Cyber security

Cyber-defence must be holistic

Published

Breaking down organisational silos is the only way to counter cyber-crime, says alumnus Dinos Kerigan-Kyrou.

In 2014 several of the countries that comprise NATO started to realise that cybersecurity attacks on business and industry were as much a security threat to the countries of NATO as anything posed by hostile militaries. Such cybersecurity threats can undermine the economic foundations of countries by destroying the companies that comprise their business community.

Cybercrime comes in many forms. 'Hacktivists' bombard companies and governments with coordinated attacks to bring down their websites. Ransomware locks down computer systems until a payment is made. And fraudulent online activity – targeting banks' customers and employees – costs vast amounts each year.

Even more worryingly, our critical infrastructure – including banks, our water supply, our electricity and fuel, our telecommunications, transport and health services – is becoming increasingly 'smart' and interconnected. This ‘Internet of Things' makes everything from monitoring your heart rate to running a power station much more efficient and productive. But it also produces cybersecurity vulnerabilities for those who want to cause harm. The former US Secretary of Defense, Leon Panetta, has spoken of a future terrorist attack on critical infrastructure as a possible ‘Cyber Pearl Harbor’.

Of equal concern is the cyber theft of Intellectual Property, happening right now ‘on an industrial scale’, according to GCHQ’s National Cyber Security Centre. This has the potential to wreck multi-billion dollar enterprises, ruin hundreds of thousands of jobs, and even to crash entire economies. It is a particular concern of the United States which sees such IP theft undermining its economy and therefore its national security, and it's why the threat was highlighted by President Obama in 2015.

A corporation such as a pharmaceutical company may invest up to $15 billion in the development of a new drug. A company, individual, organised criminal, or even a country, can manipulate the victim's systems with a fake communication, known as a spear phishing email. Once the hostile actor is in the victim's system it aims to remain hidden. This is why IP theft is such a concern. There's no flashing monitor, no demand for a ransom payment: the goal is to hide and watch what's going on, stealing data, development, and critical information at will. Even worse, there is increasing evidence that criminals are manipulating data as well. Research for a new drug, or for a new car engine, is increasingly stored, not in a lab or workshop, but in ones and zeros. This data can be manipulated in subtle yet massively destructive ways. Small changes to the victim's data can destroy years, and billions of dollars’ worth, of research.

As NATO, law enforcement agencies, Oxford University’s own cyber security network, and many other organisations have stressed, the vast majority of cybersecurity breaches are caused by ‘people and process, not technology’. Modern cybersecurity fraud is far more about social engineering and deception that it is about a smart 'hacker' penetrating into systems.  And yet most businesses and organisations persist in leaving the protection of critical information and data solely to their technical departments.

Of course the technical jobs of patching, firewalls, updating virus checks, and penetration testing will always remain vital. But they are simply not enough. Security needs to be central to every single business decision and process by every employee. It's not only an IT issue – it's an every person, every department issue.

When I participated on the Oxford Strategic Leadership Programme (OSLP) in 2007 I was introduced to the ‘Generally Agreed Management Principles’ of Professor Leonard R. Sayles. Even back in the 1960s Professor Sayles was hugely critical of the classic, hierarchical company, arguing that silos and isolated departments can wreck business performance and potential. This is even more true today. The company or organisation that divides into silos, functions and sectors is potentially at great risk of a cybersecurity breach. Conversely, a company that is organised and behaves holistically, where every employee is responsible for the company as a whole rather than 'their' individual sector is vastly more resilient and prepared.

OSLP also emphasised that leadership and development is about empowerment of employees and colleagues, encouraging them to take the lead and create solutions to problems themselves. One important security exercise, for example, is for an organisation to assume a breach has already occurred and encourage every single member of staff to identify anomalies.

Companies have to act holistically; they have to eliminate the idea of 'blame' or 'fault' for a cybersecurity breach and ensure that every employee is empowered, indeed rewarded, for identifying problems and anomalies at as early a stage as possible. If not, they are going to find it difficult, if not impossible, to address the new and ever developing cybersecurity risks they face.

Dinos Kerigan-Kyrou is an alumnus of the Oxford Strategic Leadership Programme.