Can you feel it? We are just on the cusp of change. The summer is almost done, the children will soon return to school and the business world will crank back up to full speed.
When you look back on your summer of 2016, those couple of weeks you managed to get away from it all, did you manage a quiet jog along the beach or the seafront and tell yourself that cyber security doesn’t really matter? The connection between cyber security and a quiet seaside town may seem unlikely but in fact it’s quite the opposite.
A few of our seaside towns are the landing points for the vast undersea cables that physically connect the UK to the rest of the world. The internet, with both its good and bad points, just like invaders and settlers of the past, arrives on the beaches. The locations of these cables are, for obvious reasons, kept as secret as possible so there is precious little chance of you tripping over one, or your youngest offspring chopping through these double-armoured cables with an overly energetic use of a plastic bucket and spade combo.
These cables are an intrinsic part of the UK national infrastructure, which in itself is a collection of assets, facilities, systems and networks that if lost or compromised would have a major detrimental effect on the integrity and delivery of essential services. At some point in the past a list was drawn up, scenarios were played out, and protection was put in place accordingly. As the internet is now a critical communications and trading network, it is no surprise that this is as important as other infrastructure assets, such as food supply, energy and emergency services.
The body that provides the advice for the protection of these assets is the Centre For The Protection Of National Infrastructure (CPNI). They advise a wide variety of government departments on ensuring that appropriate steps are taken within their sectors to improve protective security. This includes advice on cyber security.
The CPNI are willing to share elements of their advice with the wider world via their website and any individual tasked with cyber security responsibilities would be well advised to take a look.
Even though every individual, business and organisation is increasingly aware of cyber risks, kick starting them into actually taking preventative action still proves to be challenging in the extreme. So perhaps a few well-chosen questions posed by the CPNI might help get the conversation (at least) started in earnest.
The first question is: “Who would want access to our information and how could they acquire it?” Sounds obvious, doesn’t it? But when you start to develop an answer for it you will very rapidly start to see the scale of the challenge. Looking at it from the point of view of a criminal helps identify areas that may not have been very apparent when looking at it from the point of view of an employee.
They follow this with “How could they benefit from its use?” The answer here is twofold – money, or disruption. If you have something that somebody else can profit from, just like regular crime, and it’s easy to access with little or no chance of detection, then they are going to take it. Any organisation that suffers disruption from a targeted cyber-attack is going to lose money, market share and confidence. How much depends on their current position, but the age-old adage of the bigger they are the harder they fall seems more than appropriate to quote in this instance.
“Can they sell it, amend it or even prevent staff or customers from accessing it?” is the next point that the CPNI wishes you to consider. If the answer is ‘yes’ then you need to resolve it.
The final initial point they raise is “How damaging would the loss of data be? What would be the effect on its operations?” which is a polite way of saying, exactly how stuffed would you be should the criminally motivated gain access to your systems and data? The answer here is ‘very stuffed’, in case you hadn’t worked it out.
Advice on cyber security is readily available; just do a simple Google search and you will be presented with millions of results. The key is the provenance and respectability of that advice.
Organisations such as the CPNI have been dealing with levels of threat and security that most of us are blissfully unaware of. When they start to discuss cyber security then we would all be foolhardy to ignore them, but will we take it? Will companies genuinely start to address these challenges? If this advice doesn’t ring true and at least start the discussion then I don’t know what will. Maybe one final jog along the beach might help with these points going over in your mind, just don’t trip over the protected cable.