Building better cyber security in organisations

A speech given by Alex Webling to the opening of Z-CERT, the Hague, Netherlands, January 2018

Building better cyber security strategy in organisations

The opening of Z-CERT is an important development in the protection of the Netherlands’ health care system. I wish you all the good fortune in the world.

[Image: Z-CERT launch, launching the Z-CERT website]

When I started working in cybersecurity for the Australian Government in 2002, the world was a different place.

For one thing, we called it electronic security and mostly it was a small extension of the great game of espionage played between nation states. We focussed almost exclusively on keeping our information confidential.

However, even then, we realised that in order to keep our systems and citizens secure, we’d have to collaborate with like-minded countries and the Netherlands was top of my list.

I have continued to admire the Dutch, because I think that you tend to be quite pragmatic in your approach to problems. Solving the issues related to cyber security and privacy is no different.

The cyber landscape has continued to evolve quickly under our feet and the need to collaborate and share best practice has only accelerated.

“If you think technology can solve all your security problems, then you don’t understand the problems and you don’t understand the technology” (Bruce Schneier)

I think you all know that the information age is upon us and has been for some time. This year, like the last and the one before, will bring more connectivity, digital transformation initiatives, and data for organisations and their human operators to handle.

The opportunities this information age brings are amazing.

All organisations, not least health providers, are focussed on getting the right information to the right people at the right time, and on preventing the wrong people from accessing it.

This is an incredibly difficult task. Getting it right relies on judgement and experience, and it is becoming increasingly difficult to achieve. Information travels at the speed of light, but we can’t think that fast.

Just think: unlike any previous time in human history, information has become very expensive to delete as well as to create.

Within a couple of generations, many organisations have moved from paper records to electronic ones. Access to electronic information brings so many benefits for the health professional.

But there is also a dark side.

With the opportunities come the threats. Threats to privacy, reputation, financial status and also to patient outcomes.

More tools developed by government hackers have become public, and it’s easier than ever to create sophisticated ways to spread malicious software or steal data.

Estimates are that ransomware cost victims 2 billion euros in 2017, twice as much as in 2016.

Meanwhile, others have predicted that global losses from another growing trend, compromised business email scams, will exceed 9 billion euros next year.

With the advent of the GDPR in less than five months, the financial penalties if data protection goes wrong are about to get much more serious. GDPR fines will be up to 20 million Euros or 4% of annual turnover (whichever is higher).

The cost is not just monetary: NHS hospitals in the United Kingdom were hit by the WannaCry ransomware cyberattack, delaying surgery for patients. The potential for things to get much worse is real.

Opportunities and Threats

Yet, the opportunities are so great, that organisations have no choice but to manage the threats that the information age brings.

So the key point of this talk is:

Good information security is dependent on dynamic organisational governance of cyber security.

An Information Security Management System can help organisations become resilient to this dynamic threat.

What is it?

So what is an Information Security Management System or ISMS and how can it help me and my organisation?

To answer that, we need to look at three questions:

  1. Why should my organisation care about cyber security?
  2. Who is responsible for organisational cyber security?
  3. What does good cyber security look like?

I have found that many senior executives find it difficult to answer these questions for themselves, so I’m going to give you good reasons to take back to your organisations to make change happen.

Why should my organisation care about cybersecurity?

Your organisation is an information business

At the risk of repeating myself, whatever else it does, your organisation is an information business. Information is the lifeblood of a modern organisation. A cyber attack can mean your organisation’s information goes to the wrong people, is changed or is removed. Even worse, you may not even know this has happened for months.

The legislative and regulatory environment will continue to become more stringent as the cyber threat increases.

e.g. GDPR

The GDPR is not the first regulation to place responsibility on organisations for protection of specific data. The introduction of the GDPR is part of an ongoing trend for legislation and regulation striving to catch up with the changes in technology and society that the information age has brought us.

You are probably aware that as early as 1995, the European Council adopted the Data Protection Directive which aimed to protect individuals’ personal electronic data.

PCI DSS does this for credit card information around the world. The Health Insurance Portability and Accountability Act (HIPAA) did this for personal health information in the USA.

GDPR requires organisations to map their personal information holdings. But mapping under GDPR is not just another classification exercise. It also requires the organisation to correlate the data back to an individual, a country of residence, consent, purpose of use and more. Under GDPR it’s not enough to just know the personal data content; it’s also essential to know the context of the data because the organisation is the steward of the information, not the owner.

The increasing reputational and financial damage suffered by organisations that are hacked

In many ways this is related to the previous point. The outrage that the public expresses every time another organisation loses their data is growing.

Some organisations have tried to hide that they have been hacked. Uber and Equifax are alleged to have done this, but any such concealment is almost always revealed quickly. Mandatory reporting provisions are putting increased pressure on organisations to reveal breaches quickly and to show how they are dealing with cyber events.

Where this doesn’t happen, the public is voting with their feet. This is having direct impacts on the tenure of leaders, CEOs and boards. For listed companies, it is impacting their share value directly.

When the GDPR comes into force in May this year, to repeat for emphasis, fines of up to 4% of organisational turnover are possible where organisations are shown to be negligent in the protection of EU citizens’ personal information. This will be a very significant increase over the previous regimes.

Who is responsible for cyber security?

This one’s easy.

It is the owner of the cyber risk

That’s the board or CEO of the organisation. These are the people that regulators are increasingly targeting when things go seriously wrong.

It is not the ICT manager, the CIO, or the security manager. The decisions on how much cyber risk the organisation should take come down to the CEO and Board. The organisation’s leader needs to make those decisions in an informed manner that balances the relevant stakeholders’ perspectives.

Goldilocks Security

I call it ‘Goldilocks Security’ – that which is just right for the organisation, not too much and not too little.

Goldilocks security is different for different organisations. Cybersecurity is a series of tradeoffs between the confidentiality of information, its integrity and its availability.

If you think about it, the most secure information is completely inaccessible to everyone, and therefore pretty useless.

There needs to be a balance.

How do the board and CEO become informed about cyber risk?

They use experts who understand the threats, vulnerabilities and consequences of cyber attack, and communicate in business-ese to the board, but they retain the decision making for themselves.

Time to move away from the word ‘Cyber’

By the way this is probably the time to tell you that I don’t really like the word ‘cybersecurity’, and prefer the term ‘information security’.

Cyber tends to make people think only of computers and networks. This then can lead to the responsibility for cyber being put solely on the shoulders of the CIO or ICT manager.

Words Matter – and as hard as it is to change the way we talk, we need to make the change.

We have to continually remind ourselves that people are both the central cause and the primary victims of information security attacks.

Weaknesses in human behaviour are still one of the easiest ways of compromising any organisation.

What does good security look like?

So now we get to the crux of the matter.

Good organisational cybersecurity is tested, systematic and repeatable; however, for many organisations it is anything but!

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

This requires a certain amount of bravery on the part of executives.

Unfortunately, our experience is that many organisations need a compelling event, such as a major breach, before they take cyber security seriously. However, it doesn’t have to be this way for change to happen.

The organisational leadership can create an Information Security Management System or ISMS.

The Information Security Management System (ISMS)

An ISMS is a set of better practice, policies and procedures for systematically managing an organisation’s information.

The ISMS operates by identifying, assessing and managing information security risks resulting from internal and external threats exploiting the organisation’s vulnerabilities.

The goal of an ISMS is to

  • manage the risk of a cyber event occurring on an ongoing basis in a holistic manner; and
  • minimise the impact on the organisation if and when a cyber event occurs.

A Strategic Decision

Implementing an ISMS is a strategic decision for the organisation. Implementation requires CEO and Board commitment – because they own the risk.

At the strategic level, the CEO / Board create an ISMS committee which has responsibility for the organisation’s information security. The committee meets regularly and oversees the development of a structured approach to better enterprise security, by dynamically monitoring and improving information security effectiveness.

Cyber risks are assessed at a holistic level. Sometimes, the organisational leadership will decide to take more cyber risk in order to achieve a business objective. The important thing is that it is done with full knowledge of the risk – both positive and negative.

When the ISMS committee operates in this manner, the organisational cybersecurity stance evolves to meet the increasing threat and the organisational business needs.

Minimising the impact of a cyber event. Or... you will be compromised

I mentioned before that information security is all about tradeoffs. Tradeoffs between your people being able to access the information they need to do their jobs – availability. Tradeoffs that information is correct – integrity. Tradeoffs that information doesn’t fall into the wrong hands – confidentiality.

It is a legacy of old cyber security thinking that many security people worry more about confidentiality than about integrity and availability, rather than about what the business needs to achieve its objectives.

Bringing information security to the board level means that decisions about tradeoffs must be made, particularly in tight fiscal environments.

Sometimes it will go wrong...

Even with an ISMS in place, there is always a risk that an information security event occurs. When it does, the organisation must respond. Good cyber response involves much more than the ICT area.

Whilst the technical response is occurring, the organisation needs to work out how to respond to stakeholders, what, if anything, to report to the authorities, and so on.

One of the key aspects of the GDPR, as I’ve mentioned earlier, is the mandatory reporting of data breaches. An ISMS brings together key stakeholders to consider risks, including the data protection officer, who can consider the impact of a breach from a GDPR perspective and advise the organisational leadership about the implications, if any.

However, like a fire drill, cyber response needs to be practised.

A smooth response to an event can minimise the impact on the organisation significantly. In my experience, the technical response to cyber incidents works better than the non-technical response, simply because the techs are responding to minor incidents day in and day out, but for other parts of the organisation, it is not their day job.

Recovering (more) gracefully

There are multiple examples (eg Uber, Equifax) of companies handling data breaches badly. However, here’s a case of one that was handled well from a public relations perspective.

In Australia, the Red Cross Blood Bank was compromised in 2016. Over 500,000 blood donors’ personal information was exposed publicly.

At that time, it was not mandatory to report breaches of personal information.

However, the Red Cross was proactive in informing the public and the Australian Privacy Commissioner. In doing so, Red Cross made the best out of a bad situation by displaying transparency and showing that they were doing their best to fix the problems.

By getting on the front foot, the Red Cross maintained the public’s trust in the blood system.

http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036

https://www.oaic.gov.au/media-and-speeches/statements/australian-red-cross-blood-service-data-breach

In summary

Why should my organisation care about cybersecurity?

Care because your business is information (whatever your business)

  • Your business is information
  • The GDPR is just the next step in a global tightening of legislation and regulation for organisations operating in cyberspace.
  • If you don’t play by the rules and you get caught, your reputation and finances will suffer

Who is responsible for cyber security?

  • The owner of the risk, generally the CEO, Agency Head or Board
  • The CEO needs to make informed decisions about how much security is just right – Goldilocks security
  • Your security and ICT people help the leadership make informed decisions. They need to translate geek-speak into business-ese

What does good security look like?

  • An information security management system is recognised as the better practice for information security and is eminently applicable to the data protection requirements of the GDPR.
  • An ISMS evolves continuously to meet the changing risks. It is not ‘set and forget’ and only works if the risk owner engages with it.
  • You will be compromised. Practise your cyber response at the organisational level, not the ICT level.

CONCLUSION

We are well into the information age. Information is the lifeblood of the organisation. The days when somebody from IT was responsible for cybersecurity are long past.

Executives responsible for organisational success must take ownership of cyber security. Cyber is just another risk category, like finance.

Establishing and running an information security management system is recognised as the best way to manage and balance information security and privacy risks for organisations.

A well run ISMS helps the organisational leadership understand the value of its information and take advantage of the opportunities of the information age as well as reducing the downside risk.

The GDPR is part of a continuum of regulation that will force organisations to design security for citizen data, across its entire lifecycle, into their processes. The provisions relate not only to technology, but also to policies and employee behaviour. The policies and practices that are instituted to meet the requirements of the GDPR can also be applied to improve information security across the whole organisation.

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

You have the power to make cybersecurity happen in your organisation. Start today, by creating your information security management system board. Make sure that the CEO is at the table. Keep the scope small and manageable whilst you learn by doing.

If your organisation hasn’t started, looking at the risks associated with the GDPR is an ideal place to begin. Once you understand what you’re doing, start expanding the scope.

Alex travelled to the Netherlands as a guest of Z-CERT, the Dutch Computer Emergency Response Team for healthcare (Zorg), in January 2018.

Z-CERT’s website is https://www.z-cert.nl/


GDPR is on its way


On 25 May 2018, GDPR comes into force. Any company that does business with EU members needs to be in full compliance with the EU’s General Data Protection Regulation (GDPR). This requires them to take specific steps to more securely collect, store and use personal information.

For many organisations, time is running out...

GDPR has big teeth

Companies not meeting the GDPR this time next year face significant fines for indiscretions.

For example, NCC Group came up with a model that took fines actually imposed for privacy breaches by the UK’s Information Commissioner’s Office and calculated what they might have been under GDPR. Under the model, British companies that were penalised for breaches last year could have faced fines totalling $112m AUD under GDPR, rather than the $1524m AUD they had to pay. That’s an order of magnitude larger.

Extrapolating the modelling:

  • The 2016 fine for the Talk Talk data breach seems small compared to what it might be under GDPR. Talk Talk got whacked last year with the biggest fine ever in the UK for a data breach, $693,000 AUD. NCC calculated that Talk Talk’s fine under the GDPR would have been an eye-watering $102 million.
  • Pharmacy2U sold personal details, including medical-related information, to a lottery company. It was fined $225,000 by the UK Information Commissioner in 2015. NCC’s modelling indicates that it would instead have faced a much steeper fine of $7.6 million under GDPR.

Those are large $$$, especially in light of a report from earlier this year by (ISC)2’s EMEA council, which covers Europe, the Middle East and Africa. According to (ISC)2, companies aren’t doing at all well. The familiar mantra is

“Time is running out”.

The (ISC)2 EMEA council warned of what it sees as poor acceptance of accountability across organizations and an apparent belief that the task ahead is one for the specialists – either legal or technical.

Meanwhile, a recent report by UK company Crown Records Management found that nearly one in four UK businesses surveyed said they had stopped preparing for GDPR. In fact, 44% said they didn’t think GDPR would apply to them once the UK divorces the EU sometime in 2019, post Brexit. There are two problems with this line of thinking. Firstly, in the short term, businesses will still need to meet the GDPR whilst the UK is part of the EU; and secondly, unless there is a complete change in trading relationships, the EU will remain the UK’s biggest export market.

SMEs are not immune

Another point of uncertainty for companies is about size. Unlike Australia, where there is effectively a privacy carve-out for most small companies, the GDPR requires that any company doing business in the EU more securely collect, store and use personal information. So smaller companies also face fines for violations that might occur.

That said, the regulation accounts for the fact that smaller businesses lack the resources of the big guys. The Bytestart UK small business portal gives some advice for SMEs on what they need to know about the GDPR. They make four points:

  • Firms of a certain size (over 250 employees) must employ a Data Protection Officer (DPO). This person ensures that a business collects and secures personal data responsibly. Smaller firms may have to as well if “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects”.
  • Mandatory Reporting – Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible but certainly within 72 hours.
  • Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
  • Failure to comply with the GDPR will lead to heavier punishments than previously. The GDPR will be able to fine up to 20 million Euros or 4% of annual turnover (whichever is higher).

So what?

Now that we’ve outlined what’s at stake, let’s look at some concrete steps companies that want to trade with the EU must take to be ready for 25 May 2018. Australian and New Zealand companies are in this boat, not only those in Brexit Britain. We’ve written previously about how the decisions in the EU and USA on privacy affect Australia. It is likely that this will be much the same.

Ireland’s Office of the Data Protection Commissioner has produced a checklist which is quite good. We’ve found this list to be particularly helpful with our clients.

  1. Become aware.
  2. Become accountable.
  3. Communicate with staff and service users.
  4. Protect personal privacy rights.
  5. Review how access rights might change.
  6. Identify your legal basis for carrying out processes and document it.
  7. Ensure you are using customer consent as grounds to process data.
  8. Process children’s data extra carefully.
  9. Have a plan to report breaches.
  10. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default.
  11. Consider data protection officers.
  12. Understand International Organisations and the GDPR.

How to approach GDPR compliance

GDPR is just another project. These are some milestones that your organisation might consider so that it can be ready for 25 May 2018:

  • Executive Support and Awareness in place
  • Project Plan and Budget
  • User Awareness
  • Appoint a Data Protection Officer
  • Identify privacy information holdings
  • Update Privacy Notices
  • Revise Data Protection Policies
  • Re-examine Information Sharing Agreements
  • Develop and accept at an organisational level Privacy Impact Assessments
  • Identify cross-border transfers
  • Establish a Data Subject Rights Management protocol
  • Ensure “Privacy by Design” is implemented into the Organisational Project Methodology

More resources

The EU has created a GDPR portal which gives a countdown until enforcement and, more importantly, FAQs about how to prepare.

http://www.eugdpr.org/

There is a lot of guidance available from the UK Information Commissioner’s Office.

https://ico.org.uk/for-organisations/

Also useful:

http://cfsystems.biz/wp-content/uploads/2016/11/Preparing_for_the_General_Data_Protection_Regulation_-_White_Paper.pdf


Enterprise Security and the tragedy of Orlando


On hearing about the horrific events last weekend in Florida USA, I was saddened first and then struck by the bitter irony that these murders occurred in Orlando. Maybe it’s just me, but I was reminded that the magical central character played by Tilda Swinton in the movie Orlando transitions his gender and Orlando, Florida, USA the home of Disneyworld is billed as the happiest place on earth.

Whether or not the tragic and horrific murder that occurred in the Pulse nightclub in Orlando on 12 June is a hate crime on the LGBT community, a terrorist attack by a radicalised individual, or both, is probably a matter of semantics. I can’t see why it can’t be both, but it is definitely something that will be skewed by various political agendas. Indeed, that started happening the following day!

Despite the fact that Omar Mateen wasn’t on a shift at the time, the Orlando shootings are a security failure that has impacted the reputation of his employer. For G4S, Omar Mateen’s murderous attack in security risk terms seems like the classic nightmare – a ‘black swan’ event. The high consequence of this low-likelihood event is that one of their 600,000 employees carried out a mass killing, with a resultant 5 percent fall in share price at the time of writing. With a market cap of almost $4 billion (USD), G4S’s value has decreased by $200 million as a result of this event. Whether or not it has long-term implications is not easily foreseeable.

There are increasing indications that Omar Mateen was unstable. His ex-wife apparently left him after four months and an ex-colleague reported that he was prone to outbursts of anger. The FBI investigated Mateen as well, but they only seemed to be looking for signs that he had been radicalised, not that he was psychologically stable or had anger management issues. None of this seems to have triggered significant investigation by G4S.

This should be of significant concern to security professionals. Bloomberg reports that Mateen was first recruited in 2007. On employment he apparently passed a psychometric test called the Minnesota Multiphasic Personality Inventory. He was apparently rescreened by his employer in 2013 and continued to work until his death. Mateen also held Florida state security and firearms licences. But somehow the indicators, which seem with hindsight to have been clear, that Mateen was no longer suitable for employment as a licensed armed security guard do not appear to have triggered internal ‘aftercare’ or due diligence processes.

More concerning is that this may be a systemic failing. In 2009, another employee of G4S, Danny Fitzsimons, killed two other staff in Iraq. One of them was an Australian, Daniel Hoar. In 2015, the UK Coroner’s inquest released its findings. Coroner Joanne Kearsley found that Fitzsimons’ employer did not make sure that he was adequately vetted before he killed his fellow employees. Coroner Kearsley reportedly said that the killing was ‘a defining moment globally in the security industry’.

Unfortunately, we may find that Coroner Kearsley’s words are equally applicable to the killings in Orlando.

In any case, these events provide significant food for thought for enterprise security professionals. Organisations do not sit in isolation; they are part of the society in which they operate, whether this is online or in the real world. Marketers tell us that their companies’ employees are “part of the community”, which is true, but this highlights the fact that there is no hard perimeter for an organisation, if there ever was. It is an increasing expectation of our societies that organisations take care of the bodies and minds of the people that work for them. Organisational resilience comes from companies recognising this and truly caring, because in the end it affects the bottom line.

http://www.bloomberg.com/news/articles/2016-06-12/orlando-shooter-worked-for-security-firm-with-government-ties

https://en.wikipedia.org/wiki/2016_Orlando_nightclub_shooting

https://www.theguardian.com/uk-news/2015/may/11/security-contractor-vetted-iraq-killings-coroner


Behavioural Economics as a tool for enterprise security

Have you ever wondered why on your electricity bill there is a representation of your household’s usage against the average 2, 3 or 4-person household telling you whether you are over or under? How does it make you feel?

The term behavioural economics has been around for maybe two decades. The marketing profession has been using the techniques it describes for even longer to get you to buy their brand. However, the use of behavioural economics as a tool for enterprise security is just emerging.

It is time for security professionals to start using these techniques to help protect organisations and not just to influence people to buy a particular soap, car or follow a sporting code.

What is behavioural economics?

Behavioural economics looks at the relationship between the decisions that we make and the psychological and social factors that influence them. A significant amount of study in this area has been on people’s economic decisions, but the tools and techniques that have been tested can be applied in many other contexts.

Daniel Kahneman and his late research partner Amos Tversky are the two research psychologists most associated with behavioural economics. In 2002, Kahneman shared the Swedish Banker’s Prize in Economic Sciences in Memory of Alfred Nobel for this work. Kahneman’s 2011 book “Thinking, Fast and Slow” explains many of the concepts in accessible terms. Kahneman and Tversky built on earlier studies that cut down an idea that now sounds quaint: that humans act entirely rationally at the population or large-group level. Even so, this idea was at the heart of much classical economic thinking.

At first, you might not think this is related to enterprise security. However, if you consider that the premise of behavioural economics is that people do not always make decisions that are entirely rational, you’d probably see the connection! In addition, the idea that small (and sometimes even intangible) incentives and disincentives can be used to guide individual actions on a large scale is also very important. It is this second aspect which is of greatest use to the enterprise security practitioner.

Behaviour is at the heart of enterprise security, because people are every organisation’s greatest asset and often also their greatest risk. At its simplest, the key aim of good enterprise security is ensuring that individuals are encouraged to make the right decisions that benefit their organisation.

Behavioural economics works by assuming that in many cases, people making the ‘wrong’ decision within an organisation do so because they have imperfect information or lack the right incentives or disincentives.

Psychologists have also found that people often exhibit a strong inclination to conform to social norms. The social norms change with the social groups that we participate in. Essentially, we often do things because our friends, colleagues, or those we admire, do. Our friends and colleagues provide us with informational social influence, or social proof. In plain English, we like to follow our herd and keep up with the Joneses.

Curiously though, we seem to struggle more with changing our minds than with coming to a decision in the first place. The idea that when the facts change, people change their minds is a bit tricky for many. Associated with this curious aspect, researchers from Harvard Business School have also claimed that we tend to think we are more moral than we actually are and inhabit an “ethical mirage”. This can mean there’s a disconnect between how we describe our decisions and how we actually behave. If we accept this somewhat unflattering portrait of human behaviour, it means that once we’ve made a decision, we tend to take a position that justifies our actions, whatever they were. And we want more justification to change our minds than we needed to come to the decision in the first place!

But what if we could get people to make the ‘right’ decision in the first place? Then they wouldn’t have to justify wrong decisions. This is where the research findings of behavioural economics are tested at organisational and national scale.

Behavioural economics concepts are being applied at the public policy level by governments wanting to encourage certain behaviour without going to the expense of legislating compliance. It is expensive to make something illegal. Sometimes it is absolutely necessary, e.g. murder, but society has to create enforcement systems, pay the enforcers, and then who watches the watchers? Some enlightened government agencies are dabbling with the use of behavioural economics to achieve high levels of compliance.

In the UK and latterly also in Australia, the tax authorities have been attempting to use behavioural economics techniques. So-called ‘nudge units’ have been set up to coax people into doing their taxes by using social proof methods. Informing taxpayers who are late paying that “90% of people pay their taxes on time” increases the rate of taxpayer compliance. This achieves the policy objective of getting timely tax payments, but does it in a way that won’t generate negative headlines. This in turn allows the tax agency to focus on individuals who are intentionally breaking the law, rather than those who are late because life got in the way.

Another recent example has been the introduction of the “No Jab, No Pay” policy by the Australian Government where parents do not get all their family tax benefits unless they are willing to vaccinate their children. Rather than making it illegal for children to remain unvaccinated, the government has incentivised parents to vaccinate. This, added to significant social pressure from almost all the medical community, means that Australia’s childhood vaccination rates are generally very high and we see fewer distressing pictures of children with whooping cough around the country.

One interesting way that companies are using social proof is in encouraging households to save water and electricity. Increasingly, utility bills show householders where they stand in comparison to their suburb in terms of water or electricity use. The householder can then consider whether they want to moderate their behaviour. Literally to keep up with the Joneses!

Marketing firms use many behavioural economics techniques to encourage us to use particular products. Many of us take advantage of airline frequent flyer programs that give rewards for the flights taken by members. The extremely successful travel website Tripadvisor awards points to its website users for the travel reviews that they produce. However, Tripadvisor points have absolutely no dollar value. They are valuable only to users in terms of social proof to that community that a member is a well-seasoned traveller. You may have realised that the majority of social media operates in a similar way.

Why should enterprise security professionals consider using behavioural economics in their organisation?

It is expensive and time consuming to maintain rules for the increasingly complex environment that organisations operate in. Rules are difficult to write well and often only work in limited circumstances. The more detail, the more exceptions need to be built. Quite often rules also create a culture where individuals only follow the letter, not the spirit of the rules. This can contribute to the creation of a workplace which is not adaptable and where security is blamed for the problems of the organisation.

This can lead to situations where workers sometimes choose to circumvent organisational rules in order to achieve local goals. A worker might shortcut a process to ensure that their team are able to complete it faster. The individual might rationalise this as being good for their company in that the job is completed faster and good for themselves in that they can go home earlier. However, the decision that they have rationally come to might be the ‘wrong’ decision from the perspective of their organisation. The shortcuts that have been introduced may decrease organisational security.

How do organisations change this? By changing the decision equation the worker faces when he or she makes that decision. This is very much the place of behavioural economics in enterprise security. Organisational messaging which demonstrates the social norms of the organisation from a security perspective is vital. So too are tools and procedures which endeavour, where possible, to make the secure decision the easiest one to make.

In many ways the decision is very much linked to the ‘security culture’ of the organisation. The security culture is effectively the customs and practices of the organisation for whom the individual works.

Organisations are increasingly moving to principles and risk based frameworks in many areas including security because they find the sheer complexity of business overwhelming otherwise. This was one of the main drivers for the creation of the Australian Government’s Protective Security Policy Framework. The PSPF tries to get government agencies to focus on their security outcomes, rather than on process.

Brain scan of white matter fibers, brainstem and above.  Laboratory of Neuro Imaging at UCLA and Martinos Center for Biomedical Imaging at MGH / www.humanconnectomeproject.org
Enterprise security professionals should be asking where they can apply these behavioural economics techniques in their organisations. The possibilities are varied and many, but one financial institution has used behavioural economics to give nudges to staff regarding personnel security. In one case, it improved staff reporting of changes of circumstances by giving them a simple message that “most people in our organisation report their change of personal circumstances within four weeks”.

In the government space, there has been debate about whether it is possible to create an ‘information classification market’ which balances the need to classify information appropriately against the costs to the organisation of over-classification in terms of long-term storage and devaluation of security markings. Such a market could work by incentivising managers to ensure that staff were classifying information as accurately as possible. As always, the trick would be to ensure that the incentives matched the risk profile of the organisation.

Every organisation is different and so are the opportunities for using these techniques to improve your enterprise security.

For more information:

http://www.nobelprize.org/nobel_prizes/economic-sciences/laureates/2002/advanced-economicsciences2002.pdf

http://theconversation.com/the-potential-of-behavioural-economics-beyond-the-nudge-43535

http://www.immunise.health.gov.au/internet/immunise/publishing.nsf/Content/clinical-updates-and-news/$File/Update-No-Jab-No-Pay-Immunisation-Catch-Up-Arrangements(D15-1126865).pdf

www.hbs.edu/faculty/Publication%20Files/08-012.pdf

https://en.wikipedia.org/wiki/Social_proof

An earlier version of this article appeared in the 100th edition of Security Solutions magazine: http://www.securitysolutionsmagazine.biz/

Cyber-Resilience

Cyber-Resilience in the Information Age

The Global Resilience Collaborative held a curated seminar at Parliament House in Queensland. Alex Webling gave a speech on Cyber-Resilience to the assembled audience.

The speech was posted on YouTube. The video is embedded below.

In summary, Alex introduces four ideas for cyber-resilience in the information age.

  1. Information is the lifeblood of the modern organisation.
  2. The value of data should determine how it should be protected
  3. Data value changes with time
  4. Considering data flows within an organisation allows an organisation to develop an adaptable and resilient approach to its security and longevity.

Subscribe to the Resilience Outcomes Channel at https://www.youtube.com/channel/UCh0XQODTB2r8nQzUBoTGSeA

Privacy Safe Harbour and Australia

Privacy ‘safe-harbour’ and Australia – not safe enough?

The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas like Australia and New Zealand.

The decision was made as a result of a case brought by Austrian citizen Maximillian Schrems on the use of his data by Facebook and in particular the practices of the US government as revealed by Edward Snowden.

This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. http://curia.europa.eu press release 6 October
*Facebook’s European HQ is in Ireland

Safe Harbour is an agreement that had been in place since 2000. It was supposed to give protections to private data collected by multinational companies on EU citizens wherever it was stored. This allowed Facebook to store EU citizens’ data in the US or wherever it was most efficient, but required them to treat it to the EU’s standards, rather than the more relaxed US standards.

The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizens’ data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.

This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.

Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.

When the big players jostle, smaller countries feel the waves.

For Australian organisations, not only those who hold EU citizens’ data, this decision should give pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only in terms of the reputational damage of a breach in markets like the EU.

The Internet becomes less than one – Time for an International Law of Cyberspace

The Internet has never been one network for all. As much as some might wish, it is a motley collection of many nets with very minimal governance. The main effect of this decision is to further balkanise the Internet in a similar way to content geo-blocking and country firewalls.

Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.

This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent of what the conventions on the Law of the Sea achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.

Complexity and Resilience in an Information Centric World

Complexity and Resilience

How do organisations develop resilience in the complex environment that is the 21st century information centric world?

The lifeblood of the modern organisation is information. Every organisation, from small business to government department depends on information being passed to the right place at the right time.

Organisations and society are becoming more complex, but that doesn’t mean that they are more resilient. Complexity and resilience are more often enemies than friends!

Complex Organisations in the 21st Century

The opportunities posed by increased information flows are enormous.

Information is being gathered, stored and manipulated in larger quantities at higher speeds and analysed in more detail by organisations and society. They aim to drive greater efficiencies and provide new and improved services. The information revolution allows organisations to become larger and more complex and to develop more complex systems and processes to support their organisational models.

The threats are also enormous

But the opportunity to become larger and therefore more complex often comes with a downside for organisational resilience and longevity. Complex systems are prone to catastrophic failure as small problems cascade and become enormous.

Information is damaging organisations when it is leaked or lost. Organisations are struggling to cope and governments are struggling to keep their own data secure. In other cases, too little information is being passed to the places that need it. The organisational strategy is a delicate balancing act!

Survival and resilience

Why do organisations fail? Organisations are by definition self-organising systems. However, when a self-organising system loses the capacity to self-organise, it is dead. Broadly, the story is similar for each one. The organisation was unable to adapt to the business environment before it ran out of resources. The end is often brought about by an acute event, but in many ways such an event is really just the ‘final straw that breaks the camel’s back’.

The Australian Government’s resilience strategy shows Australia’s leadership in resilience thinking. It identifies four options for an organisation:

  • Decline;
  • Survive;
  • Bounce Back;
  • Bounce Forward. 

However, in practice I think this may be too gentle. Taken over the longer term, organisations either live or die. There is no middle ground. Organisations that survive crises are able to do so for two reasons:

  1. They have the resources (capital, personnel, leadership etc.) to manage themselves out of a crisis once it hits, emerging weaker but alive; or
  2. They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities.

It is this second group which are truly resilient and survive long term. They still suffer from crises, but emerge stronger over the long term as they adapt to their new environment.

ICT is a two-edged sword in the quest for resilience

As organisations become more complex, they are relying more and more on information technology and systems to help them understand themselves and their environment. Organisations can become more efficient. However, most organisations do not have control of their ICT infrastructure and it is increasingly difficult to understand how information flows within an organisation. It is also important to realise that efficiency and resilience are not the same. In fact, some efficiency practices may increase organisational fragility.

Are the tools that organisations are using to try to understand their own organisations becoming in themselves part of the problem?

Possibly, though it is more the issue of complexity. There are a number of other factors:

Speed of change

The speed that societies are changing is accelerating as technology advances. This means that organisations need to be able to adapt faster in order to keep up.

Interdependence

Organisations are more interdependent than ever. It is a trend that will continue to increase. In fact, countries are also more interdependent than ever. During the Cold War, sanctions didn’t affect Russia nearly as much as they do now. This is positive from a global political perspective: no country can survive without others, not even the USA or China. It is even forcing Iran to make compromises. In some ways this trade interdependency may be an alternative to the Mutually Assured Destruction (MAD) that nuclear weapons threatened for the USA and Russia during the Cold War.

However, interdependency inherently leads to complexity and that is not a characteristic of resilience. Most organisations are increasingly dependent on long supply chains for materials and services, meaning that failure at one end of the supply chain can be expensive or time-consuming. On the other hand, international supply chains are extremely reliable … until they aren’t.

Everyone’s your neighbour

Because everyone is connected, organisations can get closer to their customers and suppliers via the Internet. At the same time criminals and competitors are able to get closer to their target organisations as well.

Some organisations have been struggling. Sony Corporation is one of the most prominent, but it is by no means the only one.

sony hacked again
From http://blogs.umb.edu/itnews/2015/01/06/the-sony-hack/

Affecting organisational longevity?

The evidence seems to be showing that organisational longevity is being reduced by a number of factors, not least the ones I’ve written about above.

This graph produced by Innosight plots the average company lifespan on the USA Standard and Poor’s company index from 1958 to 2012 and extrapolates this out to 2030.

[Graph: average company lifespan on the S&P 500]

US corporations in the S&P 500 in 1958 remained in the index for an average of 61 years. By 1980, the average tenure of a similar organisation was 25 years. By 2011, that average had been cut to 18 years. In other words, the churn rate of companies has been accelerating over the last century. On average, one S&P 500 company is dropping off the index every two weeks! In total, 23 companies were removed from the S&P in 2011, either due to

  • declines in market value – eg Radio Shack’s stock no longer qualified in June 2011.
  • acquisition – eg National Semiconductor was bought by Texas Instruments in September 2011.

At the current churn rate, 75% of the S&P organisations that were there in 2011, will no longer be on the index in 2027.

The flaws in simple risk

Risk assessment loses specificity with complexity. That is, the larger, more complex the organisation, the less accurate the risk assessment can be. This is also true when we think about societal risks.

The sum of overall risk that an organisation has, is greater than its parts.

It is hubris to think that an organisation or society can know all its risks. There will be risks faced by an organisation that are either unknown, unquantifiable or both. Moreover:

  • The organisational environment continues to change rapidly. This means that risk owners, i.e. company boards, have less time for consideration and risk assessments need to adapt to the changing circumstances.
  • Perception bias is a significant problem. Gardner talks about bounded rationality in risk – suffice to say we downplay risk of things that we think we understand. Taleb talked in the Black Swan that people focus on the simple things they could understand.

In a complex organisation, people tend to focus on problems in parts of the organisation, rather than the organisation as a whole.

Different risk events

We see these issues playing out in different events that affect organisations, whether it is an acute failure, such as:

  • the Deepwater Horizon oil spill, which may yet cause BP’s demise, but seems to have been caused by a failure in the relationship with its drilling contractor, Halliburton;
  • the Target (USA) hack, which saw tens of millions of credit cards stolen due to weaknesses in service provider security;

or a chronic failure, such as Kodak’s failure over decades to manage the transition to digital imaging, despite the fact that its own researchers had discovered the technologies in the 1970s.

A resilient approach

Resilience is the capacity for complex systems to survive, adapt, evolve and grow in the face of turbulent change. Resilient enterprises are risk intelligent, flexible and agile
(Adapted from www.compete.org)

A ‘Resilience approach’ does not ignore risk assessment and management; it builds upon it to address weaknesses in terms of dealing with unknowns (known and unknown) and perception bias. Particularly those ‘high consequence, low likelihood’ events – the black swans – that sit untreated at the bottom of any risk assessment, or fall off the bottom because nobody wants to think about them, or are not acute but in the chronic, creeping ‘must deal with it sometime’ category. Worse still, they may be completely unknown.

A resilience approach allows enterprises to put in place mechanisms to ‘deal with the gaps’ in the risk approach – those things that have been missed or underestimated.

As the world becomes more complex and organisations become more complex themselves, a resilience approach is the only option.

The resilient organisation

Develops organisational adaptability. A culture of making things work in spite of adversity. This creates a capacity to deal with adverse events – adaptability to deal with rapid onset of shocks. They also analyse to see whether improvements can be made out of any adversity.

Organisations look for mitigations that are able to treat a range of threats, because these techniques are likely to be more adaptable than highly specialised methodologies.

Testing – Organisations test systems to breaking point and beyond in the most realistic scenarios possible.

Resilience from Chaos (Monkey)

An example of testing to breaking point in a real environment is the ‘chaos monkey’ tool developed by Netflix. This application/agent randomly turns off parts of the Netflix production environment, simulating the failure of different parts of their infrastructure. It is set to only do this during working hours, when engineers are around to respond. In this way, the system is tested in the best manner possible short of the real thing.
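To make the two safety properties in that description concrete (random selection of a target, and a gate so that faults are only injected during working hours when engineers are around), here is a small fault-injection scheduler written for this page. It is an added illustration, not Netflix’s Chaos Monkey or any of its code; the working-hours window, the service group names and the ‘minimum healthy per group’ guard are assumptions chosen for the example, and the fleet inventory is constructed inline.

```python
"""Minimal chaos-style fault injector (illustrative; not Netflix's tool).

Demonstrates two guards a practitioner would want before randomly
terminating production components:
  1. a working-hours gate, so failures happen while engineers are on hand;
  2. a minimum-healthy guard, so one experiment never removes a group's
     last redundancy (the point is to test resilience, not to cause an outage).
"""
import random
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Optional


@dataclass
class Instance:
    name: str
    group: str            # hypothetical service group, e.g. "api" or "db"
    healthy: bool = True


@dataclass
class ChaosConfig:
    start: time = time(9, 0)          # assumed working-hours window, local time
    end: time = time(17, 0)
    workdays: frozenset = field(default_factory=lambda: frozenset(range(0, 5)))  # Mon..Fri
    min_healthy_per_group: int = 2    # never take a group below this many healthy members


def in_working_hours(now: datetime, cfg: ChaosConfig) -> bool:
    """Gate: inject faults only when engineers are around to respond."""
    return now.weekday() in cfg.workdays and cfg.start <= now.time() < cfg.end


def eligible_targets(fleet: List[Instance], cfg: ChaosConfig) -> List[Instance]:
    """Healthy instances whose group would still have >= min_healthy after losing one."""
    by_group: Dict[str, List[Instance]] = {}
    for inst in fleet:
        if inst.healthy:
            by_group.setdefault(inst.group, []).append(inst)
    targets: List[Instance] = []
    for members in by_group.values():
        if len(members) - 1 >= cfg.min_healthy_per_group:
            targets.extend(members)
    return targets


def run_once(fleet: List[Instance], cfg: ChaosConfig, now: datetime,
             rng: random.Random, kill: Callable[[Instance], None]) -> Optional[str]:
    """One scheduler tick. Returns the terminated instance's name, or None
    if either guard blocked the experiment."""
    if not in_working_hours(now, cfg):
        return None
    targets = eligible_targets(fleet, cfg)
    if not targets:
        return None
    victim = rng.choice(targets)   # random choice is the 'monkey' part
    kill(victim)                   # in practice: stop the VM/container; here a callback
    victim.healthy = False
    return victim.name


def build_sample_fleet() -> List[Instance]:
    """Constructed inventory for the example: three api nodes, two db nodes."""
    return [Instance("api-1", "api"), Instance("api-2", "api"), Instance("api-3", "api"),
            Instance("db-1", "db"), Instance("db-2", "db")]


if __name__ == "__main__":
    fleet = build_sample_fleet()
    cfg = ChaosConfig()
    log = lambda inst: print(f"terminating {inst.name} ({inst.group})")
    # Tuesday 10:00 -> an api node is eligible; the db pair is protected by the guard.
    print(run_once(fleet, cfg, datetime(2018, 1, 16, 10, 0), random.Random(1), log))
    # Saturday -> the working-hours gate blocks the experiment entirely.
    print(run_once(fleet, cfg, datetime(2018, 1, 13, 10, 0), random.Random(1), log))
```

Run during the window it terminates one of the three api nodes and leaves the two-node db group alone; outside the window, or once a group is down to its minimum, it does nothing. The guard is the design choice worth copying: the experiment should prove that the remaining capacity absorbs a loss, so it must never be the thing that removes the last of it.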

Chaos Monkey Released Into the Wild

This post is based on a presentation I gave in Singapore. Here are my slides

Resilience Outcomes would like to acknowledge the assistance of Emirates Airlines for getting Alex to and from Singapore in great comfort.

Security Standards are important

Security Standards are vital to our society

That’s why Alex Webling has accepted a nomination to join the Australian Standards Committee for Security Standards and to join the Australian Delegation to ISO TC292, Morioka, Japan in March 2015.

We congratulate Alex on this recognition of his security knowledge and expertise particularly  in the areas of enterprise security and resilience and his work in the Australasian Council of Security Professionals and its successor, Security Professionals Australasia.

The Technical Committee will have the following provisional title and scope:

Title: Security

Scope: Standardization in the field of security, including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, homeland security.
Excluded: Sector specific security projects developed in other relevant ISO committees and standards developed in ISO/TC 262 and ISO/PC 278.
The committee’s temporary structure covers the following areas:

ISO/TC 223/WG 1 – Framework standard on societal security management
ISO/TC 223/WG 2 – Terminology
ISO/TC 223/WG 3 – Emergency management
ISO/TC 223/WG 4 – Resilience and continuity
ISO/TC 223/WG 6 – Mass evacuation
ISO/TC 223/AHG – Professional development
ISO/TC 223/AHG – Information exchange
ISO/TC 223/AHG – Continuity management
ISO/TC 223/AHG – Revision of ISO 22320
ISO/TC 223 TF – Task force on strategic dialogue
ISO/TC 223/AHG 4 – Communication group
ISO/TC 223 DCCG, Developing countries contact group
ISO/TC 247/WG 1 – MSS for security assurance
ISO/TC 247/WG 2 – Terminology
ISO/TC 247/WG 3 – Guidelines for interoperable object and related authentication systems to deter counterfeiting and illicit trade
ISO/TC 247/WG 4 – Product Fraud Countermeasures and Controls
ISO/TC 247/WG 5 – Document Fraud Countermeasures and Controls
ISO/PC 284/WG 1 – Management system for private security operations – Requirements with guidance

We also wish to thank IAPPANZ and the Attorney-General’s Department for supporting Alex’s nomination.

The state of ICT Security

State of ICT Security – Attackers took over a SCADA-controlled steelworks furnace and caused massive damage

The threat to online assets from attackers remains critical according to a report just released on the State of ICT security by the German Government.

Cloud computing, mobile systems and big data are providing enormous economic prosperity, but have on the other hand opened up a large attack surface for organisations.

The German Federal Department for Safety in Information Technology has just released its annual “State of ICT Security” report for 2014. The German Government’s version of the bit of the NSA that helps government and businesses protect themselves online is called the BSI. They are highly skilled and well respected.

As is usual for a government report it is turgid. However, there is some really interesting stuff hidden in the morass. I’ve picked out some of the gems and translated them here.

Complexity is killing information security

The report emphasises that complexity is exposing organisations to attack. Of particular concern is that the Internet of Things (Systeme und Dinge) is now moving from the stage where it is mostly about observation of the environment to changing the environment.

Importantly, particularly in light of the Snowden exposé, this report is not coming from either the US or UK and so gives a secondary source to some of what those governments are saying.

There are over 250 million individual varieties of Windows malware around now

Other observations which confirm what you may have seen in other places:

  1. Spam continues to grow exponentially
  2. Malware is still growing and at least a million devices are being infected annually in Germany. The BSI estimates that the number of different types of Windows malware is at a staggering 250 million. This is up from around 180 million in 2013!
  3. The number of infected sites delivering ‘driveby exploits’ is growing substantially.
  4. Botnets are being used to steal identity information. There are more than one million devices under the control of botnets in Germany.
  5. Phishing continues to yield results for cyber criminals

Advanced Persistent Threats – an increasing threat for government and industry

Germany is constantly being cyber-attacked by foreign intelligence services. The BSI has installed improved sensor technology in the government’s networks following the revelations that came from Edward Snowden in 2013/14. There are a number of methodologies which the BSI has identified. This tallies quite well with some of the things Bruce Schneier has written recently about these issues

  • Strategic enlightenment – whereby the intelligence service identifies connections between various users to gain an intelligence picture
  • Attacks on key individuals – attacking system administrators for key systems to gain access.
  • Influencing standards – by weakening standards; the allegation has been that NSA individuals have influenced the NIST standards development process.
  • Manipulation of IT hardware and software – Well they would do that wouldn’t they.

The BSI notes that trusted insiders are being used to enable some attacks by intelligence services, criminals and activists.

This table is reasonably easy to read, even if you don’t understand German. It shows the prognosis (prognose) for threats over the coming year.

Schwachstellen = vulnerabilities
Schadprogramme = malware
Identitaetsdiebstahl = ID theft

Cyber threat prognosis

Case studies

The report goes through a number of cases where the BSI was called to assist businesses. Here are two that are of particular concern.

Steelworks compromise causes massive damage to furnace.

One of the most concerning was a targeted APT attack on a German steelworks which ended in the attackers gaining access to the business systems and, through them, to the production network (including SCADA). The effect was that the attackers gained control of a steel furnace and this caused massive damage to the plant.

Dragonfly attacks a dozen companies

The Dragonfly hacker group attacked a number of companies’ SCADA systems and installed the malware ‘Havex’. This was used to gather information about the systems. No damage was done, because the compromise was detected and removed before the hackers had completed the observation and intelligence gathering phase.

Conclusion

It’s worth remembering that there are many other countries dealing with the cyber threat around the world. Germany has always been one of the leading countries outside the UK, Canada, US, Australia and New Zealand grouping, and it is interesting to see how they view the landscape.

You can download the original Document from the BSI – Bundesamt fuer Sicherheit in der Informationstechnik – in German “Die Lage der IT-Sicherheit in Deutschland 2014”  https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile

Privacy and Social Login – wins first prize

Privacy and Social Login article wins award

“Privacy and Social Login”, an article published in the International Association of Privacy Professionals Australia New Zealand May 2014 edition of “Privacy Unbound” (and here), won the first prize for an article this year.

The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.

The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.

The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.

UPDATE 23/12/14

The article, along with a profile of Alex Webling was republished in the IAPP December 2014 edition – http://www.iappanz.org/IAPP/eflash/November_December_edition_59_Privacy_Unbound.pdf