Focus on Cyber Security
Is cyber insurance a necessity today, or not? Find out how it, along with supply chains and other key areas, could present a risk to your organisation.
Over the last decade, the evolution from standalone analogue security systems to IP networked systems has given rise to an increasing focus on cyber security. As we move towards a true Internet of Things (IoT), every system, device and piece of hardware or software represents a potential point of vulnerability.
Meet Jo, an expert with strategic advice in the security industry
In this, the second in a special three-part series brought to you by the security exhibition and conference, we speak with Jo Stewart-Rattray. Jo is a member of the ISACA (Information Systems Audit and Control Association) Information Security Advisory Board and a director of technology and security assurance with BRM Advisory. She has more than 25 years of experience in the security industry and consults on risk and technology issues with a particular emphasis on governance and IT security in the business. Jo regularly provides strategic advice and consulting to the banking and finance, utilities, healthcare, manufacturing, tertiary education, retail and government sectors.
What is the risk against supply chains for the security industry?
According to Jo, one of the most notable cyber security challenges right now is supply chain risks – especially in light of the current conflict between Russia and Ukraine. Who are your suppliers? Who are your customers? Where do those organisations have their roots? Could those connections make them a potential target for cyberattacks, and if so, what impact might that have on your business?
Jo believes the other big question most organisations need to be asking is whether or not they have cyber insurance. “I’m hearing some of my colleagues say that they’re quarantining off money, putting it into short-term deposits rather than take out cyber insurance because there are co-payments involved and all sorts of things, and a lot of underwriters are simply saying, ‘No, we will not insure you’. So if you are in a high-risk industry, your current insurance may not cover you. And if you are insured and the worst happens, and you do have some breach, there is a distinct possibility they may not pay the claims. From a business perspective, that is a real concern for both boards and CISOs (Chief Information Security Officers) alike.”
Much like good physical security, according to Jo, good cyber security is about doing all you can to identify existing and emerging threats and then taking every possible action to mitigate those threats.
“You need to be running scans. You need to know where the potential vulnerabilities in your networks are. You need to be looking at advisories. You also need to get external, independent, third parties to correlate with what you’re doing. Don’t just run a single tool; make sure you have the best security alerting and monitoring systems in place that you can afford. Furthermore, make sure that if you receive an alert, you actually do something about it.
“It is also imperative that everyone in your organisation, from the most senior levels all the way through to the most junior level, is aware of their rights, roles and responsibilities concerning security. Organisations also need to monitor and report on potentially risky ‘click behaviour’ and then counteract that through things like security education. It’s all very well to have a phishing button on emails, but there has to be some sort of feedback mechanism for the individual who’s actually bothering to report potential threats. If they think no one is listening, then they will stop reporting.”
How is it possible for businesses to overcome this risk?
For many organisations, their greatest cyber security challenge will be understanding how to do the most with the limited resources available. Jo believes the key to overcoming this challenge is to have a proper understanding of what you are trying to protect.
“Are you protecting a hundred bucks worth of data and spending a thousand dollars to do it? That’s not good economics and you could actually spend your security buck a little bit better. It’s about understanding what you have to protect, therefore setting the expectation of how much you should be spending to protect it.” Regardless of how big or small an organisation might be, Jo believes one of the most important cyber security functions you can engage in is active monitoring.
“We absolutely need to have the tools, the platforms in place to monitor. We need to also make sure that we’re actually looking at those alerts and doing something with them. It’s really important. It is also important to ensure that you are not just monitoring the organisation’s perimeter. You also need to monitor what is happening within your network. What does your environment actually look like? What’s the anomalous traffic that’s coming across your network? Do we actually know what’s on our network or traversing our network? That’s the important part. Do you have HVAC systems that have somehow miraculously turned up on your network? What about CCTV? What about swipe cards? What about vaccine fridges, which are topical today? All of these things that actually connect to the Internet in some way need to be monitored. What are they doing? Who or what are they talking to? Where are they sending data?”
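The questions Jo raises above (what is on the network, who is it talking to, where is it sending data) can be answered mechanically if you keep an asset inventory and compare it against flow records. The following is an added illustration, not code from the interview or from BRM Advisory: it checks a constructed set of flow records against a constructed inventory of known devices, flags any source address the inventory has never heard of (the HVAC controller that “miraculously turned up”), and flags any inventoried device that sends data to an external destination it is not expected to talk to (a CCTV camera pushing data to the Internet). The inventory entries, the IP addresses and the vendor-cloud destination are all assumptions; in practice the inventory would come from a CMDB or NAC export and the flows from NetFlow/IPFIX or firewall logs.

```python
"""Flag unknown devices and unexpected egress by comparing flow records
against an asset inventory.

Added example for this article; not code from the interviewee or from
BRM Advisory. Inventory, flows and addresses below are constructed.
"""
import ipaddress

# Constructed inventory: source IP -> role and the external destinations
# the device is expected to talk to. An empty set means "internal only";
# None means unrestricted (a user endpoint that browses the web).
KNOWN_ASSETS = {
    "10.0.10.5": {"role": "cctv-camera", "allowed_external": set()},
    "10.0.20.7": {"role": "hvac-controller",
                  "allowed_external": {"203.0.113.10"}},  # assumed vendor cloud
    "10.0.30.2": {"role": "vaccine-fridge-monitor", "allowed_external": set()},
    "10.0.1.50": {"role": "workstation", "allowed_external": None},
}

# RFC 1918 ranges; anything outside these is treated as "the Internet".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


# Constructed flow records: (src, dst, dst_port, bytes_sent).
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.1.50", 554, 120_000),        # camera streams internally: fine
    ("10.0.10.5", "198.51.100.23", 443, 9_000_000),  # camera sends 9 MB to the Internet
    ("10.0.20.7", "203.0.113.10", 8883, 4_000),      # HVAC to its vendor cloud: allowed
    ("10.0.30.2", "10.0.1.50", 80, 300),             # fridge monitor to a workstation: fine
    ("10.0.40.9", "10.0.1.50", 445, 50_000),         # source not in inventory at all
    ("10.0.1.50", "198.51.100.23", 443, 2_000),      # workstation browsing: unrestricted
]


def analyse_flows(flows, inventory=KNOWN_ASSETS):
    """Return a list of findings, one per flow that violates the inventory.

    Finding types:
      unknown_device    - the source IP is not in the inventory
      unexpected_egress - an inventoried device sent data to an external
                          destination it is not expected to talk to
    """
    findings = []
    for src, dst, port, nbytes in flows:
        asset = inventory.get(src)
        if asset is None:
            findings.append({"type": "unknown_device", "src": src,
                             "dst": dst, "port": port, "bytes": nbytes})
            continue
        allowed = asset["allowed_external"]
        if allowed is None or is_internal(dst):
            continue  # unrestricted endpoint, or internal-to-internal traffic
        if dst not in allowed:
            findings.append({"type": "unexpected_egress", "src": src,
                             "role": asset["role"], "dst": dst,
                             "port": port, "bytes": nbytes})
    return findings


def egress_bytes_by_device(flows, inventory=KNOWN_ASSETS):
    """Total bytes each inventoried device sent to external destinations.

    Useful as a second signal: a device whose external volume jumps is
    worth a look even when the destination is on its allow-list.
    """
    totals = {}
    for src, dst, _port, nbytes in flows:
        if src in inventory and not is_internal(dst):
            totals[src] = totals.get(src, 0) + nbytes
    return totals


if __name__ == "__main__":
    for f in analyse_flows(SAMPLE_FLOWS):
        print(f)
    print(egress_bytes_by_device(SAMPLE_FLOWS))
```

The allow-list model is deliberately strict for operational technology: a camera, fridge monitor or badge reader has no business talking to arbitrary Internet hosts, so anything outside its expected destinations is a finding rather than a statistic. User workstations are exempted because their destinations are unbounded; they need behavioural monitoring rather than a static allow-list.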
In closing, I asked Jo what she felt were the emerging security threats and challenges that needed to be watched. Her response was simple: there are no crystal balls in cyber security. Threats evolve quickly, challenges shift constantly. The best thing you can do is something, because something is better than nothing. Perhaps most importantly, make sure the basics are covered and done well because.
And last but not least, “The most important thing is to make sure that the senior part of the organisation is aware of what you need and what you do. I think education and communication are the most important things that a CISO does in an organisation, because you have to do that at all levels.”
With cyber security becoming more and more important in the security industry, now is the time to showcase your products and find new suppliers. To find out more about exhibiting at Security Exhibition & Conference, get in touch with a member of our team here.