Risk UK, September 2017
Cyber Security: Risk Management in the Digital World
ensure that our property is properly and adequately protected in the first place. This is the world we live in and understand, but it is only a part of security. There is another world of security: national security. We expect Governments to maintain the intelligence and surveillance capability to know what is going on in the wider world, and the military capability to deter or deal with any aggression that comes from beyond our borders. There are places where these two worlds overlap, such as foreign-inspired domestic terrorism, but the difficulty of handling that overlap merely illustrates how clearly we normally maintain the distinction.
As businesses and private individuals, we rely on physical distance to keep these two worlds apart and on Governments to manage global threats. We expect the national security apparatus to maintain a physical barrier between threats in the Middle East and a domestic business in an English town. Individuals and businesses have concentrated on local protection. This form of thinking persists in approaches towards cyber security.
Now, the increasing prevalence of digital technology is making physical distance irrelevant. As more of our world is connected, geography becomes less relevant and distance is almost useless at insulating us from far-off threats. Security officials believe that hackers in North Korea were behind the attack that crippled parts of the NHS earlier this year.
Security is still reliant upon the protection, enforcement, intelligence and military domains, but the barriers between these domains are dissolving while the domains themselves now increasingly overlap.
Assessing the implications
The blurring of the boundaries of these domains means that we need to revise the established model of security and the responsibilities of individuals, organisations and Governments.
Changes to the traditional security model have three implications. First, they change the division of responsibility between businesses and Government. Protecting a business's assets would traditionally have been entirely the responsibility of that business, but there is increasing willingness by Government to undertake protection activities, particularly where it can do so most effectively by working on core infrastructure.
In the UK, for example, we have seen the creation of the National Cyber Security Centre, a bold step taking part of GCHQ out of the intelligence world and giving it a broad public role in cyber protection for the whole country.
“Security is still reliant upon protection, enforcement, intelligence and military domains, but the barriers between these domains are dissolving”
Meanwhile, the Chinese Government has just brought in its first cyber security law with the stated aim of shielding domestic Chinese data from foreign espionage.
Conversely, financial services organisations and technology platforms are sometimes better placed than police forces to help the victims of online criminality. Someone who falls prey to a fraudster on a website such as Amazon is less likely to report it to the police and more likely simply to seek a refund through Amazon or, as an alternative, their credit card company.
Second, we need a way to defend global business networks and technology platforms that does not trip over the national focus of Government agencies. Governments understandably prioritise their own countries when it comes to security, whereas technology, infrastructure and financial systems are all fundamentally international, with big businesses and social networks typically running across countries.
Law enforcement organisations in particular have evolved from a primarily territorial remit. This is challenging for collaboration even within countries, but leads to real problems internationally, where enforcement activity needs to work across jurisdictions and investigators have to navigate differences in legal structures and approaches, never mind the nuances of language and culture.
Businesses cannot rely on distance and Governments to insulate them from risk. We need active business defence to protect our organisations. This involves very different capabilities from those traditionally in place within IT and risk teams in business.
Business defence uses intelligence on adversaries, on technical vulnerabilities and on the organisation itself to build a full understanding of the situation and to prioritise resources against the risks of most significance. This needs to include an understanding of the relevant activities and implications of all four security domains globally, rather than the traditional local perspective.
Importantly, business defence engineers organisations to be robust, such that their systems, processes and people are difficult to compromise. Business defence maintains the vigilance to identify problems early as well as the readiness to deal with them before they can cause serious damage.
James Hatch: Director of Cyber Services at BAE Systems Applied Intelligence
www.risk-uk.com