Sony was possibly the most famous victim of it and French broadcaster TV5Monde is currently the most recent headline case. Cybersecurity has become one of the hottest topics of recent years. While governments may get nervous about the possibility of terrorist cyber-attacks, for businesses the consequences of even a low-level IT security breach can be devastating and quite possibly fatal, if not to the employees, then to the company itself, on which they depend for their livelihood. It can also have a long-term impact on the careers of management professionals, particularly, but not exclusively, those involved in IT.
In spite of this, according to research carried out by Robert Half, one third of companies surveyed said that cyber security was not a senior management priority. Interestingly, almost 40% of companies said that this was because they did not perceive any imminent threat. It’s tempting to point out that the White Star Line did not perceive any imminent threat to the Titanic when it set sail from Southampton in 1908. This is much more than a flippant comment. Pretty much by definition, when a threat becomes imminent it generally becomes harder to avoid and harder to manage if it does happen. By contrast, if reasonable precautions are taken in advance, it’s more likely that threats can be kept at a distance and the damage limited if they do occur. By this point it’s well-documented that the Titanic had too few lifeboats for all the passengers since the White Star Line thought it was safe to assume that there would always be a friendly liner passing to help them out if need be.
In terms of cyber security, today’s lifeboats are:
Protection Against Viruses/Malware
Often these areas blend into each other.
For example, network security is more than just installing firewalls; it involves training staff to understand the importance of protecting their security details, even from friends, family and colleagues they trust. E-mail security is more than just installing spam filters and monitoring for questionable links and attachments; it’s about training staff to be aware of the threats e-mail can contain and to take action if they think they have identified a potential issue. The reality is that cyber threats are constantly changing and that it is therefore always possible that a malefactor can slip past even the most sophisticated automated defence systems, which is why human judgement is still so useful. Anti-virus and malware protection is a straightforward concept in itself, but these days malware comes in many forms, some of them quite tempting to staff. Additionally, there is a large body of software which may or may not be considered malware depending on your point of view. Yet again this is an area where it is critical that staff of all grades have a clear understanding of the importance of security.
The importance of a coherent physical security policy was demonstrated recently in quite spectacular style by Christie’s auction house. They locked £700K of valuables in a safe – but left the key to the safe in an open drawer. A thief found his way in and took everything. The police caught the thief, but most of the items are currently still missing.
Although this incident relates to physical security (or lack thereof) it does illustrate three key points in cyber security.
Firstly, regardless of whether the thief/hacker is caught, it’s an open question whether any punishment levied on them will make even the slightest bit of difference to the situation the company in question has to deal with. It’s also an open question as to whether any punishment would actually act as a deterrent to others.
Secondly, if a company falls victim to a cyber attack, it may never ever be able to recover what it lost. In this case the items taken were valuable and unique antiques. In the case of IT security breaches, the biggest losses of all are likely to be those of trust and respect. Sony is a classic example of this. The hackers gleefully published e-mails in which Sony employees made derogatory remarks about well-known figures in the entertainment industry. The fact that those e-mails may have been written by employees who were simply having a bad day was irrelevant, as was the fact that they were never intended for public consumption. The fact that they existed could quite easily be viewed as a breach of both trust and respect on the part of Sony and it is therefore hardly a surprise that Sony was obviously embarrassed about them and suffered reputational damage itself as a result of their publication.
Thirdly, maintaining security, whether physical or digital, requires continual vigilance, supported and, where necessary, enforced by trained and motivated staff. It is unclear whether leaving the key to the safe in an open drawer was an error of process or simply staff error, but in either case it absolutely should not have happened. Another, even more spectacular example of lackadaisical security was the recent robbery in Hatton Garden, London. Newspapers are reporting claims that on-site security was alerted to a problem but did not go into the vaults to check that all was well. While newspaper reports do have to be treated with caution, this story does offer a valuable lesson to businesses. As is so often the case in life, if you get the right people in place and give them the time, tools and motivation to do their job to the best of their ability, good results will follow.