Risk management: Growing pains
As security becomes a board-level concern, those in charge of it can no longer hide behind the doors of the IT department.
If you're a chief information or security officer, chances are your job has got, well, just a little bit harder over the past couple of years. Not so long ago, being a CIO or CSO was something of a nice little number, according to Calum MacLeod, European director of Cyber-Ark Software. "You moved upstairs, got the mahogany desk and the Mercedes and you could wait for retirement," he says. "Now these job titles are a poison chalice."
Until recently, the CSO's main responsibility was to oversee fire-fighting; it was essentially reactive. When a problem arose, you dealt with it, then things quietened down and you could relax until the next worm or Trojan reared its ugly head.
But life has changed. For one thing, the occasional attacks of the good old days have merged into a continuum. And, if this wasn't enough to deal with, there are always those little employee-based incidents. Like the ones that result in 90,000 of your customers' bank details being accidentally lost somewhere in the public domain. Finally there's all that pesky compliance. So, not only is the environment a lot more threatening and hostile, you and the board are also a lot more accountable.
"From our experience, there has certainly been a fundamental shift as organisations have had to adapt to the fact that they need control and process in their security," says Peter Woollacott, chief executive of threat managers Tier-3. "Obviously risk management is part of that." This change has been driven by a number of factors over the past few years. Individually, they'd be noteworthy and troublesome. Taken together, they have forced CIOs and CSOs to become something far more akin to strategic risk managers.
On the cyber-attack side, we have seen the professionalisation of hacking. Until around 2000, the stereotype of the hacker as a spotty kid in a bedroom devising ever more virulent viruses pretty much held up. Now it is far more likely to be organised crime - anything from professional gangs targeting Indian data processing centres to the Russian mafia trying to extort banks. In parallel to this, we have also seen the automation of much of this kind of crime. Especially with denial-of-service attacks, online criminals now rely on huge armies of hundreds of thousands of infected machines whose owners are little the wiser. Large-scale mayhem has been available at the push of a button for some time now and the expertise is for hire. Moreover, unlike the website defacers and worm writers of the 1990s, today's hackers don't do it for prestige or fun; it's strictly business. "Hackers don't show off anymore," says Woollacott. "Most data losses are now taking place in an unknown realm."
The human fallibility and opportunistic theft side of things has escalated too and has been much in the news recently, most notably with the now infamous Nationwide laptop incident. Stolen from an employee's home, this had millions of customer details on it and resulted in an FSA probe, a £980,000 fine and heaps of bad publicity for the building society. Of course, this was a high-profile case, but there are plenty of others who are equally careless with their high-tech toys. A recent survey by Pointsec Mobile Technologies showed that, in the six months to November 2006, 54,874 mobile phones, 4,718 handhelds, 3,179 laptops and 923 USB sticks were left in London taxis.
The threats from within a business should not be taken lightly either. "Let's not forget that the majority of fraud and theft is perpetrated by insiders," says Martin Joy, CIO of Control Risks Group, "so protecting against this threat is a real challenge."
Tony Dyhouse, security director at defence technology company QinetiQ, takes a similar line: "A disgruntled employee can be a very big problem, and you need to start seeing threats in these terms."
Demand and supply
Of course, information theft would not be such a growth area without the demand for the stolen goods. With electronics becoming ever cheaper, most laptops are barely worth taking for their intrinsic value. On their hard drives, however, they might have a far more valuable prize: for example 20,000 sets of personal details that can be sold for 50p apiece. Thus, the potential reward for stealing data-rich devices is far greater than it once was. The identity theft industry is booming and, in the UK alone, it is believed to cost about £1.7 billion a year.
The results are plain for all to see. According to the Department of Trade and Industry's Information Security Breaches Survey 2006, 87 per cent of large businesses experienced a security incident in the past year. Of these, 84 per cent had been the victim of premeditated incidents and 46 per cent had suffered accidental losses or corruption of data. The report also noted that "many UK companies are a long way from having a security-aware culture. Security expenditure is either low or not targeted at key risks." It recommended companies "use risk assessment to target investment in security controls at the areas of maximum business benefit".
If things are bad now for those at the sharp end of information security, they are likely to get worse. For starters, the organisational perimeter is getting ever more permeable. Whether through employees using MP3 players to transport files or logging on to insecure hotspots at home or on the move, the places corporate data can leak out are multiplying. And that's before we even start talking about smartphones and their ilk.
The problem here is that small devices that are easier to steal and yet tend to be more lightly protected are becoming much more powerful and hold ever greater quantities of data. A laptop is a pretty big thing to lose or have stolen; that's why the number left behind in London cabs was relatively low in the Pointsec survey quoted earlier. But the number of mobile phone losses is huge. And this points to an equally large potential problem. Most people still regard the loss or theft of their phone as an inconvenience, or even an opportunity to upgrade. But today's phones are often as powerful as laptops were four years ago. Worse still are devices such as BlackBerrys and iPaqs, which are as easy to lose or steal as a phone and can carry as much sensitive data as a laptop.
Then we have compliance issues. These range from Sarbanes-Oxley in the US to the Payment Card Industry standard to the Data Protection Act, and they place the onus for any number of IT security issues firmly with the board. Quite simply, in many cases, not being compliant is not an option. And having to sign things off and "own" them really focuses the mind. It could get far worse too. In the US, companies are obliged to report data breaches, no matter how minor, and the results are posted on to websites such as privacyrights.org. If, as seems likely, the EU adopts similar legislation, company executives will no longer be able to just ignore problems and cross their fingers.
Indeed, this points to a growing problem with security breaches, which is the impact they have on a brand. "You need to see it in terms of reputational risk and the damage these incidents can do to you," says Crispin Sturrock, CEO of Whiterock Defence. If you are a bank or a financial company, and it is made public that you've accidentally released thousands of account details, you are not only liable for the immediate costs, but will also have to deal with the fact that customers may see you as less secure.
So, if all these factors have driven IT risk assessment up the corporate agenda, what needs to be done? The people in this sort of role need to become far more strategic in their thinking and move away from the nuts and bolts of IT, says Dyhouse. "Traditionally, the person in charge of IT was a technocrat - usually not a manager but an engineer. What we see now is that this is becoming a much more senior management role. The IT manager or CIO needs to be interested in the business drivers and how it impacts on PR. Risk management tends to be very intangible and involve intuition. And this is not the mindset normally associated with IT engineers."
Joy agrees. "I believe this trend is actually a reflection of the fact that information and network security involve a great deal more than just technology," he says. "Yes, you do everything you can to secure the communications infrastructure from hackers, intrusion, viruses, worms etc. But the more important part is ensuring that the processes, policies and governance are in place to safeguard the integrity and security of the content and interaction actually travelling over the plumbing.
"Risk assessment has always been part of the CIO's portfolio of responsibilities," Joy continues, "but the fact that the role of CSO is gaining clout indicates how important security is becoming across the board."
In practice this means taking a very holistic view as to how risk and security fit into the business as a whole. "You need to look at what the business is doing and see how changes can affect security," explains Dyhouse. "For instance, if you're closing 30 branches then that's a threat. Your employees always have the means and the opportunities to cause data leaks. If you give them the motivation too, then you have a problem."
You need to develop a plan that is practical and effective. Many experts recommend the PCI standard as a good model. Broadly this states that you should build and maintain a secure network, protect sensitive data, maintain a vulnerability management program, implement strong access control, monitor and test regularly and uphold an information security policy.
The one thing you should not do, however, is say that it does not apply to you. Information security is no longer the preserve of the obvious businesses such as banks. No matter what sector you are in, compliance will almost certainly affect you and, whether it's Sarbanes-Oxley, the Data Protection Act or the PCI standard, you need to familiarise yourself with the regulations that will affect how you manage risk within your business.
Peter Yap, director of forensics at consultancy Control Risks, recommends bringing all aspects of security and risk under one reporting line, either at board level or with direct access to the board, that encompasses risk, IT security and physical security.
He also advises educating the workforce. This point is a trenchant but often rather overlooked one. With the potential for a million-pound fine for a stolen laptop containing sensitive information, there is no point in all the strategy in the world unless you raise awareness on the ground. Indeed, as most leaks do come from within, putting a framework in place that educates people, rewards good behaviour and penalises carelessness should be a cornerstone of any strategy.
It can be surprising just how ignorant or careless otherwise intelligent people can be. This can sometimes include those whose job it is to know better, says MacLeod. "Not long ago, I met a CSO who was adamant that because the machine that held all the company's mergers and acquisitions data was physically in the boardroom, the information was secure," he recalls.
CASE STUDY WILLIAM HILL
IT security is crucial for bookmakers as website downtime means losing money. In fact, William Hill, along with other firms in this sector, was aggressively targeted by denial-of-service attacks a few years ago. These were effectively online extortion: pay up or we take down your site. The company stood firm.
"Most of our security strategy is based around the website, trying to protect it from people who want to get their hands on the punters' money," says Alan Alderson, an enterprise architect at William Hill. "So it's primarily that: website support applications and also the network."
Internally the organisation uses a compliance tool on desktops to check that anti-virus software is up to date, software is running its latest version and so on. This, says Alderson, cannot be shut down. William Hill is also looking at intrusion equipment on desktops and protecting USB sticks. As for laptops, there's plenty of encryption.
Overall, he continues, it's all about confidentiality, integrity and ensuring that the data is only available to those who need it. To this end, the bookmaker is migrating all procedures and processes to an information security management system based around ISO 27001. The business hopes to be PCI compliant by June.
The thinking behind the strategy, he adds, is mainly that the business's internet presence is key and needs to be as resilient and secure as possible. So it is really just a matter of commercial sense. The punters need to feel that they're giving their credit card details to someone they can trust. And, if the site is taken down for any length of time, well, there are numerous competitors they can go to.