SECURITY SIZE MATTERS
High-profile IT incidents involving household names have shown that bigger isn’t always better when it comes to digital security, argues Andy Barratt, UK Managing Director at cybersecurity consultancy Coalfire.
It seems barely a week goes by without the world’s news channels breaking the story of a major cybersecurity incident affecting yet another household-name company. In the modern age, no business is safe – either from external threat or from itself.
The IT saga that engulfed TSB this summer, and ultimately cost the bank’s CEO Paul Pester his job, shows how a big business can cause itself a monumental headache through poor risk management.
Bank customers were left without access to their digital accounts for weeks as TSB tried to migrate their details across to a new IT platform. When IBM was called in to restore order, it quickly became apparent that insufficient testing had been carried out in advance to ensure the transfer process would run smoothly.
But how could this happen to a business with presumably vast IT security resources?
It’s worth noting at this point that TSB’s issue was not caused by malicious intent or outside interference. However, the incident highlighted a disturbing lack of understanding running throughout the business that is indicative of how large corporations expose themselves to risk.
And, while in this case the issue presented itself in the form of a digital banking failure, there’s nothing to say that the breach or failure of a building management system couldn’t bring a business to its knees with similar force. Imagine the financial impact of an entire shopping mall or business park being locked down or brought to a standstill by hackers.
Corporates miss security sweet spot
The answer is that behind the curtain – and contrary to accepted wisdom on cybersecurity – large organisations are often not the best prepared to protect themselves against cyber risk, despite having greater resources.
Coalfire recently conducted its inaugural Penetration Risk Report, which involved simulating planned cyberattacks – a practice known as penetration testing – against businesses across the financial services, retail, healthcare, and tech and cloud services sectors to identify weak spots in their security armour.
Perhaps surprisingly, we found that large enterprises were not the most secure. Instead, it was mid-sized firms that found the sweet spot in terms of protecting their assets and mitigating their security risks.
So why doesn’t bigger spend always correlate to improved security?
46 | TOMORROW’S FM
Culture shocks
Often in large organisations, there is a mindset that the board doesn’t want to know about a problem, so risks are constantly re-framed and cracks painted over.
Consequently, senior executives often don’t have visibility of deeply rooted issues and, ultimately, make decisions that don’t factor those risks in. This can be particularly unhelpful when businesses are looking to innovate (e.g. installing a new access system), as investment in new technology is hamstrung by existing technical challenges.
In the worst-case scenario, this disconnect between boardroom and shop floor can leave businesses paralysed and senior spokespeople fronting up to the media with little understanding of the issues that have embroiled their company in controversy.
With that in mind, FMs must become comfortable communicating the risk their systems pose to higher powers.
Partner networks
Large businesses can also be put at risk due to the security shortcomings of the many partners they work with. This issue was evident when Ticketmaster was subject to a supply chain attack earlier this year. In this case, hackers used code supplied by Ticketmaster’s chatbot operator to extract payment details from its website after the code in question was incorrectly repurposed by Ticketmaster’s in-house team.
Similar activity was likely at play in the British Airways data breach, where the financial data of 380,000 customers was lifted live from its website, most likely via third-party code. BA is a regular participant in industry forums and best practice initiatives, and yet has still been affected, highlighting the risk big businesses face through their extended network of partners.
Like most large consumer-facing businesses, airlines are at risk of attack because they frequently rely on complex infrastructure and shared services provided by third parties. Many of those third parties simply don’t meet the security compliance rules we set here in the UK.
For businesses of this size, resilience in the face of an attack is the modern approach. Always assume that someone will find a way in. Responding to that quickly will enable you to minimise loss.
To err is human
The risk that human error poses to large organisations is somewhat unavoidable given the number of people they