Does ensuring compliance ensure your cyber security defences are robust?
Standards and legislation have long been seen as a way of ensuring people and organisations reach and maintain a specified level in any chosen area, be that quality, engineering, security, safety or any number of other areas of business. There are far too many standards available in cyber security to list here, but each has its own role in the marketplace and each assists in achieving an appropriate level of cyber security in its relevant and specified place. The ones perhaps most commonly seen in the UK are ISO27001, PCI DSS for card payments and Cyber Essentials for the general business community, but there are many others, some aimed at more specialised industries.
There are also plenty of guidance or framework documents, such as the UK government’s 10 Steps to Cyber Security aimed at larger organisations. These frameworks provide a useful way of ensuring there is a good level of cyber security in place without the hassle of an independent audit, although that in itself clearly carries risks. Last, and by no means least, there is also legislation. The most notable one getting all the news lately is the General Data Protection Regulation (GDPR), which will come into effect on 25th May 2018, and the UK’s associated Data Protection Act, which has yet to clear Parliament but is likely to follow in a similar timeframe.
One major risk with compliance, with guidance and to some degree with legislation is that the IT department may think they have done all the right things and tell the bosses all is well, whereas an independent audit might find some of the controls poorly implemented, leaving risks or vulnerabilities to be exploited. In the case of guidance that’s frustrating and might lead to a successful attack. In the case of legislation (and the GDPR in particular) not doing the right things could lead to huge penalties which any sane organisation would want to avoid. A maximum of up to 4% of gross annual worldwide turnover (that’s not profit) or 20 million euros, whichever is the greater, may be theoretical, but I wouldn’t want to test the ICO’s resolve.
There has, however, always been a danger with compliance that the view is taken within an organisation that once the box has been ticked and the standard has been met, that is good enough and it can then be forgotten, at least until the next painful audit. The auditors are partly at fault, because they too are often happy to accept that a requirement has been met without asking for further evidence of how well the requirement is actually working in the company. This can lead to a feeling of doing it because the standard says so rather than because it is good practice for the organisation, the business or the person.
In the 1980s there was a much stronger badge-collecting culture than perhaps there is today. In those bad old days, the badge was all that was wanted and so, provided the auditor could be convinced (by hook or by crook) that the requirement was met, then all was well and the badge was proudly displayed. This led to some strange certifications – the company that had achieved ISO9000 (as it was then) for the purchase of one particular item, often referred to, probably apocryphally, as toilet rolls, and yet whose main business was something entirely different. Still, they were able to display their ISO9000 certification and proudly claim they were a quality organisation.
Pleasingly, that situation is much less common today although I am sure it still happens at times.
In cyber security (and in most other standards-based systems as well) it is simply not good enough to do very little between audits and expect the world (and the criminals in particular) not to attack because the organisation holds a cyber certification, as if that certificate protected it like a magic forcefield. Cyber certification is an excellent starting point and will be an essential part of developing the appropriate culture within the organisation. Getting people to look at, read and ultimately sing from the same hymn sheet is a crucial part of the security culture required in an organisation. Once the culture starts to develop, maintaining the certification is likely to become normal practice: people are aware of the risks and vulnerabilities and so will take appropriate actions to address or mitigate them.
This applies equally to following guidelines, using a framework and similar ways of ensuring standards. If the culture of the organisation considers cyber security in virtually everything it does, there is far less chance of a successful attack. But we cannot always rely on people to do the right thing. Training them, making them aware of the organisation’s policy and trying to instil a security culture is all well and good, but people will still make mistakes, sometimes intentionally if they are so inclined.
In the recent report from IBM and the Ponemon Institute on the costs of data breaches in 2017, they state that more than half of the breaches identified were caused by insiders or system glitches. They also state that about 40% of the indirect cost of an incident (which is usually at least half of the total cost), whatever the cause, is lost business – basically loss of customer loyalty. It is well known how difficult it is to gain new customers, and so the idea of losing them is clearly not a good one. All marketers talk of retaining and maintaining the current customer base; having to start again acquiring new customers is not a good prospect.
It is therefore paramount that a security culture is embedded into an organisation so that the cyber security certification achieved, be it fairly simple like Cyber Essentials or more comprehensive like ISO27001, is then maintained as normal practice. If a framework is being used as the basis of the work, then again this needs to be embedded into the culture of the organisation – from the very top of the shop to the lowliest workers. It is always the weakest link in the chain that breaks, and that could just as easily be a cleaner as a Managing Director. It must be said, though, that there is quite a lot of evidence to show that senior staff are more likely than their staff to make mistakes by clicking on phishing emails, opening fraudulent documents sent to them or something equally foolish. The compliance approach, ensuring the standard, framework or guidelines are being adhered to, helps to reduce that likelihood because it helps to build the security culture. It is essential that cyber security in an organisation is demonstrably driven from the very top – not least because the people at the top are perhaps at higher risk than the more lowly workers.
So in summary, use a framework, industry-specific guidelines or a recognised standard to check that what you are doing in cyber security is the right stuff. Cyber Essentials is achievable and highlights a basic set of requirements any business or organisation can meet, and that should be the starting point.
Check regularly to ensure that you are not just doing the right things (being compliant) but that you are doing them properly – that is, that they are working effectively. Then make sure that there is a culture of continuous improvement. This will help to raise standards and so reduce the risk of a successful attack. An assessment of the maturity of the implementation of the security capabilities is an excellent way of checking, and this should be done using a tool or system that is well founded on real-world evidence and independent of personal bias or subjectivity. APMG can offer such a service using their Cyber Defence Capability Assessment Tool, or CDCAT®, which was developed by Dstl and the MOD.