What are the key technologies that can protect your business from cyber-attacks?
Most businesses would point to technologies such as threat detection, anti-malware, firewalls, and antivirus software. In practice, the choice matters less than how often your systems are patched and what policies and procedures are in place.
However, the biggest threat to a business is likely to be something that they are not aware of. Remember the famous quote from US Secretary of Defence Donald Rumsfeld about the known unknowns and the unknown unknowns? He was talking about intelligence information, but his comment applies to any situation where the risks are unknown.
In the cyber security field, those with malicious intent are constantly dreaming up new ways to attack your business. They seek out vulnerabilities, so the threat landscape is constantly shifting. The only way to address this is to continually evaluate the risks to your business so that you can put appropriate mitigation and controls in place.
This is where the Information Security Manager comes in. They help businesses evaluate the threats they face. They can explain the company’s vulnerability to each type of risk and – perhaps their biggest challenge – what the potential impact is. While most people find it straightforward to grasp the impact of the office burning down, it can be much more difficult to grasp the full implications of a cyber-attack.
The shipping firm Maersk is a classic example. Infected by the NotPetya malware, its operations ground to a halt. While data was backed up, applications were not only infected but also destroyed, so the data could not be restored. This led to fixed phone lines becoming inoperable, and contacts being wiped from mobiles because they had been synchronised with Outlook.
To minimise the risk of cyber-attacks, the Information Security Manager will present the risk framework to Senior Management, who can then make an informed decision about their company’s Risk Appetite, i.e. the extent to which they wish to protect themselves against each risk, considering the company’s ethical stance, the legal frameworks it operates in and its security requirements. For example, the security requirements for a bank will be different from those for a construction firm.
The Information Security Manager then works across the business ensuring appropriate policies and controls are in place, educating people about security and then monitoring and ‘marking their homework’ to ensure that they comply. They would be responsible for explaining the risks and their implications and convincing members of staff of the importance of complying with security policies. They also need to be confident in what they know and be able to explain clearly why they are recommending a particular course of action.
Smaller organisations may choose to outsource the Information Security Manager role due to a skills gap. This has the advantage of bringing in an impartial third party, who may be better equipped to communicate the issues and to ‘speak truth to power’, i.e. provide Senior Management with what may be unpalatable information about potential risks and the need to address them. But whether handled in-house or externally, the Information Security Manager is vital to effective cyber security.