Dave Daly, Global Head of Consultancy
I had the pleasure of representing Dionach at Bloomberg-Talis Capital’s Cyber Security and Insurance Event (#TalisCyber2015) yesterday (27th October 2015) as part of the panel discussing the “Customer and Forensic Expert Perspective on Cyber Security Products”.
One of the discussion topics was the possibility that, as an industry, we are vulnerable to being dazzled by new technologies, distracted by future trends, and overwhelmed by threat intelligence and security analytics data. In doing so, we are in danger of losing sight of the fundamentals of cyber security.
A key point that cannot be ignored is that data breaches are being reported in the media widely and frequently. Recent examples include the following.
On 2nd September 2015 the Independent reported, “Dozens of customers’ private details sent to others via mass emails”. WHSmith confirmed this was the result of a bug in their online contact form, which caused emails to be copied to other customers, rather than the result of a security breach.
On 10th September 2015, City A.M. reported, “Thousands of Lloyds Premier Bank customers using Royal Sun Alliance emergency cover have had their data “stolen” in security breach”. RSA’s initial investigation into the breach suggested that a data storage device had been stolen from one of their data centres, and RSA offered two years’ worth of identity protection to reassure affected customers.
https://www.cityam.com/224053/lloyds-bank-customers-data-stolen
On 1st October 2015, The Register reported, “Experian had lost at least 15 million records”. Initial reports indicated the records had been stolen by persons unknown, and included details on T-Mobile contract applicants between 1st September 2013 and 16th September 2015. Further details on this breach have been widely reported in the media.
https://www.theregister.co.uk/2015/10/02/experian_t_mobile_breach_analysis/
Please note these examples are not a definitive list, nor an endorsement of any media or news organisation.
If there is one message to take away, it is that companies are going about Cyber Security in the wrong way; they are investing limited money and resources in the wrong places. While forensic investigations, enforced compliance, additional vulnerability analysis, and more highly qualified security professionals all have their place, they are only effective if the following question is considered carefully and answered first.
What are we trying to achieve?
A deceptively simple question, but the answer is less so. At the heart of this question is the formulation of a defined Cyber Security strategy that has support, sponsorship and buy-in at Board level. The key points to address are:
- Identify your security objectives;
- Decide what you are prepared to do and invest;
- Decide what you are prepared to accept as an intrinsic risk of doing business;
- Determine how you will track your course;
- Implement effective information governance.
Once these points are in place, the next step is to implement an effective information security management framework. There are a number of models that can be applied, with different regions and industry sectors preferring particular standards, but a popular option is the international standard for information security management systems, ISO 27001:2013.
Once these fundamental processes are in place, it becomes considerably clearer where to spend limited budgets to maximise the return on investment from Cyber Security solutions. The increased resilience of the company will help the bottom line over the lifetime of the business, and the cultural embedding of Cyber Security is something that marks out a true market leader.