We have entered a new era of technology. The fourth industrial revolution (4IR) has built on, and extended, the impact of digitalisation in new and unanticipated ways (eg genome editing; machine intelligence and blockchain technology). In the ‘50s and ‘60s the third industrial revolution saw the advent of electronics and IT that automated production lines and created mass efficiencies in the processing and sharing of data.
4IR has taken this one step further, combining cyber and physical systems to give people and machines entirely new capabilities and exponentially better efficiency and outcomes. While this rapid technological advance has created global opportunity, it has not occurred evenly – it is a fact that today more people in the world have access to some form of technology than to basic sanitation. This inequality increases the risk to the system as a whole.
Moreover, this rapid adoption of new tech has not been matched by an appetite to ensure that the technologies we are using to support 4IR are secure or even being used in the correct way. A plethora of ransomware attacks (eg the NHS, a German hospital and the health tech firm testing coronavirus treatments) are powerful reminders that we are operating in a brave new world where the security of our systems needs more attention.
Attacks that undermine our supply chain are on the rise
In a hyper-connected world, where access to any given network could be achieved by a few keystrokes, security is critically important. The entire global framework for business is built on a fragile network of connectivity. Every distributor, supplier, manufacturer, sales team – you name it – is seamlessly connected to each other, each creating a vector for attack and each, therefore, a potential vulnerability in the chain. Cyberspace has become a virtual battlefield for anyone to ‘facelessly’ have a go at disrupting operations.
Controversially, the clear opportunities have given way to a new wave of attack vectors: ones that seek to exploit supply chain vulnerabilities. If the attack on Codecov[1], which affected all 29,000 of their clients with malware-infected software, is not enough, then consider the SolarWinds[2] attack that targeted more than 18,000 customers, including the U.S. Treasury, Justice and Commerce departments, whose email accounts were compromised as a result. These two are clear examples of a supply chain attack, the fallout indiscriminate and vast. Serious hackers almost certainly prefer the path of least resistance, and if they can achieve volume, in a one-to-many fashion, they will.
Difficult-to-breach cyber security controls
Supply chains present a veritable conduit to attack another organisation in the same chain, perhaps one that has more difficult-to-breach cyber security controls. The data breach that revealed the data of 70 million customers, along with credit card details, and cost US chain Target $162M was due to the lax cyber security of the firm’s heating and ventilation vendor – there are many more like this.
Contrary to popular belief, cyber risk is not just a technology problem. Technology is just one contributing factor to the overall digital risk of an organisation; the other two are people and organisation. Only when all three are looked at together, and aggregated, can the real risk be understood.
People are an organisation’s first line of defence but, believe it or not, they are also the biggest risk. Ignoring the potential risks at the human/technology interface is to ignore the most prevalent risk to businesses. According to a study by IBM[3], human error is the main cause of 95% of cyber security breaches. In other words, if human error were somehow eliminated entirely, 19 out of 20 cyber breaches may not have taken place at all. Whether involving error, omission, malice or coercion, they all involve a human doing something they shouldn’t have, or not doing something they should have.
Risk equation is the organisation
The other important ingredient in the risk equation is the organisation, and specifically the controls it imposes in terms of governance when it comes to information security. Experience suggests that organisations that rapidly adopted, or are in the process of rapidly adopting, new technology did so without considering the risks associated with this process. This is further compounded where organisations do not have the proper policies in place to provide conditions that support good risk management or empower their staff to act in the right way. For example, a majority of organisations are still unprepared to respond properly to cyber security incidents, with 77%[4] of security and IT professionals indicating they do not have a cyber security incident response plan in place, and more than half of those that do have one don’t exercise it.
This is woefully inadequate: an unexercised plan will serve no purpose when an incident happens.
Good cyber security sees the convergence of these three factors, working in concert, in mutual support of each other. To deal with cyber risk in any other way does not address the root of the vulnerability and ignores a significantly important fact – the insecurity of the system is what enables an attack to happen in the first place. Cyber security is a system of systems; it requires a multifaceted approach that involves a thorough review of one’s digital risk in the context of the main factors contributing to the risk: People, Organisation and Technology. Only solutions that address all of these factors will be fit for purpose.
Cyberattacks are real, and the emphasis on the importance of cyber security needs to change. We must address the fundamental causes of risk, and that requires a paradigm shift in our approach to cyber security. Let’s stop trying to cover a deep wound with a sticking plaster; it is ineffective and irresponsible. Cyber security is not a technology problem to be pushed down the food chain – it is a universal risk – and for the sake of everything, leadership needs to take responsibility.
[1] https://www.zdnet.com/article/codecov-breach-impacted-hundreds-of-customer-networks/
[2] https://www.reuters.com/article/us-cyber-solarwinds-microsoft-idUSKBN2AF03R
[3] https://www.ibm.com/account/reg/uk-en/signup?formid=urx-51643 and HackerNews
[4] https://www.computerweekly.com/news/252461474/Most-organisations-still-lack-incident-response-plans