
Britain acknowledges “you can’t beat ‘em” when it comes to data security breaches


The UK government has announced a joint initiative with private sector interests to promote cyber security insurance for all British businesses, according to IT Wire.

The report quotes MP Francis Maude, who is in charge of Britain’s Cyber Security Strategy, as saying that the effort is part of a move to “make sure the UK is viewed as one of the safest places in the world to do business online”.

While it’s interesting to see a government motivated to promote cyber insurance to the point where it’s practically mandatory to hold it, the key item of interest to us is the finding of the policy paper on which the government based its decision.

The document states that 81% of large businesses and 60% of small businesses in the UK suffered a security breach last year and the average cost of breaches has nearly doubled since 2013!

In short, the report says, “It’s not a case of if but when”.  The nature of threats is evolving and traditional strategies to combat them are proving ineffective.

The interconnected systems that we rely on every day have vulnerabilities – more than 4,000 are discovered and addressed every year across Microsoft, Apple, Google, Oracle and other top industry players.

It’s simply impossible to produce a network that is connected to other networks, uses standard platforms, supports a mobile and dynamic workforce and is 100% secure.  If it were, you wouldn’t know who Edward Snowden is.

So three things are apparent from the report.

1.    You need to recognise and accept that even though your company might not store highly sensitive data or process credit cards, or have a worldwide profile like Sony, you could still fall victim to a breach and it could cost many thousands of dollars and lost days of productivity to remedy it.  The companies surveyed for the report were not in one particular industry vertical.

Too many IT Managers and CEOs still believe that they’re unlikely to be targeted because what they do is unimportant to financially or politically motivated attackers.  But what if the breach is intended simply to disrupt, not to steal?  Could your company afford to be inactive for 3 days?

2.    To borrow from Orwell, “we are always at war”.  Security is not a state we can achieve; we are always striving towards it and the finish line is always receding from us.  So you must frequently assess the security of your network to minimise the chance of a breach, and be able to respond when it occurs.

3.    The way to know how secure you are is to ask “how vulnerable are we, according to the most up-to-date information we have available?”  You have to maintain a state of healthy paranoia and assume that someone is always out to breach your systems.

A good security plan encompasses Disaster Prevention and Recovery steps.  In short, if you know the answers to these questions, you are well-placed compared to most businesses.

1.    How exposed are you?
2.    How fast can you bounce back?
3.    What actions will be required in the event of a serious breach?
4.    Does everyone know their role?

We are currently rolling out a new Continuous Vulnerability Scanning service that addresses the first question.  The remaining three are addressed by good security and business continuity processes and policy.

So, how prepared are you?  Or do you even know where to begin?

James Walker

Update 2021: You can access Australia’s Cyber Security Strategy 2020 here: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy
