Tech leaders have long been telling anybody who will listen that the biggest cyber security threat they face is not state-sponsored, geopolitical or clandestine. It is in fact much closer to home.
Take, as evidence, the latest research by IT Governance’s Boardroom Cyber Watch 2013 survey. Accordingly, 53 per cent of senior company executives said the main risk to corporate data and computer systems is from their own employees. A case of human error, carelessness or ignorance? In some cases it’s a combination of all three.
By comparison 27 per cent cited cyber criminals, 12 per cent state-sponsored cyber attackers and 8 per cent competitors as the biggest single security peril.
The report was published in the same week that NHS Surrey was fined £200,000 after a hard drive full of data was bought on eBay . The hard drive contained 3,000 patient files. Coincidence of timing? Those IT managers and directors that warn of the malign influence of the “accidental cyber criminal” think not. Here was just another case of serious data loss that had very little to do with hardened criminals or criminal states.
The survey is a useful antidote to the mainstream coverage of cyber security in the past weeks and months. That’s not to down play those forms of threat and the publication of the government’s cyber security strategy in February is evidence of how seriously the risks are taken. A quarter of the 260 respondents to the IT Governance survey said their company had come under a “concerted attack” over the last year. Another quarter (the same quarter?) admitted that fear of attack kept them awake at night.
Chloe Smith, minister with responsibility for cyber security (yes, there is such a role) told a recent Prospect roundtable debate: “I don’t think there has to be a trade-off between being skilful online and being able to deal with these threats. It should be the same thing.”
All this notwithstanding, the propensity of human error-induced risks does suggest that, as measured by column inches, most people are looking in the wrong place. The accidental cyber criminal may be a less interesting story but it is, for most organisations, a more significant one.
As we’ve noted before the answer to cyber security threats “is as much about policy and due diligence as it is about the underlying technology. And as always for the IT department it’s about managing expectations upwards.”
This is reflected in the comments of IT Governance CEO Alan Calder:
“Companies are not ignorant of the risks: 77% of bosses told us their organisation has a method for detecting and reporting attacks or incidents. However, in the boardroom, many companies still appear too removed from the action for directors to meet their governance obligations.”
Whether it is the role of the directors to ensure they are less “removed” or the IT department to keep them more involved is another question. A combination of the two would appear sensible; IT representation on the board even more so.
In that earlier post we suggested that if unwanted access was the biggest threat, then a couple of obvious stress points in modern computing architecture are co-location and mobility. For NHS Surrey the point of stress, according to the information commissioner’s office, was an ill-advised outsourcing deal.
“The result was that patients’ information was effectively being sold online. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case,” said Stephen Eckersley, the ICO’s head of enforcement.
-Ashley Gatehouse