I’m often asked what cyber security means. The Attorney General’s department defines cyber security as “Measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means.”¹
A key question, then, is how do we address cyber security to enable the safe, healthy growth of our digital economy?
Dot point 1: Understand where our information of high consequence is
The first step is to understand what information we or our organisations have, what of it is important, and where it is. Only then can we start looking at how it is protected.
When mapping our data in this way, less a network topology than a mind map of our information and where it is in transit and at rest, it may initially look like a heatmap of vulnerability. While this may be a disconcerting exercise at first, there is a positive – the first step to addressing a problem is understanding it.
Our heatmap will likely extend outside our own organisations to other organisations and individuals – from cloud service providers, to homes, and to professional service providers from IT to doctors, lawyers, accountants and other providers where the information is not in our control. We call this our ecosystem.
That we are only as secure as our weakest link needs to be balanced with the value created by ever-increasing interconnectedness. That is, rather than cutting access to our valuable ecosystem and thwarting our digital economy, we need to communicate, collaborate and safely grow our digital economy.
We therefore need to review our cyber map and look at simplifications, protections, prioritisations and how to influence and encourage our ecosystem to do the same.
Dot point 2: Understand how our information of high consequence is at risk and plan to fill the gap
The next step, in our own cyber security context (which includes our ecosystem), is to understand the consequence of information becoming unavailable, made available where it shouldn’t be, or changed. We also need to understand the likelihood of those consequences occurring and pragmatically consider how cyber security can enable our strategy.
For example, if our information becomes unavailable because it has been locked up by ransomware, or it is deleted – what is the consequence? If an attacker has this sort of access, they will likely have breached confidentiality as well. So, if that information were to be shared on the black market with competitors, for example, or posted to a public site, by way of another example – what is the consequence? If not deleted, with that type of access the attacker could also change the information. If, say, pricing or payroll information, email recipient information or other information were to be changed, or a website defaced, by way of a few more examples – what would be the consequence?
From a strategy enablement perspective, how does choosing products or services with a level of cyber security inherent to the functionality or benefit they provide, rather than an alternative that may at face value be cheaper, enable or put at risk our strategy? How does providing a level of cyber security inherent to the products or services we offer enable our strategy and increase our chance of winning business, improve our reputation and/or reduce our overall reputational, financial or other risk?
In thinking through these sample questions, you will probably note that some of the data crossing your mind is of higher consequence than the rest. This is called contextualisation. Another part of contextualisation is understanding who else may find the information of value, even if it is of little perceived value to us, our customer or supplier – at the same time remembering that even a single file may have valuable meaning in the aggregate.
For example, if we would consider paying a ransom for the information (not recommended), it is valuable to an attacker. If the attacker can, say, reduce our contract negotiating power with the information, this too is of value to them. If it gives an attacker access to a system that has money flowing through it (eg our payrolls, online banking, super accounts), this too is of value to them. If it gives an attacker the opportunity to disrupt the productivity of our businesses, this may also be of value. We can see, then, that we also need to consider the objective of an attacker and what value our information might provide, including if it were to be aggregated with others’ information in these heady times of big data.
After mapping out our data in transit and at rest (our ‘cyber map’), contextualising information helps prioritise actions on protecting that information and the level of protection it will receive given time, risk-appetite and resources. Some of these protections may be adaptations of existing resources and behaviour (eg innovation, training, culture), some will involve cyber-related products and services (eg legal, IT, insurance) and some may involve specialist tactical services and products (eg risk assessments, penetration testing, intrusion protection systems).
Dot point 3: Act on plans and measure progress
The key, once these are assessed, is to ensure we act on these plans and that the results are measurable.