You probably won’t win £108 million on the lottery. But you will get hacked…
There are times when I find it harder than usual to stay upbeat. As I’ve said before, much of what we do as IT security professionals feels like preaching Armageddon to atheists. They’re convinced it won’t happen, so they don’t really listen. Or perhaps they’re agnostic, so they listen – and maybe even believe – but don’t actually get around to doing anything.
Even when they’re compelled to care about it – like financial sector businesses – it’s amazing how many of them just want to do the minimum to pass regulatory muster. It’s not helped by so much of what’s sensible being expressed as guidance, rather than regulation, by the blessed FCA.
Unfortunately, whatever your religious beliefs, the risks from lax IT security are real, and they will get you in the end. You may already have been got, in fact, and just not know it yet. If your webserver has been infected with the Linux malware that’s currently doing the rounds and is being used as a spam-distribution point, would you even know? Or would you read the uptick in your bandwidth bill – assuming you ever look at the thing – as a marker of success?
I’m not going to catalogue lots of possible risks; I’ve done that elsewhere, and I’m not alone in doing so. Let’s just look at two recent cases. Firstly, a small UK incident:
The ICO fined the British Pregnancy Advisory Service for breaching customer confidentiality in a hacking attack. 10,000 people were affected. The fine? £200,000. Read the article I linked to – it’s particularly interesting because they had thought about the issue. Then they failed to do anything about it. Agnostics, I suppose.
Now a much larger US infosec catastrophe: Target (a large store chain) lost 40 million card holder details to hackers. Despite having lots of network security. Despite having recently invested in enhancing that security. The total costs of the incident are still being calculated, but I think we can scientifically estimate them to be…a lot. Why did it happen? Because despite their newly-installed systems telling them they’d been hacked, they did nothing about it.
At least Target had made an effort. They had a CIO, which is more than some companies. She quit after the incident, which is hardly surprising. Now they’re going to get a Chief Information Security Officer, and a Chief Compliance Officer. That stable door is definitely going to be bolted ever so tightly shut.
Lessons to learn?
- Whatever your size, please take this issue seriously. Make it someone’s specific responsibility at board level, and empower them to deal with it. If you don’t have appropriate expertise internally – and it would be unusual if you did – go and hire it. One consultant for three months is cheaper than one fine from the ICO. End of sales pitch.
- Make sure your board asks intelligent questions about your exposure. Get some security awareness training for them, or hire an IT-savvy NED. Again, it’s much cheaper than finding out, like the BPAS, that you’d not followed through on security-aware thinking. (I lied about the sales pitch being over.)
- Make sure all your staff get proper security awareness training. If they think securely, you mitigate your risk more effectively, and more cheaply, than any other way. You still need perimeter defence, ubiquitous anti-virus, intrusion detection and (above all) proper policies, but at least you won’t get compromised by laughably crude phishing emails.
- Have proper incident response procedures and follow them. Better a dozen false alarms on which you waste real resources than one unhandled disaster. Every time the boy cries wolf, go running. By all means beat him afterwards – or learn from your mistakes – but never stop responding.