27 July 2017
Cybersecurity – Starting with the basics
For many businesses and critical infrastructures, information technology (IT) has become an enabler, rather than the facilitator it was in the past. More than ever, organisations are relying on IT to support their core functions, create efficiency and be better connected to their customers by delivering cost-effective and user-friendly products and services. However, the introduction of new technologies and features required to continue to meet these demands with success is accompanied by an increase in vulnerability and risk.
In 2016 we witnessed numerous high-profile security breaches around the globe, spanning every industry – from incidents involving the disruption of critical infrastructure to massive data breaches where data was stolen from millions of personal accounts. No business, big or small, can ignore cybersecurity. Small and medium-sized enterprises (SMEs) are often an easier target due to limited security investment and weak infrastructure.
The trend in cyber breaches is set to continue in 2017, with greater ferocity and wider geographical coverage.
IoT and BYOD
The networking giant Cisco estimates that the number of Internet of Things (IoT) devices will increase to 50 billion worldwide by 2020. Companies are encouraging employees to bring their own devices (BYOD) to work to save on costs. As a result, more smart devices holding sensitive information are becoming interconnected, each serving as a potential entry point for attackers.
- Data theft can be expected to shift from pure data extraction to malicious manipulation.
- Hackers need less experience than they used to, as automated hacking tools are continuously becoming more sophisticated, easier to master and readily available.
- Crypto-ransomware will grow and spread into many types of IoT devices, holding sensitive data hostage and releasing it only after ransom sums have been paid.
In the midst of all the buzzwords and technical jargon, the most important question business leaders should be asking themselves is: How does my organisation approach its cyber-risk strategy?
Six areas to consider for an effective cybersecurity programme
To successfully develop and maintain an effective cybersecurity programme, we propose six main areas for consideration (see Diagram 1):
The primary goal of information security is to enable your organisation to meet its strategic objectives. Policies and controls need to be meaningful. Enterprises need to align security with these goals by understanding their risk appetite, their core assets (including functions, processes, intangible and tangible assets) and the risks that these assets are exposed to (see Diagram 2).
A holistic approach must be taken when identifying risks: consider all connections, vendors, suppliers, outsourcing partners and other business partners. Attackers often use these external entities as indirect entry points in order to reach their intended target. In 2014 the US’s second-largest discount retailer, Target, was hacked. The attacker stole network credentials from a third party (a heating, ventilation and air conditioning provider) before gaining access to Target’s systems.
- Cisco, The Internet of Things, 2011
- Krebs on Security, Target Hackers, 2014