Templar Executives maps out the cyber security landscape
Beware of ransomware, says Templar Executives CEO Andrew Fitzmaurice, as he charts the cyber security landscape for 2016
Transcript
Cyber attacks have risen to the top of the agenda for both the private and public sphere. Andrew Fitzmaurice of cyber security business Templar Executives maps out the biggest threats, and explains how businesses can improve their cyber security.
European CEO: Cyber attacks have risen to the top of the agenda for both the private and public sphere. Here to shed insight on how to mitigate risk is Andrew Fitzmaurice of Templar Executives.
Well Andrew, let’s start with the threat landscape: what does this entail, exactly?
Andrew Fitzmaurice: Well, this is a very complex landscape, and it’s very difficult for businesses and organisations to actually understand the panoply of threats out there.
So if we start with the governmental one, which are foreign intelligence services. They’re there for espionage and commercial gain.
We then have organised crime, which over time has become far more prevalent and far more capable. And they’re the ones that really do undermine business in terms of the balance sheet and cyber fraud.
And then we have people, and people come in a number of flavours.
The first one is the accidental insider threat. Somebody who makes a mistake – for instance, emailing the strategy to the competitors.
Then we have the malicious insider. Someone who no longer wishes to belong to that company or organisation, and goes from being a team player, to very much what’s in it for me, what can I get out of it?
And the third is hacktivists – they’ve been made famous by Julian Assange and Wikileaks. And these are people who are quite often driven by ideology, not necessarily financial gain.
And the last bit is actually something that people don’t think about, and that’s environmental. So, where you site your data centres, where you site relay stations, and how you control your information, can be affected by environmental things.
European CEO: And what are the key inclusions that a robust cyber security programme would entail?
Andrew Fitzmaurice: It’s everything from HR – from the levers, movers, and joiners – all the way through to the ICT. Ensuring that you are able to defend your networks, that the network architecture is proportionate to your business and to what you’re trying to defend.
So you have to take this holistic approach – the people, the processes, and the culture.
Just for instance, there’s over a million new pieces of malware every day. 366 million new bits of malware per year. And therefore we advocate a maturity approach: adopting a framework such as the information assurance maturity model, which the UK uses, or NIST, which the US uses; which demands constant improvement, continuous improvement. And therefore you never rest on your laurels, and you’re always trying to get better and better.
European CEO: So in terms of emerging cyber security threats, what sorts of things should people be aware of?
Andrew Fitzmaurice: Well, we have seen quite a lot of emergent threats, but actually based primarily on some old themes.
In the old days, if you wanted to extort money from a family, you used to kidnap somebody and ransom them. And now it’s people’s data they’re doing that with.
And we’ve seen the number of instances of ransomware – that’s what it’s called – go up around 113 percent.
And this is basically where your data gets hijacked, encrypted, and you have to pay to have your data back.
When we talk about large corporates, and some of the really critical information assets they hold, the ransoms could be for lots of money.
European CEO: Well why do you think so many companies struggle to deal with this?
Andrew Fitzmaurice: So, I think a lot of it is in the language that’s used. If you use the term ‘security’, it switches people off. Whereas for us, it’s very much about enhancing business, and making it work for you. So when we talk to boards, we don’t talk so much about security. We say, if you’re not good about security, we can help you be better. But for us it’s about business information superiority. About getting that competitive advantage.
European CEO: So finally, how can companies really educate themselves about this issue?
Andrew Fitzmaurice: Well that’s a very interesting point. Education is absolutely vital for the success of both public sector and private sector organisations. And it really has to start at the top.
There’s quite a lot of education around the board piece. Not just the threats, but the opportunities that this offers.
But going down through the organisation, you next have those people looking after those critical business assets we’ve spoken about. And it’s really important they understand the threats to those assets – again, how to look after them properly, but also how to exploit them, to meet the business outcomes of the organisation. Again, whether it be in the public or private sector.
And then going down to the general workforce. A lot of this workforce will know about the internet, and will know about cyberspace. But they may not know about security. And from this point security means making sure they become valued members of the organisation, by adopting the appropriate behaviours, and having that sort of cultural and educational piece is really important.
And we would start by saying to them, and looking at them as individuals, and saying, ‘You’re online, your children are online. Here’s some information about how to stay safe on Facebook, to ensure that other people can’t get access to your profiles.’ And those sorts of educational points are really important. And that then helps to breed the maturity, and the mature approach, and the constant and continuous improvement I was talking about earlier.
For more information visit Templar Executives or email enquiries@templarexecs.com