, but nobody appreciates dictatorship levels of oppression when they are not completely necessary.
Simply saying it’s a disciplinary offence not to adhere to these policies, without explaining them thoroughly first or taking objections on board, will alienate you from the very people you are trying to protect.

We’ve all been asked by staff across the organisation whether they can use third-party file sharing services like Dropbox to share data, and have had to refuse them on security grounds.
We all know they use these services anyway (and you probably do as well), and trying to implement an internal, secure enterprise version of a similar technology is very time-consuming to manage and expensive, not to mention extremely difficult to secure.

Smaller companies with less advanced infrastructure will often use third-party file sharing services as a low-cost and logical extension to their infrastructure.
The security risk to their IPR is no less than that faced by larger corporates, but they thrive on the nimbleness and agility that using these services gives their businesses.
When new individuals join your organisation from these smaller and more agile businesses, through acquisition or organic growth, they will quickly challenge any seemingly draconian procedures you have in place. They will argue that these procedures stifle their agility and productivity, with the very valid point that they are often brought in precisely to disrupt your existing business by working in the way they need to.

We need to take on board these new types of people and the roles they perform, adapting the necessary rules and procedures to allow them to go about their business rather than stifling them with regulation.
This is challenging and a bit scary, but as long as your security is not diluted too far, adapting to incorporate these new roles and working practices will show your willingness to change and adapt, and will not go unnoticed across the organisation.
In the new arena of change and disruption, those who adapt will thrive, and those that don’t… well, you know how that story ends.

This piece has also been posted on:
The Business Value Exchange in my position as CIO ‘Thought Leader’ and Featured Contributor
The Intel IT Peer Network in my position as IT Industry ‘Thought Leader’ and Featured Blogger
Outsource Magazine in my position as IT Industry ‘Thought Leader’ and Featured Columnist
