Charting a path to information security

Spending on cyber security in the UK is expected to reach nearly £3 billion this year, according to a PwC study, yet we forget at our peril that security is at least as much about people as it is about technology, writes Bryan Betts

When information security hits the headlines, it is rarely for a good reason. High-profile thefts of data by hackers, or fines being levied for the loss of laptops or USB sticks containing sensitive personal data – that’s more the order of the day.

All of which makes the business of securing a company’s data and intellectual assets a tough one. Getting it right earns no revenue, but getting it wrong can cost you the business, and in extremis it could even land the organisation’s directors in jail. That’s why security may not be everyone’s job, but it needs to be everyone’s business.

It is all too easy to take a mechanistic approach to information security. Buy the right technology, strictly apply the right rules, and everything will be OK – right? Unfortunately not. Top-notch technology is absolutely essential of course, but information security is a lot more than just systems and processes or snappy jargon such as “infosec”. It is also about people, good and bad, with all their needs and desires, their foibles and failings, and as economists and others are finally acknowledging, predicting how people will behave is a lot harder and more complex than it might first appear.

One of those behaviours which many security experts seem to have forgotten is how quickly we become blasé, so used to the alerts and warnings that we begin ignoring them. We assume that because something has been around for ages, it can’t really be a threat any more. How wrong can you be? And yet how else can we explain that software vulnerabilities are still being targeted months after they should have been patched, or that social engineering – persuading others to hand over passwords and other sensitive information, in some experiments in return for as little as a free chocolate bar – still works as well as ever?

“The attack vectors are always evolving – now it’s smartphones and social networks – but the key thing is attackers always follow the path of least resistance,” says John Yeo, Europe, Middle East and Africa (EMEA) director of Trustwave’s SpiderLabs advanced security team. “And unfortunately old vectors don’t go away, such as SQL [database query language] injection.”

To make matters worse, as well as those older attacks, the new threats facing organisations today are manifold and multilayered and they are evolving as fast as organisations evolve, or possibly faster. From mobility to malware and from spear-phishing to outsourcing, you and your chief information security officer, if you have one – and any organisation certainly ought to have someone with both responsibility and authority in this area – have a lot to keep tabs on.


And because security costs both time and money – that PwC study, entitled Cyber Security M&A: Decoding deals in the global cyber security industry, suggests that spending on it will grow 10 per cent year on year for the next three to five years – organisations also need to understand the information that they hold. In particular, that means understanding which elements really need to be kept secure, whether it is to protect corporate intellectual property, to ensure compliance with regulatory requirements or data protection legislation, or for some other reason, and which are less crucial.

Any of these security issues could keep you and your chief information security officer awake at night – but they do not have to cause insomnia. None of them is insuperable, whether it is safety on the web, keeping confidential data from leaking out of the organisation, or making sure that when you and your executives work on the move you do it safely.

Defending against them means taking a holistic view though, understanding that security breaches rarely appear in a vacuum and normally occur for a reason. Many times that reason is technical, but often it is at least partly social, and sometimes it may even be a symptom of a faulty or weak organisational culture. Getting any one of those aspects right on its own will not fix the problem – security has to be layered and synergistic.

Conversely, getting it all right brings all sorts of advantages, from organisational flexibility and the improved margins that e-commerce can bring, to making sure your executives have the best tools for the job. It can also mean making better use of the human capital available to you.