Government Cyber Security Kite Mark vs ISO 27001

December 16th, 2013

Last Thursday (12th December) the British Government issued a statement on the progress against the objectives set out in the UK Cyber Security Strategy.

Unsurprisingly, making cyberspace safer for UK business remains a top priority. In order to achieve that, the Government is said to have been working closely with industry to develop an agreed ‘Organisational Standard’, also referred to as a cyber security kitemark (see “The Telegraph”). Moreover, in order to reinforce this and give the standard a kick-start, the Government will be mandating its use in government procurement.

But is this not slightly confusing?

Firstly, kitemark schemes for services are intended for services where there is no existing UKAS-accredited certification scheme. But there is already a UKAS-accredited scheme for ISO27001, so it seems overly costly to create a new certification scheme to sit on top of, or replace, an existing internationally recognised one. After all, the Government wants to enable companies to trade internationally, so it should be pursuing internationally recognised standards.

Secondly, the Government already requires ISO27001 certification across a broad range of services it obtains from the private sector. Therefore, it is incomprehensible that the Government should be discarding years of work it has done to establish ISO27001 in favour of something that doesn’t yet exist!

It is worth applauding that the Government is putting its shoulder to the wheel in terms of cyber security, but I just wish they were being more sensible about it!

CISSP or CISM: Which – or Both?

May 3rd, 2013

In today’s underskilled cyber security marketplace, people ask whether they should acquire a CISSP or CISM qualification. Each qualification has different strengths – so, which do you think information security professionals should pursue?

Where do you think CISMP fits into a career path?

Or should you pursue an ISO 27001 certification from IBITGQ?

Cyber skills the issue for SMBs

May 2nd, 2013

New cybersecurity surveys continue to point at the two main challenges faced by most smaller businesses in terms of defending against cyber attack:

  1. They don’t know where they are vulnerable; and
  2. They don’t have the skills to close down the vulnerabilities anyway.

Two things to do: get an outside expert to come and do a cyber security risk assessment, and either engage them to help close down the identified vulnerabilities or get your own staff trained up. A CISSP should now be a basic qualification for anyone dealing with cyber security in a business of any size.

The cyber security frontline: your business

April 29th, 2013

Eugene Kaspersky – the founder of Kaspersky Lab, the world’s largest privately-held anti-malware vendor – made four important points in his cybersecurity seminar at Infosec 2013:

  1. “Every company is a victim of cyber attacks, whether they know it or not;”
  2. Even smaller businesses have a critical role to play in preventing cyber attackers from using them as stepping stones to bigger victims;
  3. Governments (and, by my own extension, critical national infrastructure organisations) have an essential duty to move their services to more secure environments where cyber attack is very difficult; and
  4. Everyone – governments in particular, as they control large budgets and regulatory powers – must contribute to the drive to increase the universe of cyber security skills.

From a ‘take action’ point of view, this translates into:

  1. Carry out a cyber security risk assessment as soon as possible, and act on the findings; and
  2. Initiate a programme of cyber security skills training amongst your IT team.

In the dark world of cyber security, your inattention will bring you to the attention of cyber attackers.

Cyber security skills gap

April 26th, 2013

I talked, earlier this week, about the evident gap between the concern expressed (in the 2013 ISBS survey) by the majority of managers about cyber security and the fact that their organisations continue to be breached, and linked this to a lack of appropriate competences in their organisations.

I don’t think this is surprising – most organisations build their IT teams in order to deliver services to customers, and they don’t do this with cyber security at the forefront of their mind.

The world has now changed – cyber security needs to be a core part of every organisation’s IT delivery strategy. In terms of skills and competences, this means that every organisation will need to employ people whose qualifications include ISO27001 Lead Implementer, ISO 27001 Lead Auditor, CISSP, CISA, CEH and CISM.

While a cyber security risk assessment is a sensible immediate first step for most organisations, the reality is that everyone is going to have to employ people with an appropriate skill set.

Cyber security – outside attacks

April 25th, 2013

According to the recent ISBS 2013 Survey, 78% of large organisations were attacked by an unauthorised outsider last year (an increase from 73% the previous year), while 63% of small organisations were similarly attacked from outside – a big increase from 41% the previous year. Small businesses are now squarely in the cyber firing line, and are being attacked much more frequently than before.

External attackers take advantage of vulnerabilities in network connections to the Internet and in corporate websites. Basic security practice in today’s climate should include quarterly security scans and penetration tests of all Internet-facing resources and connectivity, with identified vulnerabilities patched as fast as possible.

As we move into an era of ‘negative day’ attacks, taking no action to identify and close vulnerabilities is no longer an even vaguely sensible option!

Cyber security – how much should I spend?

April 24th, 2013

Cyber security costs money – but then, so does cyber insecurity – and the problem with data breach costs is that they are usually accompanied by even more expensive business disruption and reputation damage – often when you need it least!

Increasingly, organisations ask: “How much should we spend on getting ourselves cyber-secure?”

Here are two guidelines:

    1. According to the recently published ISBS 2013 survey, the total cost of cyber insecurity to British business increased three-fold last year. Therefore, whatever you spent on cybersecurity last year, you should spend roughly three times as much this year.
    2. The cost of the worst breach, for smaller organisations, was between £35k and £65k – and, with the median number of breaches for small organisations having climbed to 17, the actual annual cost is likely to be in the order of £100k. So, for a smaller organisation to spend up to £100k in an initial investment in order to reduce the growing annual losses to cyber risk, makes good sense. If you’re a larger organisation, for whom the worst breach costs in excess of £1 million, the necessary investment could easily be of that order.

Of course, how much you actually need to invest does depend on your actual cyber insecurity – and the way to work that out is to compare your current cyber security stance with that described in either the UK Government’s 10 Steps to Cyber Security or the NIST/CSIS 20 Security Controls. The appropriate framework depends on your organisational size. Yes, you will need to deploy competent and appropriately skilled people to do the assessment, and this is where services like professional cyber security risk assessments come in.

Cyber security risk assessment

April 24th, 2013

The 2013 Information Security Breaches Survey – published yesterday – makes it very clear that the vast majority of business managements and boards are concerned about cyber security, but are signally failing to translate that concern into a set of effective cyber defences.

This is not surprising – organisations build their IT infrastructures (and their IT teams) to deliver against business objectives, such as satisfied, more profitable customers. Most IT teams do not also contain extensive cyber security skills and competences; even where they do, the challenge of keeping those skills current and knowledge up-to-date for the most recent attack vectors and security requirements is substantial.

Luckily, cyber security skills and competences are readily available from specialist cyber security companies – such as my company, IT Governance Ltd. More importantly, these skills are available in a highly focused format: the cyber security risk assessment, a three-day exercise that is designed to analyse and assess the gap between what an organisation actually does and established good practice (such as the UK Government’s 10 Steps to Cyber Security), and to provide a clearly articulated action plan that will lead the organisation quickly to a more secure position.

UK Government to support small businesses tackling soaring cyber risk

April 23rd, 2013

The UK’s Department for Business, Innovation and Skills has released the following statement:

SUPPORT FOR SMALL BUSINESSES TO TACKLE RECORD LEVELS OF CYBER ATTACKS

More small businesses than ever are facing the threat of losing confidential information through cyber attacks, according to research published today by the Department for Business, Innovation and Skills (BIS).

The 2013 Information Security Breaches Survey has shown that 87 per cent of small businesses across all sectors experienced a breach in the last year. This is up more than 10 per cent and cost small businesses up to 6 per cent of their turnover, when they could protect themselves for far less.

This comes as the Technology Strategy Board extends its Innovation Vouchers scheme to allow small and medium enterprises (SMEs) to bid for up to £5,000 from a £500,000 pot to improve their cyber security by bringing in outside expertise. BIS is also publishing guidance to help small businesses put cyber security higher up the agenda and make it part of their normal business risk management procedures.

Minister for Universities and Science David Willetts said:

“Keeping electronic information safe and secure is vital to a business’s bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.

“The package of support we are announcing today will help small businesses protect valuable assets like financial information, websites, equipment, software and intellectual property, driving growth and keeping UK businesses ahead in the global race.”

The survey also showed that:

  • Large organisations are also still at high risk, with 93 per cent reporting breaches in the past year

  • The average cost of the worst security breach for small organisations was £35,000 to £65,000 and for large organisations was between £450,000 and £850,000. The vast majority of these were through cyber attack by an unauthorised outsider
  • The median number of breaches suffered was 113 for a large organisation (up from 71 a year ago) and 17 for a small business (up from 11 a year ago), meaning that affected companies experienced roughly 50 per cent more breaches than on average a year ago
  • Several individual breaches cost more than £1 million
  • 78 per cent of large organisations were attacked by an unauthorised outsider (up from 73 per cent a year ago) and 63 per cent of small businesses (up from 41 per cent a year ago)
  • 81 per cent of respondents reported that their senior management place a high or very high priority on security; however, many business leaders have not been able to translate expenditure into effective security defences
  • 84 per cent of large businesses report staff-related cyber breaches (the highest figure ever recorded) and 57 per cent of small businesses (up from 48 per cent a year ago)
  • 12 per cent of the worst security breaches were partly caused by senior management giving insufficient priority to security.

Andrew Miller, PwC information security director, said:

“UK businesses face more advanced threats than ever before from unauthorised outsiders. The business world has changed and companies of all sizes, in all countries and across industries, are now routinely sharing information across business borders, whether it’s with business partners or employees’ personal devices. Cyber security is critical. It is no longer only an IT challenge; business leaders need to make sure they are protecting what is most critical to their organisation’s growth and reputation.

“Organisations also need to make sure that the way they are spending their money in the control of cyber threats is effective. Spending on cyber control as a percentage of an organisation’s IT budget is up this year from an average of 8 per cent to 10 per cent, but the number of breaches and their impact is also up as well, so it is clear that there is work to be done in measuring the effectiveness of the security spend.”

Mike Cherry, National Policy Chairman, Federation of Small Businesses said:

“Cyber security is an increasing risk for small and micro businesses and, more and more, a barrier to growth. The FSB is very pleased to see the Government announce a package of measures including specific guidance for small firms, helping them take steps towards more effective cyber security. Information security should be part and parcel of good business practice. We need to cut through the jargon to give straightforward and practical advice, to help businesses put in place protections in their business.”

According to Government Communications Headquarters (GCHQ), it is estimated that 80 per cent or more of currently successful attacks can be prevented by simple best practice. This could be steps as straightforward as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted.

Notes to editors

Case studies (these are real, anonymised incidents)

Management at a small London insurer didn’t focus enough on security at their service provider – this led to a substantial data security breach. Information (such as announcements and business development reports) which they believed could only be accessed internally was actually being indexed by web crawlers and made available in search rankings. It took nearly a month to detect the problem, and then systems had to be taken offline for a week to fix it.

A mid-sized energy company suffered disk corruption in their storage area network. Unfortunately, it hadn’t been designed with sufficient redundancy in place. As a result, it took nearly a month to restore service to ‘business as usual’, after several man-weeks of effort and tens of thousands of pounds spent.

Following reports in the media of similar attacks, a large technology company discovered that hackers had accessed their website through a known vulnerability. The attack specifically targeted the organisation and was facilitated by the lack of priority placed on security. The company suffered significant adverse media coverage after taking a month to restore business as usual.

  1. In the survey small businesses are those with one to 50 employees, and large businesses are those with more than 250 employees
  2. The 2013 Information Security Breaches Survey (ISBS) was funded by BIS and carried out by PwC in conjunction with Infosecurity Europe. The results will be revealed on Tuesday 23 April at the Infosecurity Europe event. Copies of the report are available from the BIS press office.
  3. This annual survey is carried out to increase understanding and transparency of the cyber security landscape in the UK. The survey is anonymous, enabling government and businesses to benefit from accurate information on the cyber risks that businesses are facing, and how businesses are managing them.
  4. This guidance has been tailored to meet the needs of small businesses and helps them to understand and deal with cyber risk. It follows on from the “10 Steps to Cyber Security” guidance released by HM Government in September 2012, which was aimed at larger businesses and encouraging them to make cyber security a Board level responsibility. Copies are available from the BIS press office.
  5. BIS carries out this work under the National Cyber Security Programme which in turn delivers the UK Cyber Security Strategy, a key objective of which is to tackle cyber crime and make the UK one of the most secure places in the world to do business in cyberspace.
  6. The Technology Strategy Board is the UK’s innovation agency. Its goal is to accelerate economic growth by stimulating and supporting business-led innovation. Sponsored by the Department for Business, Innovation and Skills (BIS), the Technology Strategy Board brings together business, research and the public sector, supporting and accelerating the development of innovative products and services to meet market needs, tackle major societal challenges and help build the future economy. For more information please visit www.innovateuk.org.

Cyber attacks on business soar!

April 22nd, 2013

In a (hastily withdrawn because published ahead of its official release date) news article describing the findings of the Information Security Breaches Survey 2013, the UK’s Department for Business, Innovation and Skills (BIS) will tomorrow (Tuesday 23 April) report that 87% of small firms in the UK experienced a security breach last year, and that 93% of large firms had also been targeted. Some of the incidents caused more than £1 million in damages. The median number of breaches suffered by large organisations rose from 71 to 113 and, for small firms, from 11 to 17.

UK firms are clearly not doing a good job of preparing for or responding to cyber attacks.

The UK’s Universities and Science Minister will apparently say tomorrow:

“Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.”

I agree. There are simple steps that can be taken to prevent the majority of incidents. Step 1 is to find the open windows in your network, and close them. This means that the first and most basic cyber security step is to identify cyber vulnerabilities in your Internet connections and websites – and then to patch them. This is relatively straightforward – an externally-commissioned vulnerability and penetration test (and there are easy-to-purchase, fixed-price penetration testing packages available, as well as more customised services) will give you all the information that you need, both about the vulnerabilities and about what you need to do to patch them – but you need to commission such a test as fast as possible.

You could read this Green Paper on penetration testing and ISO27001 – but cyber-attackers aren’t about to slow down their activity – so you’ve got to start getting ahead: the faster you check your basic security, the faster you’re able to take remediation action to protect yourself and your valuable corporate assets.