2020: Lessons learnt: The need for a common framework to tackle information security threats
Overview
Over the last decade, digital technologies have transformed both the economy and society across countries and industries. Data has become the centre of this digital evolution, and a means to generate new information.
With the release of its strategy for data at the beginning of 2020, the EU recently stated its aim to become a leader in digital technology transformation, as well as to acquire an important role in the data economy.
To accomplish such an ambitious project, the EU is considering building a strong legal framework. Consultations on cloud computing, crypto assets, 5G, big data, and the creation of a digital society are currently under way. If the EU is to win a leading role worldwide, it also needs the support of EU business, and it needs to act before the other major players build, implement and, most importantly, adapt their information security policies to a sustainable common framework.
To capture the benefits of better use of data, and consequently of the newly created information and information flows that enhance productivity and competitive markets, standardisation is required.
The challenges
In the area of information security and cybersecurity, a common framework is essential to tackle threats. Industry leaders such as the US, UK, and EU aim to improve their mechanisms to both ensure highest levels of information security and benefit from the data market.
To be successful, such a framework should ensure that:
- Information can flow within the market and across sectors.
- Common rules and ethical values are protected and respected, especially with regards to personal data protection and consumer protection.
- Fair access to and use of information are guaranteed.
To secure benefits from the current digital transformation, internal strategies are being implemented through national regulations. At the same time, ISO standards are set to offer a common international framework for integration.
Information Security has traditionally been associated exclusively with the need for a technical solution, rather than with a comprehensive management system that ensures resilience through a systematic approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving Information Security, and thereby achieves business objectives.
We live in an interconnected world. Nowadays, information systems and networks face security threats from every direction, and those threats are increasingly sophisticated. Traditionally, we have worried about computer-assisted fraud, espionage, sabotage, vandalism, fire, flood, and the like. Only in the last several years have we started worrying about malicious code, computer hacking and denial-of-service attacks.
In March 2020, we brought it all home. We faced new challenges deriving from the overuse of fragile Wi-Fi connectivity, as well as the threat of device compromise and potential ransomware attacks through the IoT, both of which cause disruption.
A frequent issue that organisations worldwide face is the need for information and cybersecurity professionals to fill in the ever-increasing number of openings. The industry continues to suffer across all sectors from an acute shortage of experts to join the front line in the battle against bots and automated sources, as well as any alternative means used to achieve distortion or the intentional spread of misinformation.
This raises a certain concern with regards to how quickly organisations will be able to react and adhere to any information security frameworks and, most importantly, how efficient the information flows designed will be.
The main threats
New threats have arisen to complement the already known ones that have also acquired a different dimension and need to be approached from a non-traditional perspective. The global industry is facing disruptions on an unprecedented scale. Conventional threats such as rolling recessions, volatility in currency, supply chain disruptions and bankruptcies acquire a whole new dimension when aggravated through modern cyber-based attacks. There is an increasing need for a consistent global response to the rising number of sophisticated attacks. Being fully prepared to face all possible challenges and prevent potential risks requires a common approach to building up security and resilience, as well as balanced cost optimisations and investment.
The root cause for most recently identified risks lies with how digital transformation is understood or, better said, misunderstood. Most organisations consider it as a single technological event while digital transformation is multi-dimensional. There are four transformation perspectives: business process, business model, domain, and organisational transformation.
New technologies create both significant risks and significant opportunities and organisations that implement and pursue a consistent multi-dimensional transformation are better prepared to face new challenges and prevent disruptions. Organisations that have taken their readiness for response to the next level and standardised their policies, objectives, and operations, are those more likely to find greater success and benefit from what the whole potential technology innovation can offer.
As technological change accelerates, organisations will continue to be forced to adapt to and prevent an ever-increasing number of threats and disruptions. The FOMO ("fear of missing out") phenomenon is likely to become a corporate trend and impel organisations to monitor social platforms continuously out of fear of missing significant events.
That would be the wrong approach and therefore a considerable threat to productivity, information security and business resilience. It also underlines the need for sustainable management systems and a common framework with which implemented systems should comply, so that countermeasures are widely applicable and efficiently prevent exposure to ransomware, phishing, crypto-jacking, cyber-physical attacks, state-sponsored attacks, smart medical devices, electronic medical records, regulatory and legislative changes, and third parties' vulnerabilities.
There is an urgent need to prevent attackers from exploiting what is probably the weakest element since the working-from-home challenge started in March 2020: the overuse of wireless connections. There are important differences between mobile device wireless connections and standard network connections. Some wireless security protocols are immature and have known weaknesses. Another significant issue is the backup of information stored on mobile devices. It may not be backed up because of limited network bandwidth, or simply because mobile devices are not connected at the time when backups are scheduled.
Attacks are becoming increasingly complex, with attackers incorporating elements of social engineering. Human psychology is exploited through a variety of means, including telephone calls and social media, to trick people into granting access to sensitive information.
The right approach
This article defends the need for a common framework to ensure information security and resilience against attacks and disruptions. While there may be a delay in establishing and implementing local regulations, there is certainly a way to adhere to best practice in the meantime: implementing management systems that comply with the international standards for Information Security and Business Continuity, which can then be adapted to any national framework that emerges.
The ability to detect, identify and classify threats helps build an efficient strategy and act on the threats systematically. Most organisations follow best practice and classify threats as direct or indirect, since different approaches may be required to resolve the issues detected. An example of threat classification:
- Direct threats
  - Out-of-date information security policies
  - Loosened human resource security
  - Incomplete asset management
  - Access control
  - Encryption issues
  - Lack of adapted physical and environmental security
  - Lack of adapted operational security
  - Changed communications security
- Indirect threats
  - System acquisition, development and maintenance
  - Supplier relationships
  - Information security incident management
  - Information security aspects of business continuity management
  - Compliance – changes in regulatory or cultural requirements
This approach helps organisations to be more innovative, agile, and digital thanks to planning on business transformation initiatives as part of a solid, long-term digital transformation. It also offers a robust framework for process and business model transformations, as well as a consistent organisational transformation.
As part of an integrated management system, the international standards link organisations' business activities to a global framework that helps reduce technological, legal and financial exposure; reduce the direct and indirect costs of disruptions while protecting life, property and the environment; and improve the organisation's capability to remain effective during disruptions and address operational vulnerabilities.
From a Business Continuity and Information Security perspective, compliant management systems give reassurance to the extent of the defined scope: the parts of the organisation, locations, size, nature and complexity, as well as the products and services included.
Written for IMSM