There’s no such thing as an accident when it comes to security, writes Geoff Webb, Vice President – Strategy, at the software company Micro Focus.
Mistakes, neglect, lack of preparation, maybe. But no accidents. That may seem cynical, but if you had seen the security issues I have over the last 20 years, you’d feel the same. The problem is that we’ve all been conditioned to believe that there are millions of cybercriminals out there trying to steal our identity or take down our businesses. Don’t get me wrong, the prevalence of cybercrime has increased significantly over the past decade, but it is not the only threat.
Let’s take the recent outage of British Airways’ IT systems that left a lot of flights up in the air – or rather grounded – across the bank holiday weekend. From an early stage, the company was at pains to reassure the public that the outage was not caused by a cyber-attack. Why? Because increasingly that is the assumption. After all, it did hit only two weeks after the WannaCry ransomware attack impacted well-known businesses across 150 countries – from the NHS to Nissan and FedEx.
While you would be forgiven for thinking that it was a scream-masked cybergang, the outage was down to an internal failure at BA. At the outset, experts speculated that it was a result of anything from an unexpected power surge to the outcome of outsourcing IT to India – either way BA kept very quiet about it initially. I suspect this is because they know it could have been prevented.
Research by Barclaycard found that small businesses are more concerned about the threat of cybercrime than they are about Brexit, with plans to invest more than £3.8bn in firewalls, security software and other defences over the next 12 months. Data is the lifeblood of any business, especially small firms, but the issue of security shouldn’t be about potential external threats. The truth is most vulnerabilities exist within the company. And hackers know that. If businesses are able to spot weaknesses before a hacker does, they will always be one step ahead.
Striking a balance
One of the biggest issues organisations face is how to balance innovation with business continuity. Business leaders are under a huge amount of pressure to respond more quickly to enable business innovation, while at the same time working with IT to ensure the company’s foundation is a stable, secure, compliant and predictable IT environment. And as a business grows, so does its exposure to threats.
As a result, modern IT systems have to be more complex. While businesses work hard to make them as robust as possible, constantly innovating that complexity introduces an element of fragility and unpredictability that can be difficult to manage.
Security cannot come at the expense of innovation. Adopting disruptive technology like the Internet of Things or cloud environments can certainly help as IT teams can more easily integrate them into existing business processes. This ensures more customer services and products can be delivered rapidly – without risking exposure to threats. To stay relevant and compete in this digital-first world, CIOs need to focus on developing innovative business services that are built on the organisation’s existing IT foundation and layered with new delivery models and platforms. In practice, it’s bridging the old and the new, enabling an organisation to innovate faster at lower risk, thankfully without the need to rip and replace legacy applications.
As a starting point, here are three things you should consider as you are building your business strategy:
– Patch, Patch, Patch: At a basic level, organisations should automate patches and fixes for frequently used software. It’s one of the main reasons WannaCry hit so many people – companies didn’t implement a patch released by Microsoft two months prior to the attack.
– Fix it before it breaks: Any system that has been dormant or not failed in a while should be looked at immediately. There isn’t enough experience working around potential issues or bugs it may have, so if a threat strikes, the company will already be on the back foot.
– Stay agile, mitigate risk: This means getting better insight into the impact any changes to systems and services will have on the wider business. Organisations will need to have true business agility to achieve the competitive advantage they need to survive and thrive.
Even with all of that in mind, systems can – and will – fail. Murphy’s Law applies to technology every bit as much as it does to any other human endeavour. The best approach is often to build in as much resilience as possible. That is, to assume that a system will fail, but make sure the rest of the infrastructure won’t collapse under that pressure. Businesses must be able to keep the lights on while a fix is worked on.
Netflix has taken on this approach beautifully. Using the impressive Chaos Monkey technology, Netflix is able to switch off applications as needed and when a suspected threat arises – all automated, all behind the scenes and all of the time. That’s the balance every business should strive to reach. Those that can move more quickly will erode market share, steal customers and capture opportunities that threaten their competition’s survival – just ask Blockbuster! So the next time the issue of security arises, business leaders should take a magnifying glass to their organisation’s operations before claiming cybercrime is the biggest threat to their survival.