Is our digital maturity a house of cards?

When I was little I learnt a few clear rules at home:

”Look three times before crossing the road. Don’t go in the water after eating. Brush your teeth in the morning and before bed.”

Nowadays you are still fighting Karius and Baktus with a toothbrush – albeit an electronic version – and the other risks have with time been demystified. On the other hand, we are now living in the digital age, developing at a pace so furious that it can be difficult to keep up.

Our kids thunder around with the greatest of ease in Cyberspace and the SoMe universe such as Instagram, Facebook and Snapchat. Therefore, we must deal with entirely new dangers, both to ourselves and our children, like digital bullying, fake profiles, identity theft, hacking and many other serious cybercrimes.

But where and how can we move safely on the internet, who can we trust, and are we at all equipped to advise and guide out kids in the digital world?

Dependent on IT

As much as it can be tempting, it is not realistic to take away my kids’ computers, smartphones, and internet access in an effort to protect them, when school and their social lives are dependent on these tools.

In the business world too, where in Denmark we are generally quite tech-savvy and IT-mature, we are also completely dependent on these tools along with a well-functioning IT infrastructure. But, are we aware of the risk of unintended events and the fatal consequences they can have?

Experts predict the probability that one or more major Danish companies risk going belly-up in the near future because of undesired security incidents in the IT infrastructure. To illustrate, the NotPetya incident at Maersk cost over DKK 2 billion, and this despite the fact that the organisation was most likely far better equipped and prepared than a lot of other companies.

But how shall we advise business and our children?

Digitalisation

It is obvious that business wants digitalisation to streamline workflow and to seize opportunities for time-to-market just as soon as they appear. These processes involve major savings and leaving it out is not an option because demands from the authorities and partners dictate the development, not to mention the competitive situation.

I acknowledge that we cannot stop digital development, but I reserve the right to question the speed and quality of this development.

Patch Tuesday, for example, has become a familiar term in the world of IT, and it is thought-provoking that a day of the week can be named after an entire industry’s inability to delivery stability and quality.

The fact remains, however, that faults will arise as will new uncertainties – we cannot avoid that. Yet, I still come across many companies that work by the principle: ”If it ain´t broke, don´t fix it!”

But – it IS broken! That is why there is a bug fix available!!!

In the automotive industry, when a fault is detected in a car model, all the cars are often recalled to repair the fault. Obviously, it is an expensive process which is why manufacturers use a great deal of time on development, testing and production to safeguard against recalls. An in aviation, fortunately, we don’t question that known vulnerabilities are repaired immediately.

But are companies at all aware, at the time of establishing IT solutions, of the risks, the potential consequences and the cost of unintended events?

I don’t mean just the costs of performing a restore from backup, but the company’s actual cost of production staff, lowered sales and reputation damage, not to mention the reimplementation of the entire IT infrastructure.

For Maersk the cost, as already mentioned, was almost DKK 2 billion. What would it cost you company?

Whose responsibility is it?

When it comes to predicting digital threats and preventing undesired incidents, there should be no doubt that it IS a highly accessible area.

The proliferation of IT systems remains inevitable and makes IT systems far more complex than necessary. They are becoming increasingly harder to handle, both in the preventive phase and not least when things go wrong.

Company management must of course ensure that finances don’t get out of hand. From this perspective, you can understand why management finds it difficult to see what is wrong with the (new) firewall they invested in just 2½ years ago. And why isn’t continuous updates and maintenance the responsibility of the external provider that the company is paying?

This, together with the different opinions and attitudes of the technical manager, technicians, project managers, users and providers, often ends up with nothing happening. Not due to bad will or carelessness – just simply because it is easier.

But IT security – just like everything else – is ultimately the responsibility of management. Management must therefore make the right decisions, but these must be informed decisions, and should be based on this formula:

Risk = Probability x Consequence

Probability is the technology. Consequence is the business area, and risk belongs under management.

Therefore, I have great respect for management that chooses to run the risk when this is decided on an informed basis.

Prevent, identify and compensate

When a final decision is made to do something that increases security and/or controls the risk, the business will typically face a number of challenges. There could be a shortage of:

  • specific competencies within IT security, threats and vulnerabilities
  • knowledge about the IT infrastructure
  • insight into the organisation
  • financial resources

Once we have identified the risk, a change of habits, or even better, acquiring new habits, would be a relevant supplement to the process of preventing, identifying and compensating for security breaches.
Preventing incidents to reduce the risk will typically the major focus. This is quite natural, however, if the focus is solely on prevention it could limit the business and is often a costly solution because the costs cannot be measured against the actual effects.

My view is that it is at least just as important to ensure that incidents are identified. Searching for anomalies is unfortunately a process that is highly underestimated. At the same time, it is worth pointing out that we cannot prevent incidents without identifying that they exist, or those that have already hit us.

Therefore, I must reiterate how important it is to pre-plan and prepare compensatory measures when a security breach occurs.

Always have a Plan B ready beforehand, because it is simply too late when an undesired incident hits you – PLAN TO FAIL!

Think about the consequence

How should business relate to future threats when it comes to IT security?

If I had the final and absolute answer here, it would mean nothing less than a golden egg for business, as it is very difficult to predict what will come next from the hidden underworld of the internet.

If businesses think in advance and illustrate the consequences of an undesired incident, and based on this plan what to do, this is already a big head start.

It could be something as simple as, for example, ensuring that the systems are constantly monitored and tested, to be sure that they are working as intended.

Right now, while everyone is so focused on complying with GDPR, we could just as well put procedures for IT security on the agenda and processes into the system. This would make it more likely that an item concerning continuous IT security comes up on the operations budget and thereby a chance to secure the necessary competencies in-house, or the use of external specialists when necessary.

Copy/paste

How do I advise my child in the digital world?

I’ve done a copy/paste on my parents. I am worried, and keep repeating: ”Careful now… Don’t do…. Think about it now…”.

At the same time, I remember how many times I forgot to look three times in the traffic, swam after a meal or cheated on brushing my teeth.

But I have set a ceiling on the kids’ credit cards and telephone bills and set up a special VLAN for the kids and their friends. So, an undesired incident is not going to affect mom – or me – and I, therefore, have an overview of the consequences in these areas.

Our digital maturity isn’t necessarily a house of cards that can come crashing down, but we ourselves can decide how good a foundation we need to create the basis for our IT platform and the business on a whole.

By Niels Mogensen, Security Evangelist, Conscia 
As a security evangelist and ”techie by nature” Niels Mogensen has deep knowledge and interest in the soft aspects of IT security, and connecting this with the challenges and opportunities that technology brings. Niels Mogensen has been in IT security for more than 25 years, and therefore has an opinion on EVERYTHING – and, not least, everything that has to do IT security.
Exam ESL, CISSP, CISA