Despite implementing comprehensive security measures, 65% of UK and European mid to large businesses reported malicious security breaches in 2021. Malicious actors intensified attacks on critical cloud infrastructure globally, typically resulting in the payment of multi-million $ ransoms. And security breaches can have secondary impacts through fines for breaching data privacy regulation, lost sales and reputation damage.
A black box with a glaringly obvious front door
Without doubt cybersecurity is a specialist art, both in its daily maintenance and in its periodic investigation. It is the realm of the specialist because all networks are only as strong as the weakest link, and in technology that weakest link is invariably an obscure factor hidden away as an unarticulated default setting in someone else’s line of code (often in firmware on third-party hardware). Due to the world we live in, cybersecurity is also an art – the art of predicting and protecting against constantly evolving threats that are relentlessly created by malicious actors (who have evolved from ad-hoc individuals to highly sophisticated, well-financed actors of state).
Cybersecurity is also common sense. And that is where the problem lies.
CrowdStrike’s annual global cybersecurity report reals that in 2021, 62% of successful cybersecurity attacks comprised of non-malware, hands-on-keyboard activity - i.e., the biggest threat to IT security is a staff member clicking on a phishing email (deliberate actions of disgruntled employees is far, far less common).
Core areas of cybersecurity
Infosys categorise cybersecurity into 6 key areas, each of which can be strategized, monitored and reported on:
Identity access management
Governance, Risk management & compliance (GRC)
Identity access management
Probably the most important tactical aspect of cybersecurity, this is the control of both human and machine access to systems, through the use of discrete identities that have sets of permissions. It’s the electronic equivalent of a door pass – if you don’t have an identify you don’t have access, and if you do have an identity, you only have access to a certain areas.
Best in class companies deploy the use of identity access management in machine processes as an additional layer of security, to stop unauthorised execution of critical programs and algorithms by malicious actors who may have penetrated external security barriers.
A very common cause of failure in identity access management is the failure to withdraw a person’s access when they leave the company. This is on the rise with the growing adoption of third-party SaaS in operational processes – how often have you been able to access your company subscription to a newswire service long after you left the firm?
This is what most people instinctively think about when discussing cybersecurity. It is the realm of firewalls, internal networks, hardware and access to drives and folders. On a laptop it appears as simple antivirus software, but behind the scenes it is complex governance, sophisticated software and strict processes that span every process, from operations to product development.
Businesses have become dependent upon applications – packaged software and behind-the-scenes programmes that do a defined job and deliver a defined benefit. Whether proprietary or third-party, applications present security risks because that are discrete entities that have the authority to access data and execute commands. They offer a perfect trojan horse: to be able to work, applications are assumed to be benevolent, and it is very difficult to identify when they have become compromised.
Maintaining a real-time view is important for reacting to security breaches, and thus to limiting damage. However prediction is key: predicting the ever evolving specific attributes of cyberattacks enables a company to continuously improve its defences and thus continuously maintain its security. This is where the inputs and products of specialist companies are required – it is their daily businesses to identify, understand and mitigate cybersecurity threats arising near continuously from places you and I have never heard about.
In most countries data security is the only regulated element of cybersecurity. It involves the protection of data at rest, in transit and during processing. Globally, the dominant regulation is the EU’s GDPR (the UK’s GDPR is legally equivalent until 2027). We are seeing the emergence of similar laws in the US, notably the California Consumer Privacy Act (CCPA), which are being enacted at the state level. Very few industry regulations have mandates on cybersecurity that are not exceeded indirectly by the measures required to ensure GDPR compliance.
GDPR also addresses non-security issues, notably as the right to acquire, utilise and store data in the first place regardless of the security infrastructure. The requirement for the ability to remove a person’s data at their request also has implications for security architecture.
Governance, Risk management & Compliance (GRC)
If identity access management is most important tactical aspect of cybersecurity, GRC is the most important strategic aspect. With the right approach to governance, management and compliance, it is possible to embed a culture of self-regulation and self-policing, which is far more effective than any programmatically forced regime. GRC is the engine of prevention.
Cyber Security Breaches Survey 2021, Department for Digital, Culture, Media and Sport, UK Government.
2022 Global Threat Report, Crowdstrike Inc.
Information Commissioner's Office (ICO), United Kingdom, 2022.