RiskUKSeptember2017

More documents

Recommendations

Info

Defending The Digital World The world has always been unfortunate enough to harbour thieves, spies and vandals, but digital technology has changed how those individuals operate as well as the environment in which they work. This is undoing assumptions that have been the basis for our approach to security for decades and forcing us to develop a new way of thinking when it comes to protecting ourselves and our businesses. Here, James Hatch elaborates on the fine points of detail Discussion of digital technology has tended to focus largely on the Internet, but the new world we’re building is based on the much broader application of such technology. Miniaturisation of electronics continues to drive adoption as new applications become more cost-effective. Through this increase, we’re adding instrumentation capable of producing digital data for many aspects of our lives, from smart meters in our homes through to the GPSequipped smart phones in our pockets. At the same time, the reusability of software is adding intelligence and decision-making through automation and machine learning – technologies that have been well understood since the 1990s, but are now being set loose by the availability of increased computer processing power. Cloud technology and mega-scale Data Centres are enabling the collection and analysis of massive amounts of data to provide services, operate businesses and Government, conduct research and tackle crime. The direct impact on our economy has long been recognised, and particularly so in the areas of e-commerce and online retail. A higher proportion of the UK’s economy is online than is the case in other major nations. Now, digital technology is allowing firms like Uber and Airbnb to transform the taxi and hotel industries even though they operate in fundamentally physical markets. Gartner is predicting this process of digitisation will spread through every part of the economy. The impact on social and political discourse has become more apparent over the last year or two. Digital technology allows people to meet and maintain contact independently of physical location, meaning that we spend more time engaging with people who are like us rather than near us. Also, we increasingly rely on digital media for our information in place of TV and the printed word. Facebook is now the world’s largest distributor of news. Of late, we’ve seen the impact of these trends on politics. As both data-targeted campaigning and ‘grass roots’ online organisation have increased and political debate has been fragmented among social media echo chambers, it has become ever-more difficult to understand and forecast the intentions of voters. The potential for hacking, leaking and other information operations to influence elections has now become clear to the public. We can also see big changes coming in the physical world. Connected devices allow us to create smart homes. Driverless cars are just around the corner. Industrial companies are seeking productivity improvements with initiatives such as digital oilfields and the digital railway. As consumer technology becomes more and more personal to us and our bodies, so it will merge with digital medicine coming out of hospitals. Thinking about security For most people and many institutions, their mental model of security hasn’t kept pace with the changes in our world brought about by digital technology. The established models of security have worked on a clear division of responsibility that’s best understood in physical terms. As organisations and individuals, we protect our property using risk management and, often, do so informally. We decide how much to spend based on the value of assets and the threat we perceive in terms of where they’re sited. A jewellers shop in a big city will spend more on security than a bakery in the country, for example. When criminals break through protection mechanisms and we’re burgled or robbed, we seek help from law enforcement to defend ourselves. The division of responsibility is clear. We expect Government to help when something goes wrong, but we accept that it’s our job to 56 www.risk-uk.com
Cyber Security: Risk Management in the Digital World ensure that our property is properly and adequately protected in the first place. This is the world we live in and understand, but it’s only a part of security. There’s another world of security: national security. We expect Governments to maintain the intelligence and surveillance capability to know what’s going on in the wider world and the military capability to deter or deal with any aggression that comes from beyond our borders. There are places where these two worlds overlap, such as in foreign-inspired domestic terrorism, but the challenge involved merely illustrates how separately we can maintain the distinction. As businesses and private individuals, we rely on physical distance to keep these two worlds apart and on Governments to manage global threats. We expect the national security apparatus to maintain a physical barrier between threats in the Middle East and a domestic business in an English town. Individuals and businesses have concentrated on local protection. This form of thinking persists in approaches towards cyber security. Now, the increasing prevalence of digital technology is making physical distance irrelevant. As more of our world is connected, geography becomes less relevant and distance is almost useless at insulating us from far-off threats. Security officials believe that hackers in North Korea were behind the attack that crippled parts of the NHS earlier this year. Security is still reliant upon protection, enforcement, intelligence and military domains, but the barriers between these domains are dissolving while the domains themselves now increasingly overlap. Assessing the implications The blurring of the boundaries of these domains means that we need to revise the established model of security and the responsibilities of individuals, organisations and Governments. Changes to the traditional security model have three implications. First, it changes the division of responsibility between businesses and Government. Protecting a business’ assets would traditionally have been something that was entirely the responsibility of that business, but there’s increasing willingness by Government to undertake protection activities, particularly so where it can do this most effectively by working on core infrastructure. In the UK, for example, we’ve seen the creation of the National Cyber Security Centre, a bold step taking part of GCHQ out of the intelligence world and giving it a broad public role in cyber protection for the whole country. “Security is still reliant upon protection, enforcement, intelligence and military domains, but the barriers between these domains are dissolving” Meanwhile, the Chinese Government has just brought in its first cyber security law with the stated aim of shielding domestic Chinese data from foreign espionage. Conversely, financial services organisations and technology platforms are sometimes better placed than police forces to help the victims of online criminality. Someone who falls prey to a fraudster on a website such as Amazon is less likely to report it to the police and more likely simply to seek a refund through Amazon or, as an alternative, their credit card company. Second, we need a way in which to defend global business networks and technology platforms that doesn’t trip over the national focus of Government agencies. Governments understandably prioritise their own countries when it comes to security, whereas technology, infrastructure and financial systems are all fundamentally international with big businesses and social networks typically running across countries. Law enforcement organisations in particular have evolved from a primarily territorial remit. This is challenging for collaboration even within countries, but leads to real problems internationally where enforcement activity needs to work across jurisdictions and investigators have to navigate differences in legal structures and approaches, never mind the nuances of language and culture. Businesses cannot rely on distance and Governments to insulate them from risk. We need active business defence to protect our organisations. This involves very different capabilities from those traditionally in place within IT and risk teams in business. Business defence uses intelligence on adversaries, technical vulnerabilities and the organisation itself to build a full understanding of the situation and prioritise resources to deal with those risks of most significance. This needs to include an understanding of the relevant activities and implications of all four domains of security globally rather than the traditional local perspective. Importantly, business defence engineers organisations to be robust such that their systems, processes and people are difficult to compromise. Business defence maintains the vigilance to identify problems early as well as the readiness to deal with them before they can cause serious damage. James Hatch: Director of Cyber Services at BAE Systems Applied Intelligence 57 www.risk-uk.com
Page 1 and 2:
September 2017 www.risk-uk.com Secu
Page 3 and 4:
September 2017 Contents 42 Meet The
Page 5 and 6: Editorial Comment More zones, more
Page 7 and 8: News Update “Employees pose great
Page 9 and 10: News Analysis: British Standard 859
Page 11 and 12: They see a well secured airport. Yo
Page 13 and 14: News Special: Cortech Open Innovati
Page 15 and 16: Opinion: ISO 22316 Security and Org
Page 17 and 18: Opinion: Apprenticeships in the Sec
Page 19 and 20: BSIA Briefing With an estimated eig
Page 21 and 22: “ MY PASSION IS PERFECTION IN EVE
Page 23 and 24: Enterprise Security Risk Management
Page 25 and 26: Bribery, Fraud and Corruption: Risk
Page 27 and 28: Crisis Management: Leadership in Pr
Page 29 and 30: www.coie.uk.com Cortech Open Innova
Page 31 and 32: Lone Worker Security and Safety wor
Page 33 and 34: The Changing Face of Security Servi
Page 35 and 36: Multi award winning security servic
Page 41 and 42: Tel: 08707 508070 Fax: 08707 508066
Page 43 and 44: Meet The Security Company: Doyle Se
Page 45 and 46: Fire Safety Planning: Emergency Eva
Page 47 and 48: National Association for Healthcare
Page 49 and 50: The Security Institute’s View and
Page 51 and 52: In the Spotlight: ASIS Internationa
Page 53 and 54: FIA Technical Briefing: Gaseous Fix
Page 55: Security Services: Best Practice Ca
Page 59 and 60: Training and Career Development ‘
Page 61 and 62: Risk in Action Cambridgeshire Fire
Page 63 and 64: Technology in Focus SPC Connect’s
Page 65 and 66: Appointments Magnus Ahlqvist The Bo
Page 67 and 68: thepaper Business News for Security
Page 69 and 70: CCTV CCTV Rapid Deployment Digital
Page 71 and 72: SECURITY ANTI-CLIMB SOLUTIONS & SEC
show all

RiskUKSeptember2017

Create successful ePaper yourself

Delete template?

Save as template?