by Steve Durbin, Global Vice President, Information Security Forum www.securityforum.org
The adoption of information technology varies widely across the legal profession. Some firms are at the leading edge in their use of things like smartphones, tablets, social media and cloud computing, while others see no reason to move on from their Windows 95-based software. But wherever you are on the scale, one thing is for certain: the range and severity of threats from cyberspace are growing daily, and the adoption of new ways of working and ‘consumer’ technologies are making cyber security an even more complex and challenging area.
Cyberspace has entered virtually every aspect of our daily business and personal lives. On the plus side, this has brought enormous opportunities and benefits through increased innovation, collaboration, productivity, competitiveness and customer engagement. On the downside, we face an ever-growing variety and frequency of threats from ‘malspace’ – an online environment inhabited by hacker groups, criminal organisations and espionage units.
At the same time, we are seeing a growing trend towards bringing consumer-oriented devices and social networking behaviour into the workplace – especially with the rise of the ‘Millennial’ (or ‘Generation Y’) workforce – which open up new channels for hackers and criminals to target companies in new ways.
BYOD opening the door
People started asking for permission to use their personal mobile devices for work – so-called ‘Bring Your Own Device’ (BYOD) – some time ago, but the rapid adoption of smartphones and tablets has seen this trend accelerate over the past couple of years.
Consumer-oriented devices such as netbooks, smartphones and tablets are becoming more affordable, more powerful and better connected. In many ways, the capabilities and convenience of these devices have already surpassed those of the laptops and PDAs traditionally offered by organisations.
This trend will only establish itself more firmly in the future as attractive new devices hit the market and the distinction between home and office working becomes increasingly blurred.
We are increasingly using our own devices for more than just email access, and are connecting them directly to internal information resources. By bringing these devices into the company’s ‘safe zone’, we are also opening up new channels of attack and placing potential new malware hosts inside the ‘firewall’.
If not managed correctly, the use of consumer devices for business could potentially take them completely out of the control of companies, and it may take some time – and possibly new technologies – before the confidentiality, integrity and availability of business information are protected to an acceptable standard.
Completely prohibiting the use of consumer-oriented devices for work is unlikely to be practical, let alone successful. We need to consider how to manage the risks while enjoying the benefits of this trend.
Social networking: the enemy within?
Social networking sites are now hugely popular and global in scale – Facebook alone has more than 500 million active users – and they are a growing aspect of work life.
Among the family, friends and business contacts who people connect to through social networking sites, there are many kinds of stakeholder relationships that involve a wide variety of ‘social’ and ‘networking’ interactions and information exchanges.
Among these, there will be criminals looking for information they can use to their advantage. This may be information that could be used for identify theft, hijacking of accounts and extortion. Old scams – like the Nigerian ‘419’ scam – find new life within the social network. Scams such as the ‘Help, I’ve been robbed!’ scam are new and improved versions, with added credibility – especially when they apparently come from people we are connected to on social networks.
Ultimately, information entering these sites is uncontrolled – even if employees use their privacy settings and restrict access to their friends, they have no control over what others choose to do with the information that they can see.
Once information enters the domain of the social network it is almost certain that it will exist forever, and something that can appear innocuous – for example, “I am at a conference on outsourcing” – can result in unintended consequences, such as “Wow, we are all being made redundant!”.
Even trivial information can have value and, when even trivial information is set free into the Web then it can morph in ways that cannot be foreseen. A classic example is the (now retired) site pleaserobme.com which simply trawled social networking sites to compile a list of when people were on holiday and ‘available’ for a robbery.
Technology will of course have a role to play in tackling the rise of cyber threats, exacerbated by the trend towards BYOD and consumerisation and the use of social networking in the work environment. But more important than this are initiatives that engender a security-positive environment across the firm.
Many organisations run security awareness campaigns and spend significant sums on educating, informing and ultimately attempting to change staff behaviour so that it is ‘security positive’. The aim is to ensure that everyone thinks and behaves in a way that prevents important information from being compromised or disclosed to unauthorised individuals.
Historically, most awareness-raising efforts have been focused on the content of messages (that is, knowledge transfer), resulting in ever more inventive computer-based training, improved poster campaigns and more engaging films. Evidence from ISF Members suggests that, while they are superficially impressive, these methods leave only a fleeting impression and typically fail to change people’s behaviour in the long term.
There needs to be greater emphasis on fostering the exchange of information security messages that are meaningful at a local and personal level and that are practical, easy to understand and regularly reinforced.
The creation of a security-positive environment requires effective communication about information security in the workplace: this is where staff handle information and where the risk of incident is high. The role of the security practitioner is to support this process by helping to develop forums that allow local staff to discuss information security and its effect on their work, effectiveness and success.
This process should lead to the widespread conclusion that bad security is bad for business and that everyone needs to take responsibility for how they handle information.
As so much depends on how staff handle information it is essential that they are empowered to take a more active role in information security. Security practitioners should give responsibility for information security back to the business.
Cyber threats are not just an issue for the information security function: they require the involvement of every discipline within the firm. A coordinated, collaborative approach is needed, lead by senior practice leaders – preferably the partners. Organisations need to coordinate with customers, suppliers, investors, the media and other stakeholders, to build resilience that allows the organisation to prepare for events that are impossible to predict.
This means assembling multidisciplinary teams from practices and functions across the firm, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly – at the speed of a tweet – to an incident by communicating with all parts of the organisation, individuals who might have been compromised, regulators and other stakeholders who might be affected.
One fundamental component of cyber resilience is a governance framework with board-level buy-in for monitoring cyber activities – including monitoring collaboration with business partners, and the risks and obligations in cyber space. Organisations need to have a process for analysing, gathering and sharing cyber intelligence with stakeholders. They also need a process for assessing and adjusting their resilience to the impacts from past, present and future cyberspace activity.
Furthermore, organisations should apply the same partnering approach internally; sharing knowledge and best practice across different groups.
In addition, we need to extend risk management focus from pure information confidentiality, integrity and availability (CIA) to include other risks, such as those to reputation and customer channels, and recognise the unintended business consequences from activity in cyberspace.
It is not enough to establish cyber security alone. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Organisations must extend risk management to include risk resilience, in order to manage, respond and mitigate any negative impacts of cyberspace activity.
Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognises the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organisations will be subject to cyber attacks regardless of best efforts to protect themselves.
Above all, cyber resilience is about ensuring the sustainability and success of an organisation, even when it has been subjected to the almost-inevitable attack.
To help organisations identify and plan for the increasing range of cyber threats in today’s interconnected, always-on world, the ISF’s Threat Horizon 2014: Managing Risks When Threats Collide report provides a forward-looking overview of security risks, likely business impacts and practical, business-oriented action plans. An executive summary of the report is available on the ISF website, and the full report is available to non-Members for purchase from the ISF’s online store at: https://store.securityforum.org/shop/
by Steve Durbin, Global Vice President, Information Security Forum www.securityforum.org