Cyber-Security: Why It’s not just an IT issue
The recent global spread of the WannaCry ransomware has yet again highlighted how rapid and far-reaching the effects of a cyber-attack within companies and organisations can be.
At the time of writing, something that had likely been seen by many as a purely IT issue (‘The IT team are responsible for patching Windows; if that’s not happening, what’s the worst that can happen?’) has reportedly affected at least 75,000 systems in 99 countries and been responsible for everything from the cancellation of surgery by the NHS in the UK, to Renault shutting down car production plants in France, to FedEx being affected in the USA. (BBC)
In today’s ever more insecure world it’s vitally important that cyber security is something that is at least discussed and planned for across the entire organisation. The sad reality is that the WannaCry attack was entirely expected as the underlying code used was publicly released a month ago, and work to block and mitigate it should really have started immediately as a result.
The good news is that this isn’t as daunting a task as it may sound!
The most important thing is to recognise that planning for a security incident is no different to any other contingency planning you already undertake; it’s really an operational issue rather than a technology one.
Start by sitting down and working out what will happen to your day-to-day operations under the various scenarios in which you are hacked: you are locked out of your systems, you lose control of your online presence, your email is compromised, and so on. Work out the scale and operational risk of each and rank them in order of importance to your organisation accordingly.
Once you understand how you’re likely to be affected, you can begin to work on how you deal with each scenario. This step of the process should involve all the roles and teams within your organisation who will be impacted, and should include the actions they’ll need to take in the immediate, short to medium and longer terms to get things back to normal as quickly as possible.
Armed with these insights, especially having identified what is most important to you, you can begin to work with security experts (internal and external) to create a security road map that addresses your specific needs. Fixes, contingency plans and internal communications become easier, and you’ll be more aware of threats and able to act swiftly if the worst happens.
The key to all successful planning for the worst, security or otherwise, is not to start by discussing whether something can happen or how to prevent it, but what the results are if it does go wrong. It’ll affect everyone, so everyone should be involved in helping to prevent it.
As Einstein is reported to have said “If I had an hour to solve a problem I'd spend 55 minutes thinking about the problem and five minutes thinking about solutions.”
About the author
Gwilym is a co-founder of Appsecco, an application security company that provides pragmatic security advice to companies and organisations worldwide. Gwilym is a cybersecurity consultant at Foresight Communications Consultancy.
Prior to co-founding Appsecco, Gwilym built and ran a specialist web application development company that was sold to a UK PLC in 2012.
Gwilym is constantly told he should stop using the term Cyber Security (and completely understands why) but has yet to come up with a better one for non-technical people!