There I was intently watching Bloomberg’s market open reports for Europe. Great news ARM shares increased, sales up, profits up, future growth unlimited; everything we do will be controlled by mobile devices and everything we have will be controlled using chips from ARM or Intel. Then the adverts come on, a new series called “Power” predicts the day when ‘someone’ will turn off all the power in the world, then something spooky happens, the power goes off. I reach for my torch, the UPS switches in and I am glad I had a contingency plan. We have heard it already, one day we will be totally “Chips with everything” I thought we were already well down that path but the predictions of the investment analysts are riding on the assumption that computer controlled life will increase by 1000’s of percent.
OK it’s not news, but the scale and timing of change expressed in real numbers is making ‘exposure’ exponentially greater. Just look at the analyst’s predictions for the future of ARM and the others who will enter the market to meet the growth. The targets are growing making the likelihood of attack greater. I am in a place where power cuts are frequent, the likelihood is high, the risk is maybe; stumbling and falling over (downtime) or blowing my electrical equipment (assets) or my freezer contents (stock). I have a contingency plan, a torch/lamp and a UPS on some equipment. When in an area where the likelihood is low then the business equivalent of a torch and UPS are not even thought of, even laughed at. BUT what happens when everything becomes computer dependent? The target size (base units) subject to attack increases and so does the type and volume of attacks. As the joined up world increases so does the incentive for the attackers.
Stop for a moment and take a look around you – IT isn’t just the computer on your desk, the lap top in your bag or the mobile in your pocket. Insecurity is fired by media frenzy over utilities and public services, traffic control, hospitals, being attacked and out of control – now we have disaster movies based on SCADA attacks. The truth is IT is already controlling who is and isn’t entering your building virtually and physically, how and where your customers are being dealt with, driving your production line and it even has a part to play in how your coffee is produced in your super new Nespresso machine. IT is no longer confined to a small back office, possibly in the basement, staffed with geeks all speaking their own language. IT keeps you open for business, but if you’re not careful it can close you down for good.
We are no longer running businesses with just commercial risks; we are also open to attack at the infrastructure level. Just as we recognise risk from fire, flood, riot, burglary we have to acknowledge that there is a chance of physical damage through attack on the processors that are increasingly taking on the role of controlling the devices we rely on. Just as the criminal has turned from actually going out and robbing people, he stays at home and gets someone to do it through the web, so the criminal and the terrorist will stay at home and attack your infrastructure.
If your defensive posture is against just the exploits that attack the commercial operation then you had better start thinking again, your infrastructure is about to become game, and it’s hunting season.
The effect of being closed for business, however temporarily, will cost the organisation money. For an online retailer it’s a little more obvious, if customers aren’t able to make purchases there’s the immediate loss of revenue. However, for a large manufacturing company, if its IT infrastructure fails and production has to shut down for 24 hours the costs will soon mount potentially into the millions. If the business has a continuous process it could be lost forever The expense isn’t limited to the immediate problem of restoring services or production – there’s the lost time, ruined stock, ongoing costs of rebuilding confidence in the customer base and potentially amongst shareholders, plus the knock on effects such as an increase in insurance premiums. The costs mount very quickly.
For every company, there is a requirement to exercise due diligence; the care of the company’s assets and the future ability to produce returns for investors. This is increasingly embedded in legislation, regulation, standards and best practice guidelines. Part of corporate due diligence is to provide defensive measures to reduce risk, Firewalls/IPS etc. It has become accepted that all that can be done is the best we can, within budget and expertise constraints and that means we are behind in the battle and the battle is about to cover a wider range of targets. Suffice to say that, in order to exercise due diligence and care, you need to plan for the day you can’t – in other words, a business continuity plan.
I challenge you – get a copy of your disaster plan (if you have one), dust it off and actually read it. In the majority of cases it will cover eventualities such as damage caused by fire, theft or even flooding. If you’re based in one of the cities it may even include a section on external threats i.e. terrorist attacks and other disaster eventualities. You’ve probably got a plan for overcoming a power failure, where to resource external staff if yours are ill and, if you’re in production, crisis management if your product fails. What does it say about suffering a cyber-attack? Chances are it doesn’t. If it does it might be data recovery and application re-instatement now you need to cover potential infrastructure damage.
The creation and regular review of a disaster/contingency plan will not only identify what to do when all else fails it will also highlight events where you can reduce the risk and reduce the cost of the contingency. Make your IPS work more effectively, create proper back-up processes, train people. The contingency plan will help justify the cost of reducing risk through better defence OR provide the cost effective alternative.
The contingency plan is an essential part of your IT security plan. Risk management is not just reducing risk it also about what to do when things do go wrong, do not forget this when presenting to your board.About the Author
Ray Bryant, CEO of Idappcom
About Idappcom
Idappcom Ltd. are a private UK registered company founded in 2004. Our Objectives are to provide excellence in the field of IT security and application security and management. Our main product, Traffic IQ, is a vulnerability assessment tool and has wide acceptance with security professionals throughout the world. Clients include nearly all major security appliance vendors, independent appliance testers, Military establishments, Telecomms companies and various others across a broad range of industries.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.