25 years ago
In 1993, we'd had PCs for a dozen years and Windows was just eight years old. Back then "cybersecurity" wasn't a well-known term; protecting against attacks was largely a case of installing an anti-virus programme and insisting on password-controlled access to computer systems. Break-ins were rare. Their impact was irritating, yes, but certainly not business-threatening. Any issues could generally be resolved by restoring a backup, and that was that. The impact of cybersecurity compliance on directors was minor; most didn't notice it at all.
In 2018, things are very different
The rewards available to those who commit cybersecurity attacks are much higher, and it's no longer an ego-driven activity undertaken by slightly sad individuals in darkened rooms. It's ruthlessly professional, frequently state-sponsored, and there is a great deal of it.
Our pervasive interconnectedness, a massive number of connected devices of all types, and the huge increase in transactions involving sensitive data mean that there is far more to target, and to protect, than ever before. Many organisations still think of themselves as safe from attack. In reality there are now two types of business: those that have suffered a cybersecurity breach and those that will soon suffer one. The question is when, not if, they will succumb.
Customers are much more sensitive about their personal data, who holds it and how it's used. If their broadband supplier suffers a major breach they will leave in large numbers, as Talk Talk learned to its cost after its 2015 breach. Cybersecurity is genuinely a business-critical issue.
Finally, legislation has changed. There has been blanket coverage of GDPR, and many data-sensitive industries have additional regulatory regimes on top of it, such as the rules the FCA enforces in financial services. There are ISO standards to follow to demonstrate compliance, and government-backed certification schemes such as Cyber Essentials too.
All of this means that cybersecurity must now be a boardroom issue, not only in the interests of the business running smoothly, but also because directors carry personal responsibilities to protect data, follow best practice and report any breaches.
How to handle this?
Firstly, this is absolutely not just an IT issue. It's a company-wide one: everyone is involved, and all their activities and compliance need to be monitored. Having up-to-date security systems and software isn't enough either; there is also a requirement to have up-to-date policies in place, and to have communicated them to staff.
Secondly, responsibility for cybersecurity cannot be outsourced to an external body. The GDPR is specifically written to make clear that both the data controller and the data processor have responsibilities to protect personal data, so engaging a third party to process it does not remove your own obligations. Everyone in the chain needs to have policies and cybersecurity protection in place.
Third, under GDPR a personal data breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it.
Finally, following the logic that every business will experience a cybersecurity breach at some point, it's very important to be able to demonstrate that policies, processes and tools are in place and up to date. Doing so will not only minimise the impact of a breach, it will also show that the regulations were being competently applied beforehand.
The Practical Problem
The practical reality of fulfilling all these requirements is very difficult to manage. There are software tools that monitor your computer systems and track staff behaviour, such as password compliance or anti-virus use. Others protect your Wi-Fi and wide area networks. More still filter incoming email for threats and monitor your websites for break-ins or hacks. On top of that, it's necessary to generate, and keep up to date, a range of compliance documents. It simply isn't possible to monitor everything all the time without considerable effort and skill.
That's the business problem that led Jon and Steve to found ThreatAware. Their goal was to make this morass of activity and checking simple and easy to understand and monitor, and to help directors demonstrate that they are following best practice.
ThreatAware is a tool that brings all those cybersecurity threads into one dashboard with easy-to-read colour coding: Red (take action), Amber (be aware) and Green (no issues).
Active checks bring the results of all those cybersecurity monitoring tools into one place and keep the results up to date in real time.
Operational checks manage the provision and updating of all the policies and processes required to comply with cybersecurity standards and regulations such as ISO 27001 and GDPR.
True Status indications keep every issue visible on the dashboard until ThreatAware knows it is fixed, not merely until it has been passed to an engineer.
Back to 1993?
Sadly, nothing ThreatAware can do will return us to 1993, running Windows 1.0 on the IBM PC. No one can make cybersecurity less of an issue, or remove the need to comply with all the directors' responsibilities that brings.
However, ThreatAware does make it much easier to monitor people, processes and tools: to minimise the risk of a breach, to limit its impact if or when one occurs, and to demonstrate good practice. Some progress at least!