It’s a rare day indeed when the worlds of IT security, psychotherapy, and The Pirates of the Caribbean converge – but, when we’re really asked to dig deep into where potential threats to your company’s data assets come from, there’s some merit to this unlikely combination.
“The problem isn’t the problem. The problem is your attitude about the problem.” With this quip, Captain Jack Sparrow dusts off a tried and tested tenet of therapy; essentially that the way we approach an issue will often dictate the outcome.
While it’s fair to assume the nefarious pirate’s tech knowledge is (at best) limited, this therapeutic way of thinking is pertinent when we sit down to consider potential gaps in network security. In fact, it’s probably more accurate to say that this life-lesson is especially pertinent when we don’t sit down to consider potential gaps in network security. What’s unknown isn’t the problem, the problem is how we often simply do not work to expose what is unknown.
What do we know?
Data security is a hot topic and, as such, it’s fair to assume that IT professionals are up to speed with the latest high-profile cyber security threats. It’s also fair to assume that cyber criminals are not unintelligent – and while there are many who are employing tried and tested techniques to breach unwary company’s defenses, there are also master tacticians looking to exploit a tiny weakness that’s otherwise crept under the radar.
When the post-9/11 conflict in Afghanistan was raging, a group of the military’s finest problem-solving minds sat down to discuss potential threats to a US stronghold that lay in a important strategic desert position. The well-fortified base seemed impenetrable – and indeed, a huge range of possible threats had been considered and mitigated. To ensure no stone went unturned, an AI scenario generation program was used to expand the human ability to assess the situation – and it flagged a potential issue, albeit an unlikely one. The water supply to the base was not secure, so, as a precaution, alarmed toxicity monitors were installed.
Around two weeks after the installation of the monitors, the alarm was triggered. Enemy forces had seen to it that the water supply was poisoned – and, had the AI not highlighted this very unlikely risk, the situation could have been dire for the troops and staff occupying the base. What was the chance this was going to occur? How likely was it that the enemy was going to supplement its usual barrage of RPGs with some highly-calculated precision attack? Well, according to the logical and objective brains of the team tasked with listing the risks, it wasn’t just unlikely – it was entirely unconsidered.
So, what do we know? We know that, no matter how knowledgeable a team of people are, there’s always the possibility that we’ve overlooked a tiny weakness somewhere in the sprawling complexity of our company’s IT security infrastructure. The unknown threats to your company data assets aren’t so much the ones that are the most innovative or deceptive – they’re the ones that are completely unconsidered.
What do we do about the unknowns?
When you’re an IT professional, it’s easy to be defensive about the idea that any part of network security is an unknown – so it’s worth framing these unknowns as exactly what they are – gaps in control. When you control 100% of whatever environment you’re in, there’s no room for any variation of outcome.
Of course, micromanaging a full company’s staff force is impossible, so, rather than watching over shoulders, is it worth circulating engaging information relating to the latest IT threats to end-users – underlining their part in fight to keep data secure? Is it time to revisit your IT policy and make sure it’s as watertight as possible – to account for the simplest oversight by an unthinking member of staff who’s about to plug a mystery USB drive into a networked machine?
What do we do about the unknowns? It’s a trick question really – unknown is always unknown – all we can do is fight to limit how broadly that ‘unknown’ term applies.
Identifying gaps in control
England’s National Health Service (NHS) employs upward of 1.4 million people across tens of thousands of sites. It’s got a budget of over £100bn ($130bn) and its IT systems are some of the most ambitious ever embarked upon by a health service. In May 2017, the WannaCry ransomware attack brought the NHS to its knees – life-saving operations were cancelled, urgent cancer patient referrals lost, and emergency ambulances were diverted away from hospitals owing to a lack of communications. The cause? An until-then unknown; a handful of machines still running Windows XP that were no longer subject to Microsoft security patches.
Now, when you consider embarking on a mission that involves consolidating security across a network of this size, it’s little wonder that there were gaps in control – but what’s your excuse? It’s a big task? You don’t have the budget? The scope is too broad? Ultimately, you have to decide whether these are reasons you want to be putting to a board should you find yourself with lost data.
Of course, a lack of resources is often the issue we come up against when we’re hoping to extend what’s possible for our IT infrastructure – and, in this case, communication is the key. We’re familiar with the increasingly sustained efforts that are made to steal company data – but you’ve got to remember that IT is the first line of defense. A relaxed demeanour about cyber security might make the business decisionmakers above you feel safe, but if it shields a senior management team from a series of very real and increasingly tactical attacks, it’s time to up the ante and start tugging at the purse-strings.
Increasingly, data is your company’s most precious asset – and, even if it’s not, mishandling data comes with potentially catastrophic consequences. Now is not the time for allowing unknowns to remain unknown, now is the time for dragging every possible threat out of the shadows – and making sure every person who has access to a device understands their role in countering the biggest threat to your company’s very existence.