Cyber security – it’s not just an IT problem
- Cyber security is not just a problem to be tackled by the IT department
- The exposure is broad and poses a real risk at every level of operations
- Organisations need a plan to help prevent losses and a clear response ready for when things go wrong
Managing your cyber risk is not an IT problem – at least, it’s not just an IT problem. Too many organisations make the mistake of assuming that, because they have an in-house technical team, managing their cyber exposure is something for the technicians to worry about.
But the days when computers were just the province of the IT department are long gone, and the public sector needs to wake up to the massive expansion of its exposure into every aspect of operations – making risk management the responsibility of all staff.
Not only do most public sector organisations have large numbers of people accessing their network on a range of devices, but they also have specific vulnerabilities because of the sensitive nature of much of the data they hold – data that is essential to the smooth running of the organisation.
Of course, the IT department can put up firewalls and build defences against an attack from outside. But it’s human error – or deliberate misuse – where the real risk lies. For example, if a local authority, hospital or school does not have an enterprise-wide approach to cyber safety, private data on a service user, patient or student could easily be lost or mislaid by staff using mobile devices or accessing the network from home.
In addition, with organisations increasingly working with third parties to deliver services, it’s not just your own security procedures you need to be aware of, but your partners’ too. One weak link in the information security of your supply chain or delivery model could have disastrous consequences.
Get your strategy wrong, and at the very least you could face costly claims. Serious reputational damage is also a very real possibility.
And then of course there are the malicious programmes and hackers constantly trying to invade your technology.
The December hack of Sony Pictures Entertainment stunned the entertainment world and prompted an investigation by the FBI.
The hack rendered the company’s computers unusable, with staff told to switch off their technology. The firm’s email systems were taken down and the network paralysed.
The hackers then leaked a large quantity of information from the company, including details of private emails, unreleased films, information on actors’ salaries, payroll data and social security numbers for more than 47,000 employees.
A huge nightmare for any company to handle, quite apart from the reputational fallout of suffering one of the most damaging and embarrassing security breaches in history.
Not an isolated case
The scale of this hack was unprecedented, but new research from antivirus and internet security company Kaspersky Lab shows that the average Apple Mac user encountered nine cyber threats during 2014, with a total of 1,499 new malicious programmes for Mac OS X detected during the year – 200 more than in 2013. And other computer systems are also being bombarded with threats.
Staff who use their mobile phones to read emails or work away from their offices as part of a ‘bring your own device’ policy are also at risk. From November 2013 to October 2014, Kaspersky Lab warded off 1,363,549 unique attacks on mobiles, a sharp rise from 335,000 the previous year.
The stakes are undoubtedly high, and as a result, risk management needs to be thorough across all operations.
For a start, all organisations need to regularly review their IT policy and ensure that it covers everything: how to handle data, passwords, what constitutes appropriate web access, and how and when personal devices can be connected to the network.
Everyone needs to understand its contents, and the document needs to become a living part of the organisation’s operations, one that develops with experience to reflect the changing exposure.
But, however good this document is, and however well you communicate and reinforce its contents, it is almost inevitable that there will be a breach.
Long before this happens, make sure you have clear – and rehearsed – emergency procedures for dealing appropriately with data leaks, malicious programmes and business interruption, dovetailed into communication and business continuity planning where necessary. Your reaction needs to be as pitch-perfect as your prior mitigation.
Finally, look to your limits. Examine your insurance cover and check how it will adapt to changing exposures as technology develops. Be aware that you could face liability claims if it is established, and in the corporate world major cyber losses are already taking down Board members.
If anything, there is more at stake in a public sector organisation – certainly enough to make sure that responsibility for risk is not left to the IT guys and a whole risk diagnostic approach is taken.