
Cybersecurity Strategy Series – Part 2: Options for an Effective Cybersecurity Strategy

In your house you have various rooms that let you enjoy a high-quality life, each one offering you some cherished functionality: kitchen, dining, billiard, study, library, fitness, music, sleeping …

Now, should you wish to protect your property from unwanted intrusions, suitable technologies exist and apply, such as intrusion alert sensors and remotely-managed video surveillance, which neatly apply to the entire physical perimeter of your property.

Similar to your house, your organisation is most likely structured in functional units, each one offering a specialised service. Similar to your house, defence was traditionally applied to the entire organisational perimeter, on the assumption that the external perimeter enclosed all relevant assets, both in the physical and in the cyber world. Solutions like firewalls, for instance, aim to detect malicious behaviours and contents at the “cyber border” of the organisation, whatever that may be.

What if you were an art collector? Your most valuable assets, period paintings as it were, are likely to be scattered around your property, and doubtlessly command extra monitoring and more sophisticated protection devices. These valuables are likely to substantially increase your security bill, forcing you to decide what paintings are worth the extra disbursement. When your security budget is limited, you must categorise the items to protect by their relevance. As a knowledgeable art collector, you will know which is which.

A similar situation holds true for the vast majority of organisations, which are complex structures that host valuable assets. Yet, unlike the art collector, they are rarely able to appreciate to the fullest the true value associated with their data. If I wish to steal your latest R&D findings I can target your research data. Better still, if I wish to seriously harm your business, I can tamper with your R&D data … or even modify or disrupt your manufacturing processes by acting upon your Supervisory Control and Data Acquisition (SCADA) devices and networks, which is very much like substituting a real painting in your collection with a copy. However, while the odds of an art collector recognising the fake painting are very high, the same does not hold true in business. The odds of an organisation recognising sophisticated malicious attacks, as they happen, are minimal. In general, breach awareness is significantly delayed, as cyber-warfare objects can stay dormant or evolve slowly over a long period of time before carrying out their intended mission, and then perhaps exit the stage with a final act of self-destruction, leaving behind no footprint or evidence whatsoever.

In fact, things tend to become a tad more complex, and nastier, in the case of a business. While a house stays a house, and its perimeter is an evident, irrefutable physical entity, the very concept of the perimeter fades away in the case of modern businesses, which more and more become borderless and hybrid organisations: complex networks in which what falls “within” or “without” the perimeter is uncertain, blurred or simply undefined, because the very concept of a perimeter loses weight or becomes plain meaningless. Furthermore, data value largely depends on the context of the business processes in which the data is produced, analysed, edited, posted, dispatched, etc. As modern, sophisticated malware is likely to operate in a process context, no perimeter defence can do the job of protecting one’s data from, say, an insider’s attack. In a perimeter-less situation, the only possibility of success relies on adopting a portfolio of varied, well-focused and adaptive security measures. Please, do note: measures, not simply technologies.

A baseline measure you must take is assuming by default that your defences can be breached. So, what you really need to start with are well-defined, clear governance guidelines and rules that dictate what, in your case, correct behaviours are. Technology can then be adopted that reports immediately on any discrepancy or non-adherence to such rules.
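To make the “rules first, then technology that reports non-adherence” point concrete, here is an added example (not code from the original article or its author) in Python. It assumes a constructed asset census with three sensitivity tiers, a constructed set of governance rules (which roles may touch which tier, from which network zone, during which hours) and a handful of constructed access-log lines; the checker reports every event that deviates from the rules, including access to an asset that was never classified at all.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed asset census: asset name -> sensitivity tier (hypothetical values)
ASSET_TIERS = {
    "crm-db": "internal",
    "rd-results": "confidential",
    "plant-scada": "critical",
}


@dataclass(frozen=True)
class Rule:
    """A governance rule for one sensitivity tier (constructed for this example)."""
    allowed_roles: frozenset
    allowed_zones: frozenset
    hours: tuple  # (start_hour, end_hour): access allowed when start <= hour < end


# Constructed rules: the more valuable the asset, the narrower the permitted context
RULES = {
    "internal": Rule(frozenset({"staff", "researcher", "engineer", "admin"}),
                     frozenset({"office", "vpn"}), (0, 24)),
    "confidential": Rule(frozenset({"researcher", "admin"}),
                         frozenset({"office"}), (7, 20)),
    "critical": Rule(frozenset({"engineer"}),
                     frozenset({"ot-network"}), (6, 22)),
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    zone: str
    asset: str
    action: str


def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> key=value key=value ...'."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return AccessEvent(datetime.fromisoformat(ts_text), fields["user"], fields["role"],
                       fields["zone"], fields["asset"], fields["action"])


def check_event(event, tiers=ASSET_TIERS, rules=RULES):
    """Return the list of rule violations for one event (empty when it adheres)."""
    tier = tiers.get(event.asset)
    if tier is None:
        # An unclassified asset is itself a governance gap: nobody decided how to protect it
        return ["asset not in census"]
    rule = rules[tier]
    violations = []
    if event.role not in rule.allowed_roles:
        violations.append(f"role {event.role} not permitted for tier {tier}")
    if event.zone not in rule.allowed_zones:
        violations.append(f"zone {event.zone} not permitted for tier {tier}")
    start, end = rule.hours
    if not start <= event.ts.hour < end:
        violations.append(f"hour {event.ts.hour:02d} outside {start:02d}-{end:02d} window")
    return violations


def audit(lines):
    """Report (user, asset, violations) for every non-adherent event, in log order."""
    findings = []
    for line in lines:
        event = parse_line(line)
        violations = check_event(event)
        if violations:
            findings.append((event.user, event.asset, violations))
    return findings


# Constructed sample log lines
SAMPLE_LOG = [
    "2024-03-04T09:15:02 user=alice role=researcher zone=office asset=rd-results action=read",
    "2024-03-04T23:40:11 user=bob role=staff zone=vpn asset=rd-results action=write",
    "2024-03-04T10:02:45 user=carol role=engineer zone=ot-network asset=plant-scada action=write",
    "2024-03-04T10:05:00 user=dave role=admin zone=office asset=plant-scada action=write",
    "2024-03-04T11:00:00 user=erin role=staff zone=office asset=hr-archive action=read",
]

if __name__ == "__main__":
    for user, asset, violations in audit(SAMPLE_LOG):
        print(f"{user} -> {asset}: " + "; ".join(violations))
```

The rules, not the tool, carry the decision about what is acceptable; the code only makes deviation visible. Note that the last finding flags an asset that was never classified, which is the situation the article warns about: an organisation that has not taken the census of its valuable data cannot tell whether access to it was legitimate.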

The preceding observation about processes leads me to introduce a third – and arguably most relevant – component of any sound cybersecurity strategy: Homo sapiens. The human factor is in fact the single weakest element in the whole picture. While machine-to-machine processes are gaining increasing relevance, most processes are (still) carried out or governed by humans. Hence, all possible forms of mitigation of human risk factors should be considered, understanding what they might be within any given process context, together with their possible impacts and the data they affect … which is not necessarily the IT staff’s sweet spot of competence.

Any robust cybersecurity initiative and its applicable measures must take a holistic look, encompassing all three of the above elements – borderless scenarios, data relevance and prioritisation, human actors. As cybersecurity is still largely confused with IT security, we do not often see organisations commit to change-management actions embedded in security budgets, e.g. actions intended to grow awareness of the risks and characteristics of a highly digital business. Yet most fraud is perpetrated by insiders, and most errors come from the lawful but wrong behaviour of loyal yet unaware employees.

A well-designed cybersecurity measure should therefore always be made of three different components: adaptive enabling technologies, well-governed business processes and educated, highly aware staff. The protection of valuable data is therefore the outcome of a co-operative approach, which starts from a census of the most valuable information assets, selects balanced technology options in the context of critical processes, and relies on risk-aware humans to operate them. It is certainly not easy. Hackers and cyber-criminals know this all too well.

How far along is your organisation in fulfilling the above recommendation? If the answer is “not too far”, then you know you have a way to go. Achieving an organisation-wide state of cyber-resistance is the goal of a well-designed cybersecurity strategy. Relying solely or heavily on technology is not an option, albeit a tempting shortcut: buy product X or deploy solution Y and you are done. This is often the promise of all vendors, which is a bonanza for them, but no definitive stop to potential attackers.
