Let’s start the article with a little general-knowledge question from 2009: which of the following statements from back then is the most accurate with respect to the state of the UK economy and what it was suffering: a) Economic Downturn, b) Global Recession, or c) Diminished GDP? My assertion is that most, if not all, readers will be familiar with all three statements, and of course the real-time impact of the downturn was all of them, manifesting in economic shrinkage and growth only just above flat-lining. The sociological pain that economic crisis created resulted in the closure of businesses and the loss of employment, income and/or standards of living. But in that time of economic austerity it was not all doom and gloom, as one particular sector was enjoying significant growth, establishing strong lines of continued and increasing revenue, and enjoying what may only be described as exceptional success. In those days it was an industry open to anyone and everyone: the Crimeercialised (as opposed to Commercialised) sector of operations, e.g. fraud and crime. With that backdrop in mind, jump forward to circa 2016/17: according to the CIFAS report published in March 2017, we are now seeing a truly epidemic situation in which cyber-crime has reached an all-time high, and there is no doubt that even more criminal success is yet to be enjoyed.
Way back in 2009 it became very clear that criminality, sleight of hand and simply cooking the books were not just the preserve of MPs or executives, with Members of Parliament continually making accounting errors (no reform there in 2017, of course), and today we see former members of the Bank of England still suffering for omitting to declare their interests in line with the standing process. Governance failures at the very top are always the most worrying! And here the great unwashed public have both seen and suffered at the hands of those who bent or broke the rules put in place to safeguard the fiscal system, for the sake of amassing enormous personal profit and position, no matter the resulting impact or implications!
So, when considering fraud, criminality and transgressions within organisations, does this imply that dishonesty is far more widespread in our social and business communities than we could ever have imagined? Again, a little historic value-add: in 2010 a survey was run by Tufin Technologies against a sample of 1,000 young persons from London and 150 from Cumbria. They were asked how many had tried their hand at hacking. A surprising 25% said they had. The survey further found that whilst 46% were doing it for fun, 21% were aiming to cause some form of disruption. Even more worrying, 5% of those surveyed felt that this new skill could be used for the purpose of a future career, working on the dark side! This situation, I believe, has increased dramatically since.
For more history, add to these statistics the findings of an Actimize survey conducted in 2009. The survey asked 70 global financial institutions whether they believed the threat of employee fraud was a real issue; 82% felt it was on the increase, largely driven by the economic situation at the time. Jump to 2017 and this opinion would seem to have been well founded!
Last but not least, in April 2010 PwC reported in its annual survey that e-crime had doubled in two years, with an estimated cost to the UK economy in 2009 of £10bn. So, dealing with the facts we know, it may reasonably be concluded that security within the organisation should today be of paramount importance. However, this may be easier said than achieved, as even today in most organisations the surfaces of presented risk may reside in uncoordinated areas with little or no effective communication running between the organisation's own security disciplines!
Let us consider the internal challenges of today's complex national and multinational operations: earning, spending and moving enormous lines of revenue, traversing multiple diverse communications channels, systems, applications and even international borders, all in the name of trade. In most cases such transactions may be represented only by a logical string made up of 1s and 0s. Thus, with the right, or should I say wrong, person or persons in the process, this could manifest into long-term nibbling by miscreant actions, levering open some backdoors you suspected, and others you were not aware of!
So what’s the issue? When Willie Sutton (AKA The Actor, and Slick Willie) was asked why he robbed banks, he is reported to have replied, “Because that’s where the money is”. So, considering today's business landscape, and using some imagination to understand where potential risks exist or may attract internal or external attention, one may conclude that internal banking systems, treasury departments and their associated systems and processes represent very rich pickings for an insider!
So just where does a business start to enhance its controls and security profile to keep its financial assets safe? What should be encompassed in the security plan? The first and most important fact to accept is that new-age threats no longer work in isolation but are in most cases presented in a profile of convergence. As an example, history can attest that internal attacks do converge, being driven by the interests of elements such as serious and organised crime, social engineering, personal compromise and even ideology. In turn, these may be aligned to the misuse and abuse of electronic data processing systems and applications, and to the misdirection of communications and transfers, which in most cases have the objective of illicitly rerouting funds, goods or services to some waiting endpoint. Thus it is important to keep an open mind and consider all threats in their many guises, and the possibility of them being converged.
OK, now back to some of those internal corporate silos, against a backdrop of modern-day converged threats. At this juncture it may be appropriate to punch some holes between the various areas of operational and administrative ownership, examples of which are:
Physical Security
Human Resources
Data Protection
Internal Audit
Information Technology
Telephony
Partners and Outsourced areas
The Business
These various operational and administrative domains each clearly have their part to play in securing the business and the extended operational enterprise, and there is no doubt that within their own ownership domains and disciplines they are very effective at delivering their focused services in support of the business mission. However, the problems the silo effect can present are a lack of communication, a lack of a holistic view and, quite simply, an approach devoid of any joined-up thinking. There are many real-life examples in both the private and public sectors where, for example, the physical security division does not freely communicate with IT, where IT does not have close operational relationships with Human Resources, or where the business deals with its own security challenges within the department.
As an example, take an event encountered in the private sector, in a business we shall refer to as Organisation A. Organisation A followed very strict disciplines, where the various areas of physical security, IT and so on were very much owned and dealt with by designated responsible managers. One Monday morning the Facilities and Physical Security service desk received a call from a senior member of the Accounts department, reporting the theft of a 32 GB USB drive containing business accounting information. A scripted, process-driven response was followed: the caller was asked for their details, when and where the item was stolen from, and to confirm that the incident had been reported to the police, so as to ascertain whether the reporter had a crime reference number. At the end of the brief conversation, as it was the Facilities department that managed assets such as portable media, the user was advised to notify their immediate line manager so that a new asset could be issued. This was done, and within 24 hours the newly supplied, much larger drive was again populated with critical business and accounting information assets, and all was well.

However, I am sure that the security-savvy amongst the readers have seen the black holes. What was the value and sensitivity of the information asset(s)? Were they encrypted? Did this incident present any potential to impact reputation? Just in case you are wondering, the drive contained 15 GB of the most sensitive accounting information assets, and they were NOT encrypted! Even more worrying, the person who had lost the drive was in fact leaving the organisation at the end of that calendar month!
In the real-life scenario outlined above, it soon becomes clear that there was a very real and immediate need for a converged response encompassing Physical/Facilities, IT, Human Resources and the business area concerned. Such a converged response creates opportunities to leverage and take value-add input from each owner area to protect the business. A further advantage of achieving a holistic view from such a partnership of responders is that everybody learns from the event; in other words, joined-up thinking.
Thus, accepting that in the modern operational enterprise business-critical and sensitive information assets are spread across multiple systems, PCs, workstations and, at times, handheld devices such as smartphones, it is equally important to ensure that commensurate and appropriate access controls and tracking are in place. Do you care if Dave or Julie from the Accounts or Treasury department accesses, moves, renames or copies sensitive account files early one Monday morning? Should you care if such information assets are mailed out of the organisation to a personal Google account? In all of the above, I feel most, if not all, CFOs would require clarification that an agreed set of security policies and controls had been deployed to serve the business with security.
It is asserted that most businesses would wish to have secure and appropriate access rights and access controls in place, and that access to and manipulation of sensitive and critical information assets would be accompanied by high levels of visibility and tracking. It is a further assertion that most responsible organisations would require deployed technological solutions and associated processes to underpin the tracking of actions, leading to accountability and, where necessary, supporting forensic first-responder activity for the purpose of follow-up investigations.
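To make the tracking questions above concrete, here is an added example that is not part of the original article: a small Python script that applies joined-up thinking to three silos' records at once, the file-server audit trail (IT), the mail-gateway log (IT/Telephony) and the HR leaver list (Human Resources). On their own, an early-morning copy of a spreadsheet or an attachment to a webmail address is a weak signal; the same user appearing in several silos while serving notice is what a converged response should surface. The log formats, usernames, UNC paths, business hours, thresholds and the list of personal webmail domains are all constructed assumptions for illustration, not from any real system.

```python
"""Converged insider-risk triage over constructed audit records.

Joins file-server audit events, mail-gateway records and the HR leaver
list, so that a user who trips several weak signals (and is on notice)
is scored higher than any one silo could score them alone.
"""
from collections import defaultdict
from datetime import datetime, time

# --- Constructed sample data; not real logs ---------------------------------
# Assumed file-audit format: ISO timestamp | user | action | UNC path | label
FILE_AUDIT = r"""
2017-03-13T06:12:41 dave.m  COPY   \\fs01\finance\ledger_q4.xlsx    CONFIDENTIAL
2017-03-13T06:13:05 dave.m  COPY   \\fs01\finance\payroll_mar.xlsx  CONFIDENTIAL
2017-03-13T06:13:20 dave.m  RENAME \\fs01\finance\treasury_fx.xlsx  CONFIDENTIAL
2017-03-13T09:40:10 julie.r READ   \\fs01\finance\ledger_q4.xlsx    CONFIDENTIAL
2017-03-13T10:05:00 tom.b   COPY   \\fs01\public\canteen_menu.docx  PUBLIC
"""

# Assumed mail-gateway format: ISO timestamp | sender | recipient | ATTACH/NOATTACH
MAIL_LOG = r"""
2017-03-13T06:20:02 dave.m  dave.personal@gmail.com      ATTACH
2017-03-13T11:02:44 julie.r supplier@acme-invoices.co.uk ATTACH
2017-03-13T12:30:00 tom.b   tom.b@example-corp.com       NOATTACH
"""

# HR leaver list (constructed): user -> last working day.
LEAVERS = {"dave.m": "2017-03-31"}

# Tunable assumptions for this example.
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "hotmail.com", "outlook.com", "yahoo.com"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
BULK_THRESHOLD = 3          # copy/move/rename operations on labelled files
HANDLING_ACTIONS = {"COPY", "MOVE", "RENAME"}


def is_out_of_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed business window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() <= BUSINESS_END)


def parse_file_audit(text: str):
    for line in text.strip().splitlines():
        ts, user, action, path, label = line.split()
        yield datetime.fromisoformat(ts), user, action, path, label


def parse_mail_log(text: str):
    for line in text.strip().splitlines():
        ts, sender, recipient, attach = line.split()
        yield datetime.fromisoformat(ts), sender, recipient, attach == "ATTACH"


def assess(file_audit: str, mail_log: str, leavers: dict) -> dict:
    """Return {user: {rules, details, leaver, score, severity}} for users with signals."""
    details = defaultdict(dict)          # user -> rule name -> human-readable detail
    out_of_hours = defaultdict(int)
    handling = defaultdict(int)

    for ts, user, action, _path, label in parse_file_audit(file_audit):
        if label == "PUBLIC":            # only labelled (non-public) assets matter here
            continue
        if is_out_of_hours(ts):
            out_of_hours[user] += 1
        if action in HANDLING_ACTIONS:
            handling[user] += 1

    for user, n in out_of_hours.items():
        details[user]["OUT_OF_HOURS"] = (
            f"{n} sensitive file action(s) outside "
            f"{BUSINESS_START:%H:%M}-{BUSINESS_END:%H:%M} or at the weekend")
    for user, n in handling.items():
        if n >= BULK_THRESHOLD:
            details[user]["BULK_HANDLING"] = f"{n} copy/move/rename operations on labelled files"

    for _ts, sender, recipient, attach in parse_mail_log(mail_log):
        domain = recipient.rsplit("@", 1)[-1].lower()
        if attach and domain in PERSONAL_DOMAINS:
            details[sender]["PERSONAL_WEBMAIL"] = f"attachment sent to {recipient}"

    report = {}
    for user, rules in details.items():
        leaving = leavers.get(user)
        # Convergence: each distinct silo signal adds one; being on notice (HR) adds one more.
        score = len(rules) + (1 if leaving else 0)
        severity = "critical" if score >= 3 else "high" if score == 2 else "low"
        report[user] = {"rules": sorted(rules), "details": dict(rules),
                        "leaver": leaving, "score": score, "severity": severity}
    return report


if __name__ == "__main__":
    for user, r in assess(FILE_AUDIT, MAIL_LOG, LEAVERS).items():
        print(f"{user}: {r['severity']} (score {r['score']}, leaving {r['leaver']})")
        for rule, why in r["details"].items():
            print(f"  - {rule}: {why}")
```

Each rule on its own would be noise in most finance teams; the point of the script is the last loop, where the HR leaver date raises a user already flagged by IT and mail records to "critical", which is the trigger for the converged response (Facilities, IT, HR and the business area) the article argues for. In a real deployment the three inputs would be fed from the respective systems rather than embedded, and the thresholds and domain list tuned to the organisation.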
With a model of converged response capabilities deployed, drawing on the security resources and disciplines of a virtual security team, it is possible to increase the intrinsic value of the overall security mission to the complete advantage of the business. Add to these the technological capabilities of first-responder digital forensics and reporting and, whilst they will not enable 100% security, they will give the business a significant uplift to the overall security mission to preserve and secure the integrity of the organisation. Furthermore, such an approach will equip the business with real-time and timely response capabilities to detect any adverse matters of security interest before they have a chance to take a big bite out of the corporate apple. With what we now know, in this age of converged threats, anything less will simply not suffice.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.