
BETTER BUSINESS






Security is a relative term

No system is perfect. But Davis knows “that the amount of effort it takes to breach a system is proportional to the amount of effort taken to secure the site in the first place”. He cites one of the first ever recorded security breaches, where a website could be hacked by clicking with the mouse on a certain part of a web page in a public part of the site. Doing so revealed other customers’ details.

Moving on, Isbell talks of a process developed by Lockheed Martin that maps the stages of a cyberattack. Called the ‘Cyber Kill Chain’, he says that the steps involve reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and ‘actions on object’. “Each step,” says Isbell, “is required for the subsequent step to have a chance of being successful. Therefore, a security breach is not a single event or tool, though it often appears this way, but a combination of knowledge, skills and intelligence used in sequence to achieve the effect or outcome the threat actor wants to achieve.”

For him, the only way to achieve 100% security is for a system to not be connected to any form of external communications. He emphasises that cyber security is about managing risk: “This requires that we spend time evaluating and understanding the cyber environment and what it is we need to protect; it is not always the data that requires protection, but the systems themselves.”

Countering threats

As both Isbell and Davis detail, there is no easy way to counter cyber threats.

Apart from a company’s own systems, Isbell would also look at the supply chain, “especially where industrial processes may share data between firms”. For him, having a strategy is key, and for that to work “an understanding of the firm’s cyber ecosystem is essential... and not just focused on the data that resides on the various IT systems it may have”.

Davis, on the other hand, would create a budget and appoint someone at board level to maximise its use. He would bring in an independent consultant to consider where the budget should be spent. He also cautions against placing too much reliance on specific security products, “many of which are good, but which solve only the security issue that the particular vendor advertises”.

Staff training is something else to consider. While it’s not foolproof, the more staff training, the lower the probability that a staff member will introduce harm to the business.

But as Davis warns: “Training needs to be regular. There is little point in only training during induction week and then not following that training up with regular reminders… staff may be sent a malicious email containing a spurious link at any time.”

Isbell too values training. He says: “The most efficient and well understood security environments I have witnessed are where the company has worked to develop security as part of the culture of the organisation. A combination of carrot and stick is used to great effect without defaulting to a punitive strategy on what happens should a breach occur.”

And then there’s the option of placing a warning on every email which a staff member receives, warning them if an email has come from an external source and that it may be malicious. On this Davis thinks warnings are unlikely to be of much assistance – “it is likely to be ignored as the staff member is anxious to read the email not the header, let alone the repeat warning in the header”.

Crucially, Isbell recommends including cyber security breaches as part of business continuity disaster recovery planning: “Whilst some firms have been unable to continue after a cyberattack, those that have had a robust incident response plan have not only been able to recover but recovered faster and as a consequence, minimised the overall impact on the business and its operations.”

The risks from doing nothing

Firms that do nothing, and which suffer an attack, risk legal fallout. Davis points first to the fines for poor security under the civil part of the General Data Protection Regulations. He says that the probability of a fine is tiny, but the risk of criminal sanction under the GDPR is not: “Criminals, like regulators, have limited budgets and look for ‘low-hanging fruit’. If you can make your business more secure than your competitors, it will be enough to persuade some criminals to look elsewhere for a softer target.”

Beyond that, Isbell says that a firm that does nothing should expect to suffer a breach at some point, if they haven’t already. But apart from implementing security, he states that “it also requires some form of monitoring… and if no monitoring is implemented, the firm will not know it has been breached until the breach is made public by the threat actor”. And when this happens, there comes a natural question: who would trust an organisation that does not take security seriously?

Further, there’s the risk of corporate failure. Canada’s Nortel Networks Corporation filed for bankruptcy in 2009, having once been valued at a third of the entire worth of the Toronto Stock Exchange. Its technology and intellectual property had been stolen by Chinese hackers who had infiltrated the entirety of the company’s systems in 2000. The breach was discovered in 2004 but not fully cured by the time of the company’s bankruptcy. Davis says that the breach is widely regarded as being one of the prime causes of the company’s failure.

And then there was the case of Code Spaces, a hosting service, which, in 2014, had no recovery plan and consequently was unable to continue in business; Stuxnet, which resulted in the destruction of Iranian nuclear centrifuges; and an attack on Saudi oil company Aramco which, in 2012, resulted in the destruction of over 35,000 computers. Oil production was put at risk and the company had to resort to fax and typewriters.

In summary

So, when evaluating security and whether their business is a target, printers need to consider not just themselves but also their clients. They ought to consider what would happen if hackers were to gain access to systems: hackers could make more by not revealing that a breach had occurred, for example by introducing malware and seeing what was printed before it was published.

Management has been warned.

           www.printweekmena.com                                                                    October 2021 PrintWeek MENA 25