Checking on the effectiveness of your security measures during transformation
Digital transformation is all around us. We are all being encouraged to buy into it - from the largest corporations down to the smallest households and even private individuals. It is all about taking advantage of the cloud, of linking everything together, of reusing valuable information to make it more cost-effective, and much more besides. It is the nirvana that many have discussed since the early days of computing in the 1970s and 80s. Automation follows on with the control of our homes, cars, offices, systems becoming increasingly driven by computers rather than humans. Indeed, in his book 21 Lessons for the 21st Century, Yuval Noah Harari paints a remarkable picture of humans essentially writing themselves out of existence with all human activity being replicated much more efficiently and effectively by computer algorithms. (An algorithm is a sequence of commands repeated methodically by a computer or similar.) Should Yuval’s vision come about, it has, incidentally, the additional benefit of avoiding all issues related to human confrontation.
Whether or not we think that is likely is debatable and open to many interpretations, but one thing is sure. As long as we continue down the current path of linking, sharing, combining, moving and storing information in the ways we are now, the availability of the information will increasingly come into conflict with the security of the information. Criminals are only too aware that these processes are taking place and they are now sufficiently expert at seeing the ways things are going in order to develop ever-more sophisticated tools to highjack information and the systems on which it is utilised.
There has always been a tension between security and availability, and this becomes most evident when digital transformation is concerned. The requirement to share information, be it as documents or videos, from monitoring or controlling, makes the security of that information ever more difficult. The security of that information some might argue is not critical but consider the case of a simple baby alarm that utilises the internet to make its connections for its monitoring activities. Whilst the data itself might be considered fairly trivial, children’s or parents voices, if a criminal was able to hack into the system and record the traffic or, worse, be able to generate their own information on that system, the results could be very serious. At the most trivial, if the criminal was able to hear sounds in the house, they might hear a front door being closed and then silence meaning that the house was empty and ripe for burglary.
It is clear, therefore, that checking on the effectiveness of the security measures that have been put in place is now even more critical than ever before. The Cyber Defence Capability Assessment Tool (CDCAT®), developed by Dstl on behalf of the MoD about 10 years ago, provides the facility to check the effectiveness of the security capabilities in place very quickly for any system. This allows those responsible for the security to ensure their money is being spent in the right places as well as ensuring their systems are defended to an appropriate level. It must be remembered that not all information can or should be protected to the same degree. The “crown jewels” may need a lot of expensive protection whilst other less significant or sensitive information can be covered by less stringent measures. This tool can be scoped to suit any system, of any technology and in in any location and, usually within about half a day, provide an extensive report about how well things are working as well as advice on how to improve the situation.
That facility allows the assessment of the cost-effective use of a wide variety of security capabilities, including physical and procedural, to ensure the information is correctly and appropriately protected. It can also be used on a paper system, a system in design before it goes live, thereby helping to ensure there are fewer security issues after the system is online. Any security professional and business manager should be keen to understand how well their security is working and where they should be spending more (and less) money, time and effort.
CDCAT® is a registered trade mark of Dstl. All rights reserved.
Andy Taylor, APMG Cyber Assessor