Moving up to date, cyber security technology has moved at a staggering rate and the range of products covering a variety of different needs, platforms and functions is huge. Naturally, business seeks the best solutions for its cyber woes, and the less time and resource heavy, the better. This is where good technology and good security sometimes part ways. As we never tire of saying, security is a business and people-based thing that can't be made resilient by technology and IT alone. So I was disappointed to read a feature recently that emphatically denied the notion that people are the problem. The author clearly had a vested interest in that being true, so I guess it was really an advertorial. But the thought that anyone, after all the breaches and failures we have seen that were driven by people, and after the stats we get every quarter from the ICO confirming that human error is our biggest security weakness, could continue to deny the impact of human failure and assert technology as the only worthwhile solution was disappointing. Mainly because the ethos that IT is both the problem and the solution has been hard to shift, just as organisations have started to fully grasp the cultural challenge that cyber security really is. So for those who read pieces such as the one I described and believe they are getting good advice, I wonder: how do we deal with that? If businesses don't want to take the facts from the good guys (the ICO, security experts, data protection experts, independent researchers et al.) then will they take it from the hackers themselves? They know that people are the weakest link, and they know that resource, training and ongoing education, even of highly sought-after privileged account holders, is often lacking. 
Thycotic produced a very nice poll from the hacker convention Black Hat 2017 this month, with the top two recommendations being education for all key stakeholders in the fundamentals of cyber security and taking a people-centric approach to cyber security. And why did they recommend this? Because the hackers told them so... Multi-factor authentication (MFA) has been shown to be a clear advantage for security. If we are talking about the accounts of key individuals with privileged access, which we know hackers like to go after, it is clear why MFA is a definite requirement. Not far behind it is the cyber sentinel that is encryption, rarely out of the headlines whenever politicians discuss cybercrime and whenever ex heads of security services talk about the vital security measures we need without question. It still provides one of the best technology solutions to assist humans in managing their security. So think of an approach or culture that has covered off how people behave, makes appropriate use of encryption and utilises MFA in a proportionate manner. Given that hackers are telling us that only 5% of successful hacks are down to not having enough security software, this sounds like a reasonable place to start. But let's go back to people, as that is what hackers are telling us, fairly resoundingly, is the issue. If humans are the problem, what do the hackers see as the key reasons for the slip-ups and failings that are driving the breaches and opening up businesses to hacking? It looks like the new NCSC advice on password hygiene needs to be shared a little more widely... That advice would certainly help mitigate the risk that comes from forcing users to change, and then remember, passwords, and the possibility that users write passwords down or create insecure passwords in order to save time and effort. Never-ending updates are tough. We have to patch software; it's a fact of life. When things go unpatched we end up with situations like WannaCry and NotPetya. 
After the initial WannaCry outbreak, Microsoft responded by issuing emergency patches for out-of-support legacy systems to help stop the spread (the fix for supported versions of Windows, MS17-010, had already been available since March 2017), but some businesses still did not apply them and so the outbreak continued. If organisations don't patch even in those critical circumstances, then we know we have an issue. The fact of the matter is, we do live under constant cyber threat. We can either take the required steps to mitigate the risk or not, and when we talk about information overload, I wonder if this is information overload combined with insight deficit. In other words, scary stories of hacks, breaches and failures but no insight gained, no steps identified and no positive action planned. Data is one thing; combined with other data it becomes information; but insight is knowing what to do with the information. Hackers are more than happy to exploit this human vulnerability of cyber fatigue, and it is no surprise that the password issue is top of the list. We know that familiarity can breed contempt, as the saying goes. But cyber security is too important to take the chance of this happening, especially with privileged account holders, whom hackers prize so highly. They prize them highly for a reason. If hackers are telling us in no uncertain terms that our people are the key vulnerability they exploit, then we really need to listen. Businesses need to wise up to tech cyber amulets: however nice it would be to think that there is a solution that requires no effort or input from people, we are not there yet. The cultural place where most businesses operate (yes, SMEs, I am looking at you) is one that doesn't fully grasp their information security issues and is all too eager, with stretched resources of both money and people, to continue to believe the myth of the standalone technical solution. I understand, because the idea that a piece of kit can genuinely provide all the answers and that breaches will simply stop is quite intoxicating. 
I do know from experience though, that what we dream or imagine, isn't always what we get. I still get out of bed manually, the microwave has not replaced the cooker and not everyone fancied the corner bath. For me, a genuine focus on the human factors of security and cyber security makes me feel the same way I did when I (thought I) saw that revolving bed with a built-in Teasmade, optimistic and excited that one day, it will happen. When it does, I might be here... writing here about it...maybe drinking tea and revolving...
- By Ellie Hurst
- Posted 9th November 2017
- In business, CNI, Critical National Infrastructure, critical systems, cyber security, data protection, EU, GDPR, information security, Infosec, ISO27001, NIS, NISR, regulation, resilience, UK business
Thank you to our resident NCIS expert, Great Wall of China charity-walking Director, Julia McCarron, for this timely reminder that GDPR is not the only regulation on the horizon and, whilst it might not impact everyone, we need to be aware of it. As the clock ticks towards the need to comply with the EU General Data Protection Regulation (GDPR) by May 2018, the new Data Protection Bill is making its way through Parliament. The Bill essentially takes what was good from the Data Protection Act 1998, updates it to cater for today’s cyber and digital world, gives people more power over their data and its use, and infuses it with European personal data protection requirements. Brexit or no Brexit, GDPR will affect us all regardless, and the Bill is designed to give us basically a one-stop shop where the EU is concerned. So, I have no doubt that your daily inbox is overflowing with emails saying, “Come to our GDPR event”, “Time is running out for GDPR compliance”, “You need to buy our product to be GDPR compliant” etc… Whilst I would question the validity of any emails stating the latter, GDPR is an important piece of regulation that no business can afford to ignore. Time is running out … just 6 months to go. But it cannot be seen in isolation. It has to be part of a wider data protection review: you cannot comply with GDPR if you are not following data protection legislation and best practice. But you all know this … or you do now. And if you don’t know what to do about it then see me after school. But in amongst all of this there seems to be another EU directive that is operating under the radar. The Network and Information Systems (NIS) Directive was first proposed in 2013. For those of you who are regular readers of my blogs, you will no doubt picture my enthusiasm when I first read about the Directive, NIS also standing for the US Naval Investigative Service, the precursor to my beloved NCIS. 
I had visions of Leroy Jethro Gibbs locking heads with the heads of EU member states. But sadly that was where the connection ended. #GibbsRule51 – Sometimes you’re wrong. The NIS Directive aims to improve the EU’s preparedness for a cyber attack. Member States recognised back in 2013 that the growing threat of these attacks could potentially affect not just one organisation, one county or one country but an entire union. This has already come to pass with the WannaCry ransomware attack in May, which affected not only UK NHS organisations but many others worldwide in a single simultaneous outbreak. The ransomware crippled certain parts of the NHS, and I know family affected directly by delays in obtaining important clinical test results as a direct result of WannaCry. So, having looked into their crystal ball, the EU could see what was coming and put forward a proposal that became a directive in August 2016, giving Member States 21 months (to May 2018) to transpose the Directive into their respective national laws. So what was this proposal all about, and what is the Directive’s aim? Network and information systems, and the essential services they deliver and support, are critical in today’s society. Whether it’s the provision of health services, emergency services, transportation services or access to important utilities like water, gas, telecoms and electricity, even financial systems, they all rely on some form of networked digital infrastructure. And it’s these systems that we need to secure in order to maintain their reliability, integrity and availability and keep the world going. It is the Directive’s goal to raise the overall level of security and resilience of network and information systems across the EU. To achieve this it provides the legal footing to:
- Ensure that Member States have in place a national framework (eg a National Cyber Security Strategy), teams (eg Computer Security Incident Response Team (CSIRT)), and a national NIS competent authority so that they are equipped to manage a cyber security incident.
- Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents and as well as sharing information about risks.
- Ensure that businesses within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. Engagement with industry is therefore crucial in the implementation of the directive.
- Objective A. Appropriate organisational structures, policies and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services, e.g. governance structures, risk management, asset management, supply chain management.
- Objective B. Proportionate security measures in place to protect essential services and systems from cyber attack, e.g. service protection policies and processes, identity and access control, data security, system security, resilient networks and systems, staff awareness and training.
- Objective C. Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services, e.g. security monitoring, anomaly detection.
- Objective D. Capabilities to minimise the impact of a cyber security incident on the delivery of essential services, including the restoration of those services where necessary, e.g. response and recovery planning, improvements.
- NIS is about securing critical networks and services across the EU to prevent large-scale, crippling cyber attacks.
- NIS is a Directive that certain UK businesses will need to comply with by May 2018.
- GDPR is a data protection regulation that all UK businesses will need to comply with by May 2018 and will form a large part of the Data Protection Bill.
- Complying with ISO27001 will cover the majority of compliance requirements of both NIS and GDPR. However, complying with one in isolation will not ensure total compliance with either or both of the others.
- ISO27001 best practice guidance is there for a reason – follow it and make your life easier. #GibbsRule5 – Don’t waste good.