
Active risk management: defending against the cyber storm

By Tom Salkield.

2014 started badly, by severely testing the UK's flood defences. Information security professionals have a similarly precarious feel, as they work to continuously hold back a flood of ever more sophisticated attacks and protect their information assets. Cybercrime, like the weather, is often unpredictable, but organizations can gain a competitive advantage by making risk-based decisions and investments that focus resources where they give the best return and prevent costly breaches of their defences.

The coverage of the flood damage to many areas of the UK dominated the news earlier this year. The debate still rages between those who argue that more should have been invested in planning and delivering effective defences, and those who claim that the volume of rain meant there was little more that could have been done to prevent the devastation.

These opposing proactive and reactive positions can also be seen in the security industry. Increasingly, the media, discussion forums and others in the industry seem to imply that we should focus our energies on the speed and cost of remediation rather than design and investment in effective, proactive defences. Read enough and you could be forgiven for thinking that, despite the money we spend on point solutions, the industry has lost the battle with cybercriminals – and that damage limitation is the best we can do.

Organizations that have a clear understanding of the value of their information assets and build robust defences in line with their business objectives put their organizations in a more confident, competitive position. How? By adopting active risk management.

Understand the value of your information assets

Almost all boards think their company’s exposure to cyber risks is increasing – yet just a fifth (21 percent) have taken action and significantly mitigated these risks (July 2013, FTSE 350 – ICSA Boardroom Bellwether report – ICSA Group). If profits were falling or customers leaving, no business would ignore these performance indicators, and yet when it comes to a security risk, they fail to respond with the same urgency.

Perhaps it is because it is difficult to quantify ‘risk’ in a business. Unlike falling profits or customer churn, when it comes to analysing information risk, there is no number we can hang our hat on, or flashing red sign to spur a business into action. Often, unlike a flood, you cannot see it coming.

To have an informed conversation about risk, organizations need to understand the value of their information assets in real and practical terms: terms that will grab the attention of the right people, secure budget and prove ROI.

Not all risk is bad though. Risk may be necessary to fuel innovation or achieve differentiation. So any approach to proactively managing risk must be completely in line with business objectives: helping a business to do the things that will make it stand out, with a full understanding of the associated information security risks.

Understanding and managing the risk of advanced persistent threats

One of the contributing factors to a sense of helplessness is the uncertainty around how to manage advanced persistent threats (APTs). Unlike a DDoS attack, which visibly overwhelms an organization's network like a flood, an APT leaves few obvious signs, and many companies fear that they cannot give their board and the wider organization any guarantee that they have not already been the victim of one.

If an attacker targets your business, this is not a random act like the weather. They want something you have and will use everything in their well-funded, intellectual arsenal to get it. The threats of today are characterised by the way they blend and use all available resources to compromise systems. This will typically include compromising employees with what look like legitimate requests. Attackers will collect and use what your employees and your business readily reveal through information shared on the Internet, including friends, personal interests and where and how they work, along with annual reports and press announcements.

They use this information to craft highly credible emails and web links to get that one, vital click or even trick hard-working helpline staff into sharing confidential information: then they are in. This is how many of the high-profile attacks on robust multinational companies bypassed traditional defences. This is not a deluge, but a very specific drip feed into an organization.

New forms of attack require new ways of testing defences

Organizations want to know exactly how well equipped they are to face this ever-changing threat landscape, and to actively manage their risk.

Working with the security industry they can get this visibility – they can see themselves exactly as potential attackers see them, understand what attackers could learn about them online and how employees might react to speculative emails and links. Armed with a realistic picture of where they are vulnerable, companies can focus investment in the right places to actively reduce risk while maintaining business as usual.

Like the costs of clearing up after the floods, the further an attack progresses within an organization the more it costs to remediate. The cost of a DDoS attack is comparatively easy to estimate: a real and measurable number of pounds lost per second of downtime, plus the impact on productivity, business transactions and customer satisfaction. The potential cost of an APT is far harder to quantify. So understanding how APTs work within an organization, and actively managing the risk, can have huge competitive and cost-saving benefits.

The debate will rumble on about whether the right investments were made to protect the UK's infrastructure and people's homes from the unprecedented weather conditions seen last winter. For organizations determined not to open the floodgates to cyber attacks, active risk management gives information security and risk management professionals the context and intelligence needed to ensure they invest in the right defences. It can also reduce overall technology spend and build information security and risk management maturity into the business, providing competitive advantage.

The author

Tom Salkield is Professional Services Director at NTT Com Security.

•Date: 8th August 2014 • UK/World •Type: Article • Topic: ISM
