Cyber Security

One area we have been involved with for many years is cyber security, but for obvious reasons we have not been able to say much about our clients' experiences.

However, now that this topic is so relevant to all businesses in the post-Snowden era, we feel it is important to at least make some general observations on network and operational security.

Back in 2010 the then head of the NSA's Information Assurance Directorate made the point that there were only two types of network - those that had been compromised and the owners knew it, and those that had been compromised but the owners did not realise it.

Now you might feel that's a bit extreme but on reflection it's not a bad starting point for LAN & WAN security.

The point Debora Plunkett of the NSA was making is that any business should assume its security will be compromised one day and that there is no such thing as total security. The clever stuff is in knowing how you will respond to an incident when it happens. You also need some way of monitoring to find out when you've been hacked before all your customer credit card details or payroll turn up on Pastebin!

So what can you do?

First, adopt an approach which accepts that hacking of networks is now big business and no longer the domain of spotty 16-year-olds in bedrooms. Certainly this sort of attack still goes on, but the big money and effort are in organised crime and state-sponsored hacking, and are likely to remain so. Credit card details, bank accounts, verified addresses, sales contracts and so on are all targets.

Make sure the approach of staff to computers in the workplace includes an element of Operational Security - OpSec. Get them to understand that a USB key can bring down the entire company if it carries a Trojan. Make them aware of phishing attacks and how to detect them. Get them to question what they see on screen and how they respond.

No amount of technology in the form of firewalls, IDS (Intrusion Detection Systems) or Global Lockdown Policies can equal a thoughtful employee who notices odd behaviour on his or her computer.

If you are interested in our experience in this area, we are happy to say we've worked on incidents in offices and on sites ranging from a handful of lawyers to country-spanning multinationals, as well as Government departments. We would say that in every case, whilst there is never a guarantee of protection if one is connected to the Internet, there is always a process and procedure for managing the attack when it comes - as it surely will.