Breaches pose the biggest threat to modern business currently and seem to happen frequently with difficult consequences.
What is a breach, why they happen and what can you as a manager do to limit them.
This is non-techy article. This article seeks to help non technical managers understand the challenges faced by IT and Security teams and what can be done to shore up the holes by everyone.
This article provides a high level description of the hows and why of data security and what you can do to help.
- Tech Terms
- What you can do
[read more=”Read more” less=”Read less”]
Security is defined as the state of being free from danger or threat. The element of certainty is implied in the word. In business security is a desired outcome not a guarantee.
Security, like health, puts your mind at ease when everything is going well. It is a state, it can change. The second you are not secure or unhealthy the whole world changes. Breaches represent this kind of significant change.
Dr. Murphy, my GP, gave me a great example once which stuck.
I walked into my bathroom in the morning. I washed my face, brushed my teeth, did my morning routine and got ready for my day.
Upon leaving the bathroom I met my daughter in the hall as she was going into the bathroom. 5 seconds later there was a scream from the bathroom and my daughter came racing out.
The bathroom was completely unusable and a horrible place to be. There was a spider in there rendering the room unusable.
I had been in there for over 10 minutes and never noticed or minded. Two people’s perception of the same place are different by what we notice.
Security people are trained to see the spiders and deal with them before they become a more serious issue. The role requires you to think where are the spiders might be.
Change is inevitable consequently the greatest source of inspiration and threat. When things change spiders can get in.
You can’t stop all change as that would be to stop all phone calls, emails and ask the world not to change. It’s not going to happen you’re going to have to deal with it.
The dealing with it can be painless or painful. How much so is up to your preparation. If you know something could happen but you have a plan to deal with it, you make your life a lot easier.
A breach is when someone does something to your business. It is criminal. Even in this day and age shoplifting occurs. How do you guard a business against shop lifting?
From a physical point of view you can see someone in the shop. From a technical point of view how do you see someone shop lifting your data? Why would they bother? Some have good reasons, some just because.
These shoplifting events are breaches of the security of the businesses.
If you are securing a shop there are basic things you can do. Put security cameras in to watch people. Add tags to expensive items and put a door security check system in place. Lock up at night. In computer terms you have these mechanisms they just go by different names.
So you put common sense technical equipment in place but that doesn’t stop humans making mistakes. As the following example demonstrates even nice, physically secured people can make mistakes if there is someone attempting to do something nefarious.
The weakest link in systems that are secure are people and unfortunately the primary cause of breaches.
Risk and Insurance
So we acknowledge bad things are going to happen. The best thing we can do is plan for when they do go wrong.
A risk register is a listing of all the things that can go wrong.
It takes a devious mindset, someone who can see the spiders, to fill it out however as a result of this list you can help your business.
That list needs regular review.
It is possible to mitigate risk i.e. do something that would stop this risk from happening.
If you have a stairs in your house and a two year old who likes exploring putting a baby gate on the stairs to stop them hurting themselves is a sensible risk mitigation. The child may never climb the stairs but if they did and fell what are the consequences?
It is possible to mitigate the risk of breaches.
Real life planning in action
Let’s take a CTO who designs a piece of software and is the brains behind the software but is the only one who knows what’s going on with the software.
Is he a risk? You’re right he is and even he knows it.
So step 1, was to put in place key man insurance. If he goes sick the business has money to replace him with someone senior who can adapt quickly. Not a great solution but throwing money at a problem might help as a stop gap measure.
Adopting a better risk mitigation strategy was step 2, make sure there is someone else who gets to know how to do the main parts of his job so there is not a “single point of failure“. The CTO being the single point in this risk plan.
Step 3, get the CTO to write down everything he can to explain how it works, so that step 1 or step 2 would cover if he got sick and hadn’t got time to explain it to someone else.
In 2017 I was diagnosed with a malignant level 2 brain tumor. Cancer. In the business Patrick Jenkins who had been training as well as working for 4 years stepped into the position and took over. Two documents, an internal developers manual and public “How To” wikipedia provided support for issues not trained on. Patrick is amazing and very talented and was prepared for the role. The planning and preparation worked and the business adapted to significant change.
The planning our management team put in place protected our business. Of course change has consequences but not business ending ones.
Breaches are when a 3rd party has done something to your business and gotten inside your security. If it’s shoplifting data, money or doing something malicious to your business. It is a crime consequently called cyber crime as it happened in the world of computers not of people.
The seriousness of a breach is how badly it affects your business. Breaches affect your business in different ways.
Computer and data breaches are as damaging as an entire truck load of your goods going missing. On occasion the truck can be returned intact and the bad guys caught.
Other times your insurance can cover it. Sometimes with no insurance and no plan it can spell the end of your business.
Your job as a manager is to identify your risks. Get help if you can’t do it.
With the biggest risks identified, mitigate those risks as best you can.
Education is the strongest weapon in reducing risk. If people are aware of what can happen, everyone can help.
IT and security teams often are aware of the potential areas because like a physical building, technology mirrors physical real world ideas.
The front door
Imagine a normal office building in a big city.
- A person walks in the front door dressed in a hospital doctors uniform. Who let them that far?
- They get to a desk with a receptionist. The receptionist says, “Go on through?” with just a quick look at the person not checking anything else.
- The person walks into the office, stays 10 minutes without anyone checking and leaves again with a suitcase under their arm that they didn’t walk in with.
Would that be a risk?
In the land of computers
Computers have the same technology.
A firewall is the outside check of your building. It’s like a security guard at the front door. It only allows certain types of business into the building.
Ports are used to say “this is the type of business we want to do with your company”.
Only allow types you know you have to and you have shored up a ton of common sense things.
Firewall rule one might be “we only deal with doctors”. Excellent we have a check but our visitor still gets in.
The next level is that reception desk. Who are you and what can I do for you?
This is where your username and password comes in.
Whilst anyone can come up to the desk and say they are anyone their face kinda gives a second piece of information. Think about face, voice, personality and name as four different forms of Id.
Computers can’t see your face so that’s why we have username and password. Yes it can be faked but at least you checked.
The receptionist on the desk decides where you are or are not allowed to go. Our receptionist sees our guest and identifies him as Dr Murphy. “Good morning Dr. Murphy please go on through.”
A weak password or easily guessed password allows someone else pretend to be you. What do you have access to that could be lifted that would be damaging to the business or its reputation?
Now in the office Dr. Murphy has access to the whole floor.
- What restrictions are in place?
- Who is watching to see if he should / shouldn’t be there?
- Who can flag to security they see someone suspicious that they don’t recognise?
Inside a computer that’s very difficult but security permissions can restrict access. There are also reports which are available to security teams to sense check what people are doing.
Dr. Murphy has a valid reason to be in the office. He left his briefcase behind and was collecting it and doing some evening emails but without the security checks he could have been anybody.
The Mission Impossible movies specialise in showing how Tom Cruise can pretend to be anybody and how the team use technology to break into the most secure of places.
Not just computers are vulnerable, real places are too. This is the nature of managing breaches.
In computer terms there are a set of sense checks available in a number of ways.
COBIT (Control Objectives for Information and Related Technologies) is a general IT management approach which provides some great sense checks for your business including how to build your first risk register. PO (Plan and Organise) section 9 discuses assessing and managing IT risks.
The next really really useful one is ISO 27001 which has a few variants but that provides another set of checks and a different perspective. These checks give you a host of sense checks and some very out there ideas. Having been through numerous security audits in my life these checks are the backbone of modern computer security.
The paranoid of the paranoid in terms of security standard checks is the PCI suite of checks (Payment Card Industry). These checks are for managing money being taken from credit cards and other electronic forms of money movement. For a lot of business they’re overkill but it doesn’t hurt to aspire to having the best security.
You can implement a lot of the sense checks without overkill.
Within our means
“Within our means” is a vital phrase in this area. Building Fort Knox to run a hotdog stand would be silly. So there is a scale of what is reasonable to do and what is not.
This is why management have to be in on the discussions of what is a risk and what is not. It is not enough to just let the security department look after the rules as like the office example above, everyone is part of the security operation.
Thomas Glennon is a security manager who for years has managed and worked through these standards, putting in checks, balances and worked with operations to deliver vigilant security.
His monthly breakfast security briefings to the team keep everyone aware of the need for vigilance.
What you can do
If you have a breach and no plan
This is a tough spot. Whats done is done. You’ve had a breach and people are about to get wet.
You are in damage limitation rather than prevention. Moving quickly to prevent further breaches is essential.
- You need to explain to those affected by the breach it has happened
- Notify the Data Protection Commissioner or legal body of the country you operate in
- You need to shore up the hole so it can’t happen again.
- Prepare a report to show how and the why it happened and how it won’t happen this way again.
This is a Security, Education and Public Relations situation and will be very stressful for everyone.
External help can really help like getting a lawyer when you’re arrested. External consultants are clear headed and not emotive and will help your business greatly.
If you haven’t had a breach yet
Now that you understand the terms
- Make a risk register if you don’t have one
- Review it once a month at your monthly management meetings
- Prioritise your biggest risks
- Develop a plan on what to do if each item happens
- Write down the plans so you can follow the plan unemotionally if it does happen.
Get professionals to help you see the spiders in your bathroom and save yourself some breaches you could have avoided.