A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders
In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.
There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations. Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.
This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.
Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation. To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.
Episode 2: Know thyself.
What are you trying to protect?
“I don’t know what I’m looking for … I think it might be because if I knew I wouldn’t be able to look for them.” (Douglas Adams, The Hitchhiker’s Guide to the Galaxy)
Readers of a certain age might recall the then US Secretary of Defense Donald Rumsfeld’s now infamous quote about “known unknowns” and “unknown unknowns”! The essence of it is that there are risks you are aware of (known unknowns) and risks that come from situations that are so unexpected that they would not be in scope for consideration (unknown unknowns).
You can’t protect what you don’t know you have.
That sounds obvious, doesn’t it? But it’s amazing how many organisations don’t have a central or complete record of their digital and data assets.
So when thinking about information security, you can only manage the “known unknowns”, which are the risks to your known systems and data assets.
The “unknown unknowns” are risks you are not even aware of, because they affect systems and data that you don’t know you have. Those risks are just as real, but unless you know about them, you are leaving them unmanaged, and your organisation exposed.
Our Cyber Security Assessment service is based on the CIS Critical Security Controls. There are 18 of these, numbered in priority order according to the impact that these have on delivering security to your organisation.
First, second and third in the CIS Controls list are asset inventories: hardware (enterprise assets), software, and data. Not the frontier technologies of next-generation firewalls, endpoint detection and response, and user behaviour analytics, important as these are.
Inventories. Dull, perhaps. But worthy.
Your starting point must be identification of the assets to create those inventories. These are as vital to your cyber security as the accounting ledger is to the finances.
This is where the executive team has an important support role to play.
The easy bit
There are lots of tools out there to help build inventories. Automation is your friend here. Don’t tie up your valuable personnel resources in manually recording things in spreadsheets, which will go out of date as soon as they are finished. You need automated tools to build the inventory in the first place and to keep it regularly maintained.
Many asset management tools come with a network discovery capability, but you might need more than one tool to do both “active” and “passive” discovery. Active discovery sends probes to every address on your network and records what answers, but not every connected device responds in a way that identifies it, so passive discovery listens to the traffic that is already flowing (DHCP requests, ARP and DNS lookups, and the like) and works out from the chatter what is there. Software inventory usually needs a different tool again, typically an agent on each managed device.
There’s an important hidden benefit to these tools. Not only will they discover the assets you know you are trying to protect, but they’ll discover the assets you don’t know about. The things you want and those you don’t.
If unauthorised equipment can be plugged in to your network, it is an easy route for malware straight into your organisation. Unauthorised software can be malicious in itself, can be used to exfiltrate data, or can carry vulnerabilities that allow further attacks. Detecting this is not easy: you need systems which are constantly watching and reacting, and automated tooling is the only feasible way to achieve this.
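To make the discovery-and-reconciliation idea concrete, here is an added illustration (written for this edit, not code from the original post or from any Jisc tool). It takes two passive sources, a DHCP lease log and an ARP table, merges what they saw keyed by MAC address, and compares the result with the authorised asset register, producing the two lists an asset owner actually needs: devices on the network that are not in the register, and register entries that have not been seen. The same check is what the later recommendation to run “regular and automated checks” against the central inventory amounts to in practice. All three inputs are constructed sample data, and their line layouts are assumptions rather than any particular product’s format.

```python
"""
Reconcile passively observed devices against an authorised asset register.

Added illustration for this post; not from the original article or any Jisc
tool. The DHCP log, ARP table and register below are constructed sample data
and their field layouts are assumptions, not a specific product's format.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines in the style of a DHCP server's lease log
# (timestamp, message, IP, MAC, client hostname). Layout assumed.
DHCP_LOG = """\
2024-03-04T08:01:12 DHCPACK 10.20.1.15 aa:bb:cc:00:00:01 lab-pc-07
2024-03-04T08:02:40 DHCPACK 10.20.1.31 aa:bb:cc:00:00:02 hr-laptop-3
2024-03-04T08:05:03 DHCPACK 10.20.1.77 de:ad:be:ef:00:42 ESP_3F2A1C
2024-03-04T08:06:19 DHCPACK 10.20.1.78 00:11:22:33:44:55 Johns-iPhone
"""

# Constructed sample: lines in the style of `ip neigh` output. Layout assumed.
ARP_TABLE = """\
10.20.1.15 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.20.1.77 dev eth0 lladdr de:ad:be:ef:00:42 STALE
10.20.1.90 dev eth0 lladdr 08:00:27:12:34:56 REACHABLE
"""

# Constructed sample: the authorised asset register, keyed by MAC address.
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": "lab-pc-07 (Physics, asset tag 10442)",
    "aa:bb:cc:00:00:02": "hr-laptop-3 (HR, asset tag 10981)",
    "aa:bb:cc:00:00:03": "finance-desktop-1 (Finance, asset tag 10120)",
}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Observation:
    """Everything the passive sources told us about one MAC address."""
    mac: str
    ips: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def observe(text, source):
    """Yield (mac, ip, hostname, source) for each usable line of one source."""
    for line in text.splitlines():
        mac_m = MAC_RE.search(line)
        ip_m = IP_RE.search(line)
        if not mac_m or not ip_m:
            continue  # lines without both identifiers carry nothing we can key on
        # Only the DHCP log carries a client-supplied hostname (last field).
        hostname = line.split()[-1] if source == "dhcp" else None
        yield mac_m.group(0).lower(), ip_m.group(0), hostname, source


def build_observed(sources):
    """Merge observations from several passive sources into one map keyed by MAC."""
    seen = {}
    for text, source in sources:
        for mac, ip, hostname, src in observe(text, source):
            obs = seen.setdefault(mac, Observation(mac))
            obs.ips.add(ip)
            if hostname:
                obs.hostnames.add(hostname)
            obs.sources.add(src)
    return seen


def reconcile(observed, register):
    """Split into: registered and seen; seen but unregistered; registered but absent."""
    matched = {mac for mac in observed if mac in register}
    unknown = {mac: obs for mac, obs in observed.items() if mac not in register}
    missing = {mac: desc for mac, desc in register.items() if mac not in observed}
    return matched, unknown, missing


def run(dhcp_log=DHCP_LOG, arp_table=ARP_TABLE, register=ASSET_REGISTER):
    observed = build_observed([(dhcp_log, "dhcp"), (arp_table, "arp")])
    return reconcile(observed, register)


if __name__ == "__main__":
    matched, unknown, missing = run()
    print(f"{len(matched)} registered devices seen on the network")
    for mac, obs in sorted(unknown.items()):
        print(f"UNREGISTERED {mac} ips={sorted(obs.ips)} "
              f"names={sorted(obs.hostnames)} via={sorted(obs.sources)}")
    for mac, desc in sorted(missing.items()):
        print(f"NOT SEEN     {mac} {desc}")
```

On the sample data this reports three unregistered devices (a hobbyist microcontroller board, a personal phone, and a virtual machine seen only in the ARP table) and one registered desktop that has not appeared on the network, which is exactly the “things you want and those you don’t” the post describes. Keying on MAC address is a deliberate simplification: MACs can be randomised or spoofed, so a production inventory correlates several identifiers (switch port, 802.1X identity, agent ID) rather than trusting one.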
Your support role as executive leaders is to promote and authorise investment in automated tools.
Hiding in the shadows
When people in your organisation can’t use a piece of hardware or software the way they want to, they find other roundabout ways to achieve this. As sure as water finds a way down, your people will find a way to get around any technology restrictions which are in place.
This is called “shadow IT”, and it happens in every organisation. A smart thermometer which powers itself from the USB port on a desktop computer. A great bit of open source software which is much better than the licensed Microsoft equivalent… A free Dropbox account to share important documents when people are out of the office. The list goes on.
The incidence of shadow IT has increased with the rise of remote working. And while in the vast majority of cases there is no malicious intent, any of these can pose risks to your organisation’s network and data, often in unexpected and unpredictable ways.
There are plenty of cautionary tales which testify to this. I’ll devote a future episode to this topic (Out of the Shadows), but for now the key takeaway is that you need to know what digital assets are in use—authorised and unauthorised—before you can start making sensible assessments of risk.
The Rise of ChatGPT
ChatGPT is an important topical example of shadow IT. Anyone can create a free ChatGPT account, it is almost guaranteed that every student and researcher is using it in some shape or form, and this has opened up a new avenue for data loss. Last year, it was reported that engineers at Samsung pasted proprietary source code into ChatGPT to get suggested fixes for software bugs. In doing so, they handed that confidential code to a third-party service whose terms at the time allowed submitted content to be retained and used for training, with no way to recall it and the risk of it surfacing in responses to users outside Samsung.
Are you confident that sensitive data isn’t being leaked via the use of ChatGPT? Do you have a policy around using this and other AI tools? I’ll discuss this in detail in a future episode (Careless Talk Costs).
Knowing where the value lies
In the knowledge economy, UK Education is a major player, and your biggest assets are your people and your data. R&D in the sector stimulates around £2 of private spending for every £1 invested and your intellectual property is a high-value asset.
Couple that with the personal data of thousands of staff and students which is subject to regulatory compliance, and you are sitting on a mine of valuable data which will cost dearly if it finds its way into the wrong hands.
As organisations grow, so too do the requirements and methods of data storage. As research projects come and go, universities can end up retaining unsupported legacy systems to keep bits of equipment running, and pools of data can sit in silos unrecorded and unprotected: central file servers, local file servers, USB sticks, external drives, cloud storage accounts. These are an accident waiting to happen, an easy target for cyber attackers.
The proliferation in the use of mobile and personal devices for creating, storing, processing and sharing data presents huge challenges for organisations in protecting the devices and the data they hold. There’s much more to say about this, and I’ll devote a whole episode to it (Data, data, everywhere).
If you don’t know what data you are storing, or where it is being stored, then you haven’t got a hope of being able to secure it.
The hard bit
This is where organisations of all sorts have the greatest challenge. In the higher education sector, there’s often a clash of interests between academic freedom and perceived corporate-style direction and restrictions. Managing the interests of both researchers and the organisation is a delicate balancing act, and the executive leadership has a key role to play here.
What you need to be doing is putting in place data governance mechanisms that make it clear where responsibility lies for data ownership and management. This is well embedded in standard business functions, like Finance and HR. But not so much when it comes to academic activities.
This requires building a culture which promotes academic freedom alongside security best practice, and which treats information governance as a key element of a research project alongside its outcomes. It is not always popular, but it must be understood in the context of the risk of intellectual property theft or data breach.
Cars have brakes so they can go faster
All too often, this sort of requirement is seen as a brake on research and innovation. Information Security teams are sometimes labelled as the Department of “No”, security is seen as stifling innovation, and spending on security is seen only in cost terms. In reality, information security done well is an enabler in the same way that a car’s brakes enable it to maximise its performance without compromising safety.
In the executive team, you can be pivotal in promoting information security as an enabler to support innovation while mitigating the risks.
So make sure that departments and research teams account for their hardware, software and data assets. Conduct regular and automated checks to ensure the central asset inventory is complete and accurate. Require funding bids to include data governance. Ensure that the Information Security team can advise on new developments, and has the capacity to respond quickly to develop solutions. Devise a mechanism for resolving conflicts when new developments cannot meet security demands.
Driving a change in culture isn’t an easy task. It’s a long term change, but you can start the process by getting the ship pointing in the right direction. Carrot is always preferable to stick, so reward teams which promote information security. I’ll say more about this in a future episode on Security Awareness Training (Don’t Train in Vain).
A Final [Deep] Thought
In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at identity and authentication management—how to manage who gets in to your systems, and how to keep the bad guys out. Knock, knock, who’s there?
For now, you can take useful steps forward by checking out your organisation’s asset management. Do you have a register that covers the whole organisation? Do you know what your digital assets are—hardware, software and data? Do you have a data classification scheme? Do you know what your most valuable data is and where it is stored?
James Bisset is a Cyber Security Specialist at Jisc. He has over 25 years experience working in IT leadership and management in the UK education sector. He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, and is a member of the GIAC Advisory Board.