Cyber Security is not about technology. Cyber Security is about managing a corporate risk, and that means assessing it as a whole (People, Process and Technology) and putting in place the correct level of mitigation. When I read about Cyber Security all I seem to see is technology that I need to buy to prevent bad people gaining access to my network, PC, Tablet or Phone. Technology is one element and, to my mind, something the technologist should be left to once the risk is evaluated and understood. Without understanding the risks, it is easy to spend a fortune on the latest cyber-proof widgimewit which is actually unnecessary for your level of risk and isn’t doing much for you.
One area I see constantly neglected is staff training. When I first started to work in an office, we were fairly good at managing and protecting our information. We were trained on the filing system, and cabinets and offices were locked at the end of the day. If a file was loaned, tracers were used, and the office I worked in used a marking system so we knew how much of various pieces of information we could share, which I understand was common practice in most large companies. If you dared mess up the filing, not complete a tracer card or not enter a new document into the register, you risked the wrath of the office manager.
With the use of electronic filing systems, discipline seems to have gone out of the window, along with the training that went with it. After all, the technology will take care of it, won’t it? No. And these bright young people we employ will work it out for themselves, won’t they? No. The technology not only brings with it a potential for poor information management processes, it also brings additional information security headaches, and they can’t all be solved with technology.
Take the recent example of Lincolnshire County Council. Last week they experienced the dread of a ransomware attack: a piece of malicious software that scrambles the data on computers, rendering it useless. For a fee, the attackers claimed, they would provide the key to unscramble the data. It was reported that the council did not pay the ransom. That was the right thing to do, but they subsequently spent considerable time fixing the problem, during which no IT was available and, effectively, business was suspended. This must have cost the Council not only cash but also damage to their reputation. What caused the problem? A link in an email was clicked by a member of staff and this triggered the malware.
I have to say, there but for the grace of God go I. Only this week I was nearly fooled by one of these emails, but the knowledge I have makes me a little more cautious and makes me always have a second read. It is time that we re-instilled the discipline and training that we used to have around information. I am not saying that training would have prevented the particular incident in Lincoln, but it could have.