Cyber-Security must be Top-Down and All-Pervading
David Snowden
Lead Business Analyst | Business Transformation | IT Project Manager | Technical Author/Writer
There is a dawning suspicion among both the private sector and the public that even with the most advanced encryption the internet will never be sufficiently secure for the most sensitive data. The debacle over the San Bernardino gunman’s iPhone has shaken many I have spoken to who thought that technology could make them safe. Leaving aside the legal and ethical considerations (which the legal systems of the world will have to sort out by test cases in coming years), the question comes down to this: will there ever be a technology that cannot be unravelled by an intruder if the incentive is there? At present the answer seems to be: "No".
Does this mean that sensitive data will have to be transmitted in other ways? Are we going to see the re-emergence of bank messengers and military despatch riders? Should we be buying shares in paper mills? Where does that leave the UK government’s "Digital by Default"? We have a client who reverted to paper-based operation until he could design and install a closed dedicated messaging system. Will this be the way forward? As banking becomes increasingly a digital business this might be the only way to reassure customers that their details, and their money, are being protected.
It is not too far-fetched to imagine a secure intranet being set up and managed, possibly by the Cyber-Innovation Centre at GCHQ, to allow UK businesses, banks and government to trade with each other in a closed environment outside the internet. However, where does that leave the man-on-the-street? There is an individual judgement to be made here: am I prepared to accept the level of risk involved for the convenience of transacting on-line? Having adequate insurance against losses moves the balance of the argument toward "yes". We have to get used to the idea that there are no guarantees.
Since I began working on eBusiness in 1995, organisations have generally considered Cyber-security to be an ICT issue – "our IT department does all that" – and it is only within the past five years that it has begun to be recognised as a matter of corporate governance and the responsibility of everyone in the organisation from the C-suite down. Directors and senior managers take the lead, embedding best practice in the corporate standards and strategies and cascading those down to every employee. Cyber-security is now as important as the monthly sales figures for most businesses, even if many do not realise it. Showing customers that the business or other organisation is taking every reasonable measure to minimise the risk to them will help build confidence in the organisation and encourage customers to transact on-line.
I will close with an anecdote: a major City business carried out a redundancy exercise during the recession, eliminating a complete layer of management. One manager in the IT department was allowed to work his notice (generally considered to be a bad idea!) and one evening visited the eighth floor to check an equipment closet. As he passed the CEO’s office he noticed that the CEO’s password was stuck to the screen on a sticky-note (incidentally, the staff handbook listed this as a disciplinary offence). He sat down, logged on, emailed redundancy notices to the entire board, logged off and went home. The point of this story is that even if there were such a thing as wholly secure technology, that fallible component called a human being will find ways to compromise it, and that is why Cyber-security must be top-down and all-pervading.
Managing Director at Initiative Homes Ltd
[8 years ago] The human factor has always been true even in zero tech - like the post room worker who passed information to a competitor - but the story that came to mind was that of the code breakers at Bletchley Park during the war. One of the great breakthroughs came when Alan Turing realised that people are predictable in their behaviours so there will always be a pattern to find... hence a way into the code key. The other point you made is that the tech can cut both ways. If we ever get perfect security, our information will be safe for ever, but so will the crooks and terrorists. So, for me a little techie insecurity is probably not an entirely bad thing. Instead, we all need to realise that, like most other things in business (and life), it comes down to having great relationships with great people. Oh yes, and loyalty - both ways.
Lead Business Analyst | Business Transformation | IT Project Manager | Technical Author/Writer
[8 years ago] Thanks for that tip, Dave. Will be in touch. David
Information Systems Security Auditor at Bulletproof, a GLI Company
[8 years ago] Thanks for this blog, I really enjoyed the read and the anecdote. One area that a colleague of mine is very interested in is Distributed Ledger technology, which I am sure you have heard about; if ever adopted fully, it could help keep information secure by actually spreading out the information in blocks rather than putting it all behind a GCHQ second-life, for want of a better analogy at this time. My colleague is John Beddard, so do get in touch with him to learn more; it is not a sales thing as we are years away from it being commercialised. Thanks again. Dave.
Principal Information Security Consultant at C3IA Solutions Ltd
[8 years ago] Great article! Total security is unrealistic, regardless of what processes or technology are in place. Any system can be compromised if the attacker is sufficiently smart and motivated, and technology cuts both ways. The key is to raise the security bar high enough that an attacker views it as not worth the effort. To do this, we have to take a pragmatic and risk-based approach to where we spend our money. Integrating the risks at board level is a massive leap forward: there are no cyber risks, only business risks with cyber causes!
Lead Business Analyst | Business Transformation | IT Project Manager | Technical Author/Writer
[8 years ago] Fully agree with both comments. Training needs to lead to a cultural change embracing everyone in the organisation.