Why won’t they act?

There seems to be many organisations who speak a good game in press releases, board packs and similar visible public platforms – but show a very different face behind the scenes. I find it of deep concern that ICT risk is typically not escalated to the executive team, including the CFO. The more valuable a businesses’ intellectual property is, the higher the chances that cyber criminals will try to get their hands on it, and this is a business problem, not a technology problem.

The most deadly and damaging attacks today are aimed specifically at an organisation’s data, people, systems, and vulnerabilities. Attacks are more sophisticated than ever before, and more cunning and stealthy.

So how do we explain the phenomenon that when we identify the risk – it is not acted on? Is this because the ICT team feel that if they bring the risk out in the open they may lose face; or even worse – their job? Is it that there is not enough “pressure” actually placed on the business at the highest level to address ICT risks or are we simply dealing with severe cases of denial – if we deny the fact we are exposed to risk; then hopefully it will go away?

I am dumbfounded that so many CFO’s, CIO’s and CEO’s still think that by following the “Audit Requirement” to tick boxes that they are doing ok! There needs to be a drive to move from a ‘checklist’ to a risk-based approach to security. This means that security risk management needs to be an ongoing initiative, not just a yearly assessment. No longer can risk management be driven by compliance certification. The growing number of data breaches have shown that being compliant does not necessarily mean you are secure.

Yet, while security professionals should be changing the ways in which they deal with today’s ever-morphing threats, and approaching security from a risk-based, proactive perspective, many still approach security from a more traditional point of view. Standard defences and protocols are inadequate - they are not doing the job. While they can deal with malware and suchlike, they cannot handle the depth and breadth of today’s risks and attacks.

To have a risk-based approach to security, businesses need to factor in real-time information when running continuous monitoring and identify risk and changes in behaviour. Predictive analytics is available, we can point you to the areas of risk as they happen – but too many of you still don’t move and the problems are not going away.

Any good risk-based security strategy needs to establish what the priorities are, and then make decisions through a system of evaluating the confidentiality of the information, the vulnerability of systems and applications, and the likelihood that a threat might occur.

You cannot deny that threats to organisations are prolific, but too often, it is an insider that enables a hacker, sometimes deliberately, sometimes purely by accident, and these types of breaches can be even more catastrophic than those carried out by outsiders alone. The threat from your employees is a real one. They have legitimate log in credentials, they have access and they know what information you have without having to conduct a fishing expedition. Although outside attackers are a great danger by not monitoring the internal landscape for behavioural issues you will only find out when it leaks in the press.

I can provide an example, without naming the client of course. We recently uncovered, during a Proof of Concept, that a listed business we were working with was exposed to many ICT related risks. One of these was that an internal user shared the completed Audited Financials - in an open, non-secure online file share which was publicly accessible so that anybody could gain access to it - more than three weeks before the release on the JSE. Rather than escalating the need for our solution, the IT and infrastructure team have kept this hidden from the rest of the management team and CFO. Choosing rather to “work on some processes” than put the solution in place and be in a position to mitigate this risk in the future.

The ability to keep sensitive information safe while not looking at every employee with suspicion is a balancing act, but there are several measures companies can take to protect against the insider threat. Primary among these is the escalation of any potential risks and problems to the correct members of the executive team. To do this you need to have complete visibility. That’s the best start.

Too often, security is perceived as negative, and as a hindrance to organisational growth that confines the execution of core business services. Information security professionals and business must work together to be able to enforce security-related policies and procedures. Most importantly, security professionals and business executives need to start working together when thinking about acceptable risk levels. Frequent conversations among executives, technical and department heads to promote awareness and discuss risk are essential.