There are many security issues to worry about as an organisation or business. Let’s list some of them:
- insider threats
- employee incompetence
- unpatched systems
- patched systems that you didn’t test properly
- zero-day attacks
- state actor attacks
- code quality
- test quality
- operations quality
- employee-owned devices
- advanced persistent threats
- data leakage
- official wifi points
- unofficial wifi points
- approved external access to internal systems via VPN
- unapproved external access to internal systems via VPN
- unapproved external access to internal systems via backdoors
- junior employees not following IT-mandated rules
- executives not following IT-mandated rules
I could go on: it’s very, very easy to find lots of things that should concern us. And it’s particularly confusing if you just go around finding lots of unconnected things which are entirely unrelated to each other and aren’t even of the same type. I mean: why list “code quality” in the same list as “executives not following IT-mandated rules”? How are you supposed to address issues which are so diverse?
And here, of course, is the problem: this is what organisations and businesses do have to address. All of these issues may present real risks to the functioning (or at least continued profitability) of the organisations. What are you supposed to do? How are you supposed to keep track of all these things?
The first answer that I want to give is “don’t get distracted”, but that’s actually the final piece of advice, because it doesn’t really work unless you’ve already done some work up front. So what are my actual answers?
1 – Perform risk analysis
You’re never going to be able to give your entire attention to everything, all the time: that’s not how life works. Nor are you likely to have sufficient resources to be happy that everything has been made as secure as you would like. So where do you focus your attention and apply those precious, scarce resources? The answer is that you need to consider what poses the most risk to your organisation. The classic way to do this is to use the following formula:
Risk = Likelihood x Impact
This looks really simple, but sadly it’s not, and there are entire books and companies dedicated to the topic. Impact may be to reputation, to physical infrastructure, system up-time, employee morale, or one of hundreds of other items. The difficulty of assessing the likelihood may range from simple (“the failure rate on this component is once every 20 years, and we have 500 of them”) to extremely difficult (“what’s the likelihood of our CFO clicking on a phishing attack?”). Once it’s complete, however, for all the various parts of the business you can think of – and get other people from different departments in to help, as they’ll think of different risks, I can 100% guarantee – then you have an idea of what needs the most attention. (For now: because you need to repeat this exercise of a regular basis, considering changes to risk, your business and the threats themselves.)
2 – Identify and apply measures
You have a list of risks. What to do? Well, a group of people – and this is important, as one person won’t have a good enough view of everything – needs to sit down and work out what measures to put in place to try to reduce or at least mitigate the various risks. The amount of resources that the organisation should be willing to apply to this will vary from risk to risk, and should generally be proportional to the risk being addressed, but won’t always be of the same kind. This is another reason why having different people involved is important. For example, one risk that you might be able to mitigate by spending a £50,000 (that’s about the same amount of US dollars) on a software solution might be equally well addressed by a physical barrier and a sign for a few hundred pounds. On the other hand, the business may decide that some risks should not be mitigated against directly, but rather insured against. Other may require training regimes and investment in t-shirts.
Once you’ve identified what measures are appropriate, and how much they are going to cost, somebody’s going to need to find money to apply them. Again, it may be that they are not all mitigated: it may just be too expensive. But the person who makes that decision should be someone senior – someone senior enough to take the flak should the risk come home to roost.
Then you apply your measures, and, wherever possible, you automate them and their reporting. If something is triggered, or logged, you then know:
- that you need to pay attention, and maybe apply some more measures;
- that the measure was at least partially effective;
- that you should report to the business how good a job you – and all those involved – have done.
3 – Don’t get distracted
My final point is where I’ve been trying to go with this article all along: don’t get distracted. Distractions come in many flavours, but here are three of the most dangerous.
- A measure was triggered, and you start paying all of your attention to that measure, or the system(s) that it’s defending. If you do this, you will miss all of the other attacks that are going on. In fact, here’s your opportunity to look more broadly and work out whether there are risks that you’d not considered, and attacks that are coming in right now, masked by the one you have noticed.
- You assume that the most expensive measures are the ones that require the most attention, and ignore the others. Remember: the amount of resources you should be ready to apply to each risk should be proportional to the risk, but the amount actually applied may not be. Check that the barrier you installed still works and that the sign is still legible – and if not, then consider whether you need to spend that £50,000 on software after all. Also remember that just because a risk is small, that doesn’t mean that it’s zero, or that the impact won’t be high if it does happen.
- Executive fashions change – and not just whether shoulder-pads are “in”, or the key to the boardroom bathroom is now electronic, but a realisation that executives (like everybody else) are bombarded with information. The latest concern that your C-levels read about in the business section, or hears about from their buddies on the golf course may require consideration, but you need to ensure that it’s considered in exactly the same way as all of the other risks that you addressed in the first step. You need to be firm about this – both with the executive(s), but also yourself, because although I identified this as an executive risk, the same goes for the rest of us. Humans are generally better at keeping their focus on the new, shiny thing in front of them, rather than the familiar and the mundane.
You can’t know everything, and you probably won’t be able to cover everything, either, but having a good understanding of risk – and maintaining your focus in the event of distractions – means that at least you’ll be covering and managing what you can know, and can be ready to address new ones as they arrive.
1 – let’s be honest: there are lots if you’re a private individual, too, but that’s for another day.
2- I did this on purpose, annoying as it may be to some readers. Stick with it.
3 – not to mention the continued employment of those tasked with stopping these issues.
4 – note that I didn’t write “everything has been made secure”: there is no “secure”.
5 – and, to be picky, this isn’t as simple as it looks either: does that likelihood increase or decrease over time, for instance?
6 – did I say “extremely difficult”? I meant to say…
7 – you can try standing, but you’re going to get tired: this is not a short process.
8 – now that, ladles and gentlespoons, is a nicely mixed metaphor, though I did stick with an aerial theme.
9 – this is a gross generalisation, I know: not all executives play golf. Some of them play squash/racketball instead.