Published on Thursday, July 18, 2019 - 15:54 by Martin Fletcher
Ladies and Gentlemen, it turns out that wizards are real and they’re after your data. Or so newspapers and comms departments would have you believe.
Bulgaria’s NRA tax agency is facing a potential fine of up to €20 million in the wake of a data breach that compromised the records of nearly every working adult in the country. Potentially up to 7 million individuals.
The response from the country’s Prime Minister, is that the individual responsible is a “Wizard” hacker, who carried out a highly sophisticated attack on the NRA system.
Cybersecurity experts have been quick to take a different line saying; “The reason for the success of the attack does not seem to be the sophistication of the hacker, but rather poor security practices at the NRA.”
It’s understandable why a newspapers and comms teams will resort to hyperbole in the event of an incident like this. Afterall wizards sell papers, and no organisation wants to admit to being stitched up due to basic security flaws.
However, this kind of language has the potential to encourage a harmful attitude to security and information management within organisations. If your senior decision makers buy into the myth that hackers are shadowy “Mr Robot” types with God-Like powers, then it can develop a culture of despondency at the top of the business that acts as a blocker against taking steps to protect your key assets.
When communicating with the business, it is important to use language that explains the threat in a meaningful way. Encourage the company to get back to basics and implement prudent measures that will deter most opportunistic attacks.
The key steps for your board to understand
Understand the threats
The cyber threat to our information can come from a range of individuals and organisations, including:
Security experts can also provide the board with an outline of common tactics used. These include:
Decide what matters
All activities undertaken by an organisation will involve an element of risk. It is therefore important that information risks are recorded and managed.
Firstly, board members need to be able to identify the information and data which would cause serious damage if it was lost – their crown jewel information assets. Personally I’d say 7 million people’s tax records is pretty key to the NRA’s work.
They should then consider the threats to these assets and the most likely ways that data may be lost. The National Cybersecurity Centre’s ten steps to cybersecurity can help identify potential vulnerabilities in the organisation.
Finally, the board should be involved in the development of a corporate level risk appetite – that is, the amount of risk that the organisation is willing to take on in order to get work done. Organisations that hold large amounts of sensitive data are likely to have a lower tolerance for risk than those with information that would be less damaging if it were released.
In response to the risk assessment the board must then develop a strategy to manage their information risks, assisted by a range of roles including security experts, Knowledge and Information Management (KIM) professionals and departmental heads of service.
It is important that the board set the tone from the top and that once policies have been devised they are seen to be following them. The biggest factor in whether an organisation tightens up its security culture is if the staff lower down the hierarchy can see the senior management team taking the issue seriously.
Another important part of developing a secure culture is listening to staff and their concerns. A policy that sounds sensible while it is being developed may turn out not to be very practical when applied by front-line staff. It is therefore important to monitor the effectiveness of strategies, and also to tell staff why they are expected to comply with secure practices. If people don’t know why they are being asked to do something they may develop their own insecure workarounds, introducing risks that the security professionals are not aware of. Awareness-raising materials produced by organisations including the Information Commissioners Office, National Cybersecurity Centre and Centre for Protection of National Infrastructure can help with this.
It's not about wizards and magic boxes
The cyber threat to an organisation, like any other threat to assets is just a question of risk management. By taking simple steps, the board can help to define the risk appetite of the organisation and approve measures to protect key assets.
Let the wizards get on with what they’re good at, playing Quidditch and battling dragons. In the real world, lets get on with dealing with people and protecting what matters to our organisations.