In the second of five blogs on megatrends, Rob Noble speaks about how broad issues around tech risk and cyber security threats have become, given our reliance on everyday tech.
Technology advances and the rise of the individual drives a need to secure new areas of vulnerability. However, this need to secure things must be balanced against the need to remain open to do business, or otherwise operate, and flexible enough to respond to the next threat. Everyone with a smart phone has the ability and perceived right to bank, communicate internationally and access work-related commercially sensitive information, whether in a café, on the train, or simply walking down the street. But many people fail to remember that these devices have the capacity and desire to continue to communicate, even when the owner may be unaware. Equally, data stored on the device could be accessed by an unknown third party, and employers may be employing people who are viewing inappropriate content whether that be false or illegal.
MEGATREND 2: CYBER THREATS ON PERSONAL DEVICES ARE A TECH RISK
How can we be vigilant when we don’t know who is watching?
Those who have reason to protect their personal security may need applications or new hardware to ensure their movements are not visible to others. That said, as with so many other security risks, the weak point in the system is often the human being. Posting information about their location to social media, even if the device is not tracking them, can assist someone with illegal intent to prepare for or carry out their plan. Kim Kardashian reportedly shared information not only about her location, but also the jewellery she had in her hotel room on the internet. But used correctly, the ability to track people overseas who have in effect been provided with an emergency beacon can be a hugely beneficial to a company operating in austere environments. This does of course require the individual to maintain a charge in the battery!
Whether not allowing employees to take devices to certain parts of a site or not allowing the devices to link to the networks at work, organisations need a tech risk policy and or physical means of controlling devices. Those seeking to break in to a network will work undaunted and seek every vulnerability, whilst risking being caught if the prize is believed worthy of the effort.
The Office of National Statistics estimated there were 3.8 million instances of cyber-crime in the 12 months to June 2016. In the three months after it was created the National Cyber Security Centre (NCSC) reported that the UK had been hit by 188 high-level attacks, serious enough to warrant NCSC involvement. Security managers in businesses or other organisations must now prepare the team to take precautionary or revisionary actions in response to a breach of a network, in the way that they previously had to respond to someone gaining access to the floorplate without a false security pass. Equally, thought must be given to what devices individuals are able to access work-related information on from home in these days of flexible working.
Education is critical. All of the individuals in the organisation must realise that their communications, whether voice or data, may be monitored by those with illegal intent. Ensuring the previous commercial meeting is not discussed until clear of the building may remain critical, but it is no longer just the conversation in the local cafe that is vulnerable. It may now be the car-phone conversation, email or other form of communication that is intercepted.
The protection of intellectual property is critical in an interconnected world, where the industrial practices and manufacture capability in many countries is so similar. With key information from a competitor the copying and manufacture of technology devices, luxury goods or key infrastructure-related equipment is possible to create significant commercial advantage. Organisations may now need both physical and cyber security to protect against loss; they will want insurance, and assurance, to potentially recover from loss; as well as the capability to screen employees to mitigate the loss.
Cyber threats are also a concern at national and government level, and drive a need for collaboration at national and international levels. Whether the technology that keeps aircraft in the air over our city streets, allows vehicles to brake and drive autonomously on motorways, or military equipment to function in combat, all is susceptible to attack with potentially severe consequences. Likewise, banks and other critical commercial functions must be protected to ensure they are not corrupted or shut down; with increased latency in trading systems slowing the reaction to an algorithm, and firewalls potentially reducing collaboration.
Therefore, the task of the security manager is complicated further, because any security introduced to the technology of an organisation must be proven not to impact competitive advantage or support for it will be lost. And with technology the greatest threat comes from those providing security publicly or privately not investing sufficiently in research and development, and thereby opening the door to those with illegal intent.
It may seem desirable but too expensive to protect against cyber-threats, but some form of protection is essential; and where education in avoidance can be included in a package of measures, the greatest asset rather than liability can become employees. The cyber-criminal could be spending nearly a year creating their attack; identifying vulnerabilities, covering their future tracks and picking the perfect time when an organisation is distracted. But has that organisation spent the same year preparing and protecting, and most importantly has that organisation got the resilience to spend a year recovering?
Cyber and tech risk can contribute directly to the volatility, uncertainty, complexity and ambiguity that organisations experience. The recent experiences of medical and other state organisations around the world hit with the ransomware attack that so seriously impacted the NHS, were of added complexity to their ongoing operations as they lost trust in systems; which was compounded by the uncertainty over how long the attack would impact them for, and to what extent. But what of the seed that has been planted in those systems for the next attack, or the vulnerability identified that will make things that bit easier or damaging next time. As always the attacked have to lucky every time, the attacker potentially just once.
In response to the feedback of our client base and the impact of the increasing complexity of tech risk that faces international businesses and other organisations, we have created Chelsea Group Security and Crisis Management. This brings together the long-standing capabilities of Hart Security Limited, specialist in the delivery of innovative, integrated security solutions in complex areas and Security Exchange, specialist in the prevention, management and recovery from critical security incidents worldwide.
Rob Noble is the Executive Director of the Chelsea Group Security and Crisis Management Division.