It’s Business Continuity Awareness Week — are you sitting comfortably? You might not be if you’ve read all the articles about taking cyber security to the next level, or what is now known as cyber resilience.
Having been in the business of continuity, crisis management and disaster recovery for more than 15 years, I welcome this extension. I blogged on some of the risks associated with the cyber world almost two years ago, and the accelerating pace of data breaches keeps this in very sharp focus.
But how does cyber resilience manifest itself? How can you start to make yourself, not just your business, able to withstand a cyber attack rather than merely hoping to avoid one?
The first thing is to assess vulnerability and impact. What would be the outcome of some or all of your online credentials being compromised? How would you know, how would you cope, what would you do? Focusing on the impact (or outcome) rather than simply the risk helps make it a more personal and thorough assessment.
The question “How would you know?” is particularly interesting. How many people have ever done an internet search for their own name to see what pops up? Many would be astonished at what is listed and publicly available! If you still use your mother’s maiden name or your date of birth as a password, or as the answer to a password-reset security question, you’ll rapidly learn how easy it is to find this information online, which is certainly a motivator to change it. Information is an asset and should be treated in the same way as physical assets.
The key to continuity is contingency — having a back-up plan for when things go wrong. You may have a torch or some candles and matches in case of a power failure at home, or a back-up generator for the same eventuality at work. The same idea applies in an online context. Many of us have more than one internet-enabled device, phone, email account, social media presence or online payment means. Some of this is down to choice, some out of practicality (such as the need to keep business and personal matters separate), but a great deal of this inherent contingency is based upon an insatiable desire to remain connected, available, enabled, vital.
But just having more (devices or greater connectivity) doesn’t really mean you’re better protected. Some years ago a national emergency services telephone number became interrupted and unavailable after a contractor accidentally cut through the main cabling. Many experts had considered this impossible because there was believed to be fully redundant, separate cabling. The problem was that the contractor had struck at a point which fed both the master and the back-up communications system: a shared dependency further back up the chain that the redundancy at the front end did nothing to protect.
The same risk is true for cyber security. If your protection has a single point of failure, such as one password (perhaps with small variations) reused across most of your online accounts, you’re in trouble. Once that password is compromised, whether accidentally through inadvertent disclosure or malware, or deliberately as a consequence of social engineering or careless practice, a cyber crook can access your most personal and sensitive details across multiple accounts: a password leaked from one site is simply tried against every other. This is a case of the general public seeing convenience as far more important than robust and layered security, despite fears of identity theft.
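To make the two warnings above concrete (a password built from facts anyone can look up, and one base password reused with small variations across accounts), here is an added example in Python that is not from the original post. It audits a password-manager export against a set of publicly findable facts, flagging passwords that contain those facts and grouping accounts that share a base password. The vault entries, the facts, the leet-speak substitution table and the normalisation rules are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a password-manager export (account -> password). Not real credentials.
VAULT = {
    "bank": "Whitfield1974!",
    "email": "Whitfield1974",
    "shopping": "whitfield1974#2",
    "forum": "correct horse battery staple",
    "work-vpn": "Tr0ub4dor&3",
    "social": "tr0ub4dor&4",
}

# Constructed set of facts of the kind a web search or a social profile gives away.
PUBLIC_FACTS = {"first_name": "Alex", "maiden_name": "Whitfield", "dob": "1974-03-12"}

# Common symbol-for-letter substitutions, undone so "Tr0ub4dor" and "troubador" compare equal.
LEET = str.maketrans("4310@$", "aeioas")


def normalize(pw: str) -> str:
    """Reduce a password to its base word: lower-case, drop the trailing counter/punctuation,
    undo leet substitutions, drop whatever non-alphanumerics remain."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)      # "whitfield1974#2" -> "whitfield"
    base = base.translate(LEET)               # "tr0ub4dor" -> "troubador"
    return re.sub(r"[^a-z0-9]", "", base)


def derived_tokens(facts: dict) -> set:
    """Strings an attacker would try first: names, and the usual ways of writing a birth date."""
    tokens = set()
    for key, value in facts.items():
        if key == "dob":
            y, m, d = value.split("-")
            tokens.update({y, y[2:], d + m, m + d, d + m + y, m + d + y, d + m + y[2:], y + m + d})
        else:
            tokens.add(value.lower())
    return {t for t in tokens if len(t) >= 4}  # two-digit fragments are too noisy to flag


def personal_info_hits(pw: str, facts: dict) -> list:
    """Which public facts appear verbatim (or behind leet substitutions) in the password."""
    low = pw.lower()
    forms = (low, low.translate(LEET))
    return sorted(t for t in derived_tokens(facts) if any(t in f for f in forms))


def reuse_clusters(vault: dict) -> dict:
    """Group accounts that share a base password: each group is one single point of failure."""
    groups = defaultdict(list)
    for account, pw in vault.items():
        groups[normalize(pw)].append(account)
    return {base: sorted(accounts) for base, accounts in groups.items() if len(accounts) > 1}


def audit(vault: dict, facts: dict):
    """Return (reuse clusters, {account: [public facts found in its password]})."""
    findings = {}
    for account, pw in vault.items():
        hits = personal_info_hits(pw, facts)
        if hits:
            findings[account] = hits
    return reuse_clusters(vault), findings


if __name__ == "__main__":
    clusters, findings = audit(VAULT, PUBLIC_FACTS)
    for base, accounts in clusters.items():
        print(f"one password ({base!r}) guards {len(accounts)} accounts: {', '.join(accounts)}")
    for account, hits in findings.items():
        print(f"{account}: password contains publicly findable {hits}")
```

On the constructed vault this reports that one base password guards the bank, email and shopping accounts, another guards the VPN and social accounts, and that the first group is built from a maiden name and a birth year. The normalisation is deliberately crude; the point is that "Whitfield1974!" and "whitfield1974#2" are the same password to anyone who has seen either of them.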
So what is the answer? The public hate needing different passwords or codes, but until there is a fully robust and interoperable means of authentication this is vital (a password manager at least removes the burden of remembering them). And this is where resilience comes into its own: if the public cannot or will not comprehensively secure their data, they must instead take steps to adequately withstand its disclosure should compromise arise.
One of the key principles of data protection is to render data useless to anyone who obtains it out of context: information that is relevant and current only for the purpose, and at or very near the moment, of its use, and worthless thereafter. A one-time code that expires within a minute, or an access token that lasts a single session, is a small instance of this; a captured copy buys the thief nothing. That state is some way off for most of the data in today's open cyber society, but the ability to consciously withstand attack, compromise or maltreatment of sensitive and personal data is an important step.
Just how resilient are you and your customers? The industry is trying to raise awareness of cyber security issues with the younger generation. The same lessons apply to us more mature (silver) surfers!