

It is the security of information in all its forms which presents one of the key challenges. Personal and commercial information is the new commodity of choice of today’s virtual thief.


A new global market exists where stolen information is traded as a precursor element to committing fraud. Importantly, only a portion of this is being stolen through technical attack on IT systems; the rest is literally walking out the door through the risk posed by the ‘Insider Threat’.


It is happening wherever this information is available, which may include cloud servers or any repository within increasingly sophisticated hardware and fragmented supply chains. Once accessed by the cyber thief, this information is harvested and, if necessary, refined through open source research and intelligence-led information gathering, using either traditional contact by telephone or email and sometimes further targeted technical attack. However, millions of pounds are also being lost on a weekly basis through compromised account information that has obviously come from a source within apparently secure systems.


Cyber Crime, Cyber Warfare, Cyber Terrorism and Hacktivism are expressions often used to describe the motivation rather than the capability of a threat group.


We assume the intention of the attack from the known outcome, or what happened as a result of the breach. For example, Hacktivism is widely publicised because its motive is to overtly disrupt, and it is inevitably associated with publicity. By the same token, criminally motivated attacks are uncovered through fraudulent losses.


However, the real concern for us all should be those infrastructure breaches, which are intended to remain undiscovered. The absence of intelligence or knowledge concerning the nature or existence of the threat does not mean it does not exist.


You see an indication of this through the Reuters Report in August 2013, which highlighted that more than 50% of world securities exchanges have been subject to cyber attacks, mainly through denial of service attacks with increasing levels of sophistication. More importantly, back in 2010 hackers infiltrated the NASDAQ and installed malware which enabled them to spy on the directors of publicly held companies. Within the UK our security services have publicly highlighted similar threats to large corporates following covert cyber attacks aimed at gathering highly sensitive commercial information.


© CITY SECURITY MAGAZINE – SUMMER 2014


We have to recognise that information is the commodity and that we need to protect it according to its level of importance. One of the first challenges, therefore, is to properly map the information that your organisation holds, both in terms of how valuable it is to others as well as to your own business, and then to risk assess how it is stored and accessed.


This isn’t simply about appropriate firewalls and technical infrastructure; it is more about a culture shift towards the management of information with a focus on people, their access and their approach to this information.


The UK Government launched its own National Cyber Security Strategy two years ago and has invested a great deal to help businesses combat the threat, with a number of useful guides being produced. ‘10 Steps to Cyber Security’ and a similar guide for SME businesses are available for download on the Government’s website.


Alongside this there are standards, which an organisation can choose to adopt.


Understanding the maturity of your own security model is the key. Members in the public sector in the UK are following the Information Assurance Maturity Model and Assessment Framework (HMG IAMM), with the majority of private sector members following ISO27001. The British Standards Institute has recently updated its 27001 Standard (from 2005 to 2013) and, due to ongoing interest from companies wishing to protect themselves, has also recently published a fast track Publicly Available Specification (PAS 555:2013 – Cyber Security Risk – Governance and Management), which documents some of the outcome requirements of a protected system.


So, good practice is becoming available, but to get this right requires a shift of approach in terms of governance, starting at the very top. The first is the recognition that the whole organisation has to be involved – every department, every person and every process.


This cannot be converted into an action plan and a series of tick boxes and then discharged or delegated as someone else’s responsibility. It will need resourcing and managing carefully and intrusively. The only way for this to be managed effectively is through a series of governance processes that start with the Chief Executive and involve the Board.


Effective mapping and risk assessing of every repository of information, and of how it is made available, will take time and effort, particularly when this involves complex outsourced supply chains. So will involving staff and raising their awareness; and, most importantly, so will changing the paradigms around information access and its use that have accompanied us from the analogue world.


Success in terms of cyber security is simply this. Your information is secure.


Whilst governance and compliance with known standards are an excellent means of achieving this, they are not in themselves the answer. The only way you can be certain your information is secure is by asking someone to try and steal it. The good news is that there are now Government accredited security testing schemes that can be accessed by private businesses. Good examples of these can be found at www.tigerscheme.org and www.crest-approved.org.


The necessary change in culture involves routine system penetration testing by third parties, coupled with intrusive internal surveillance systems, monitoring technical infrastructure and, I’m afraid, monitoring people as well. This is why appropriate measures across what is an enterprise risk will naturally involve the whole organisation. Staff need to understand the change, but, better informed, they will also be best placed to help close down the risk. All of this is going to involve additional resource.


Protecting your business in terms of cyber security is achievable but not without a significant change taking place.


Adrian Leppard QPM, Commissioner – City of London Police


www.cityoflondon.police.uk

