Cyber Due Diligence: The New Normal
In all likelihood, cyber security capabilities will continue to lag behind both evolving digital technology and the accompanying evolution in exploitation tools and techniques. In addition, network defenders are required to stop every attack, whilst hostile states, criminals and activists need only get lucky once. Technology is already ubiquitous: think how many times you have interacted with a computer today – contactless payments, your phone, vending machines, even your car. With the rate at which Artificial Intelligence (AI) and the Internet of Things (IoT) are developing, it won’t be long before we are all connected in almost every aspect of our lives and technology blends seamlessly with our work and recreation.
With this exponential growth in connectivity and with ever more details of our lives stored and shared online, the cyber threat has grown from what used to be one of inconvenience and occasional extortion. It is now a big business opportunity for criminals, a method of warfare for nation states and a powerful political messaging platform for activists. All of these actors (and more) present a potential threat and may have an interest in disrupting your business and/or personal online activities. Just take a few seconds to think about how your business would cope without access to your critical functions or data for a day? A week? A month?
Bearing all this in mind, why do we continue to embrace the digital revolution at the rate we are, whilst dragging our feet in implementing often the most basic security controls? In our home lives, we give more personal data to Google than we’d share with our closest friends, and watch on as our families share their lives via social media. In business, we believe that an attack won’t happen, or that if it does then it won’t be that bad. Companies may only really consider their cyber security approach in detail during an attack, at which point it becomes expensive and disruptive to fix – try installing a fire alarm during a fire! Why don’t we give our cyber security the attention it deserves? The answers may be ironically similar to the reasons we are drawn to these technologies in the first place:
- Performance: “it will slow us down”
- Costs: “we can’t afford the investment”
- Availability: “too much downtime”
- Convenience: “our workforce won’t like it”
Typically, as 21st century human beings, we like to have our cake and eat it. We want all of the benefits that this incredible technology brings us without tolerating the controls that we need to use it safely and responsibly. That’s a sweeping statement of course, but in order to counter this issue the National Cyber Security Centre (NCSC) here in the UK and similar organisations around the world are working hard to encourage change and education for all. Progress is happening, but there’s a long way to go in bringing us collectively to the minimum required standard and keeping us there.
What should be the minimum standard?
We’re still hearing from executive-level employees “our I.T. people have got that covered” and “we’ve got Cyber Essentials so we’re ok”. There’s nothing inherently wrong with either of these statements provided that they are in the right context. A good quality I.T. team is vital to cyber security and Cyber Essentials self-accreditation is a sign that an organisation takes cyber security seriously. The same statements though could also be an indicator of box-ticking by a board which is yet to give the cyber threat to their business the respect it deserves. Boards shouldn’t wait until their share price has plummeted because of a devastating cyber attack before making cyber security a board-level issue.
We’ve spent many years working in secure environments, some within industry giants, and some within government facilities. In these specialist areas, for most of those years the security provisions in place have been successful and largely commensurate with the threat. Of course there have been exceptions and mistakes made, but a culture of security was ingrained into our organisations and people understood why. The workforce conformed willingly because at the heart of this culture secrets needed to be kept and lives were potentially at stake. Well, in this digital age where data is now competing with cash for the title of King, autonomous transport is on our doorstep, and our critical national infrastructure is at risk of attack, the same approach to the cyber threat could and should be embedded.
So the minimum standard must be a combination of controls, understanding and culture which provides robust layers of defence against both external and internal threats. It must also be versatile, dynamic and informative enough to evolve with the threat. It must extend to incident response and recovery, to ensure that plans are in place and people understand their roles and responsibilities in case the worst happens. This should now be the minimum standard with which commercial organisations must comply. If we don’t accelerate wider conformity to these minimum criteria very soon, then technology will take another ‘quantum’ leap forward, leaving honest and law-abiding users even further behind.
The new normal
The NCSC has published its ’10 Steps to Cyber Security’ and ‘Cyber Assessment Framework’. The equivalent Australian agency has ‘The Essential Eight’ and the US has the ‘NIST Cybersecurity Framework’. There is plenty of guidance available, but to have any effect it takes the will and intent of investors, owners, executives and employees to implement it. Cyber Essentials, Cyber Essentials Plus and ISO27001 are a good start in terms of accreditation; however, they don’t necessarily provide assurance that security measures are sufficient for the specific environment of a particular organisation. At the time of writing there is no substitute for a professional, independent evaluation. In all probability an international standard will eventually emerge from this guidance which will require conformity to a ‘new normal’, especially in certain circumstances such as when an organisation applies for cyber insurance. This ‘new normal’ will likely be the kind of cyber security culture and approach that the international defence and intelligence communities have complied with for many years.
For investors, whether it be a potential acquisition or an existing portfolio, the question is whether you can afford to wait for a new standard to become commonplace and adopted, or whether you take a more proactive approach. We would strongly recommend that, if you haven’t already, you start to undertake cyber due diligence now against the baseline of ‘the new normal’ which has been laid out in detailed non-mandatory guidance by the UK government. Just rolling out the I.T. Manager or ticking a box against CE, CE+ or ISO27001 isn’t enough for you anymore. To satisfy yourself and your investors that you have identified and negotiated ownership of all cyber risk in your existing and potential portfolio, a comprehensive cyber due diligence review should be conducted.
For owners and boards of businesses or organisations, the sooner you do the same and undertake a full due diligence review, the sooner you will understand your risks and your resilience to a threat which is only going to grow. This ‘new normal’ in security doesn’t necessarily require expensive software or infrastructure. What it does mean is that things might be a little bit less convenient, a tad slower, and your employees might complain initially about some of the restrictions. However, with commitment to cultural as well as technological change, and a common set of consequence-led objectives, you will adapt and be a stronger organisation as a result.
The rate of cyber-attacks has remained high in the UK for the last two years despite best efforts. The average financial impact of these attacks has increased by 400% in the same time period. This is in spite of some excellent work, particularly in the UK, to reduce the frequency and impact of cyber-attacks. Don’t wait to find out the hard way that what is currently accepted as ‘normal’ is not good enough. This is cultural, technological and business change. We must do more and keep doing more.