
Posted on 2025-01-08 by Nathan Jarvie in Industry
Cyber Security is, without a doubt, the fastest growing concern of any business in the modern age. Major breaches are reported daily, many of which have a significant impact on their customers. I’m often struck by how much opportunity there is to enhance executives’ understanding of the cyber threats their organisations face.
A good Cyber Security culture starts at the top, and a little knowledge can go a long way to protecting every aspect of the business. When a business leader has a fundamental understanding of Cyber Security the culture of the business shifts and permeates through the rest of their department.
In this blog we will go over some Cyber Security basics that every business leader needs to understand.
Executive summary (TL;DR)
Cyber Security risks are just business risks wearing different clothes. When managed this way, business leaders are able to better utilise resources and determine a course of action if required. When business leaders take an interest in Cyber Security, so too does the rest of the business. Attacks like phishing become far less likely to be successful. Notably, this works in reverse with business leaders palming off Cyber Security issues to others as it’s “too hard” or “someone else’s responsibility” (normally the IT Team), leaving holes that can be exploited.
The CIA Triad is a Cyber Security concept in which the Confidentiality, Integrity, and Availability of resources are weighed. Each department will have different priorities in order to function optimally. A department such as Human Resources will place a higher priority on Confidentiality and Integrity, whereas emergency services will place their priority on Availability.
With this in mind, cyber risk is managed in the same way as any other business risk, by assessing how a cyber event may impact the CIA of the target resource, and how likely that is to occur. This then determines the amount of resources the business is willing to commit to resolve the issue.
There are steps that can be taken, such as working the business towards adherence to a Cyber Security framework like NIST or the ACSC’s Essential 8. While compliance with these frameworks does not make the business invulnerable to cyber attacks, it does make attacks less likely to succeed, and provides guidance on what preemptive steps can be taken.
A little knowledge goes a long way
This blog is not designed to make you an expert in 10 minutes, but rather to help you understand how Cyber Security may impact your corner of the business. Whether that is finance, human resources, development or inventory, every business leader needs to have a basic understanding of Cyber Security risks. I am not saying every leader needs to be a Cyber Security expert. Far from it. But understanding the fundamentals can help to make better business decisions.
Let’s use an example.
A warehouse manager for a major retailer, whose job it is to manage both the stock and personnel of that warehouse, may consider IT and Cyber Security incidents to be outside of their realm of responsibility. However, they do understand:
- How much stock they have on hand.
- What the value of that stock is.
- Who their staff are.
- Who is authorised for what action or access.
- How deliveries and shipments are handled.
In regards to Cyber Security, they may also know that if the systems go down for a period of time that will cost the business a certain amount per hour; or that if the inventory management software has incorrect stock levels, that may trigger a response (such as a stock take or investigation).
Now let’s say there is a known vulnerability in this inventory management software that allows a malicious user to arbitrarily modify stock levels. Inventory may start going missing while the software continues to show the expected stock levels, costing the business money in lost product. This is undoubtedly a Cyber Security issue, but the warehouse manager would surely want to know about it to ensure it has not been exploited, as this is happening within their realm of responsibility.
The basics
Cyber security is largely common sense wrapped up in jargon and complex concepts. This makes the prospect of understanding it daunting for anyone who doesn’t come from an IT background (and even many who do). But once you get past the jargon a bit, the rest of it is relatively straightforward. Cyber Security risk is simply a subset of business risk. It is managed in the same way. Business leaders do not need to understand every way a hacker may infiltrate their systems, but when considering Cyber Security risks they do need to understand how their department runs and ask the questions:
- What happens if someone was to steal the data on these systems?
- What happens if the systems stop working?
- What happens if the data on this system is inaccurate?
The aim of the game is to protect the business against attacks that prevent the business from functioning optimally. This may be:
- Intellectual property
- Payroll and finances
- Databases of client information
- Assets, etc.
Protecting these components prevents impacts to operations and financial or reputational damage.
Often when a penetration test has been performed, or a Cyber Security incident has occurred, remediation is required. This will impact the responsible department in some way. Understanding why the remediation is taking place is better than just “because the security team says so”.
This all starts with understanding the CIA triad, and how it relates to your corner of the business.
The CIA Triad
CIA stands for Confidentiality, Integrity, and Availability, and the CIA triad is the pillar of all Cyber Security. The concept is that risk is assessed based on which of these aspects it will impact.
- Confidentiality - Data stored on the systems cannot be read or accessed by unauthorised individuals. This is key in protecting sensitive data such as Personally Identifiable Information (PII).
- Integrity - The data cannot be changed or altered by an unauthorised individual and will remain accurate at all times. This also applies to ensuring the data comes from a reputable source and has not been tampered with in transit. This is essential for accuracy and can be critical to operations.
- Availability - Ensuring the data is accessible by authorised users whenever it is required. A loss of availability may cause operations to cease, resulting in losses.
Image credit: Geeksforgeeks.org
While Cyber Security teams will try to balance all three aspects to the best of their ability, not every business will prioritise all aspects of the triad. In fact, each department of the business will have different priorities entirely. While it is in the best interest of the business to attempt to cover all three, it may not be practical. This impacts which decisions can be made and what resources can be allocated to them.
Example time.
A hospital will generally prioritise the integrity of data and the availability of systems over the confidentiality of the stored data. This does not mean they do not care about it and will not do everything they can to ensure the data remains confidential, but there is a big difference between a patient’s medical data leaking to the public (confidentiality) and a malicious user changing the patient’s blood type and allergies (integrity) which may result in a loss of life. Likewise, if the HVAC system was to be taken offline that could result in unsafe conditions for patients and staff and compromised test samples and medications, which need to be kept at the right temperature.
However, a business working in research and development for the military would be more interested in the confidentiality of their intellectual property. While the systems going down for a period (availability) may be inconvenient, or historical data of old projects becoming corrupted (integrity) may be an issue, it would not end business operations.
Understanding which aspects most impact your roles and responsibilities can help you to prioritise Cyber Security efforts and make more informed decisions.
For more information on the CIA triad, Wikipedia is actually a great resource.
Cyber security risk vs Business risk
With an understanding of the CIA triad under our belt, we can start dealing with risks. Cyber Security risks are often measured by their impact against the target system. What they do not do is take business context into account. Cyber risk is a subset of business risk, and the risk rating will change when put into the context of a business. This means that not every Cyber Security “Critical” means the sky is falling; it is important to think about the impact in the context of your business and department. A ransomware attack against the business, rendering all systems inoperable, will have a different impact depending on the business, or even department, function. One of our clients once told us:
If our systems are down, that is bad, but it would not prevent us from building a tower and completing the project. However, a critical risk to the business would be loss of life onsite. That would shut down construction and have immeasurable cost on the family and colleagues.
This means that a “Critical risk”, according to a third-party Cyber Security professional, may be awarded a lower risk rating when put in the context of your business. As more information about the context is learned, the initial rating is shown to be inaccurate and is revised. Conversely, a lower risk vulnerability, such as the ability to modify data stating a safety check has been completed when it has not, would increase from a Medium to a Critical.
With that in mind you can apply the business or department’s risk matrix to cyber security with a few adjustments.
Impact
The same logic applied to any other risk to the business is applied here. We take the vulnerability or event, and we determine the possible outcome in the context of the business. Some example impacts on a Human Resources department may be:
Impact rating | Event | Description
---|---|---
Critical | Total breach of HR management system due to a successful phishing attack. | All employee PII leaked including payroll details, addresses, phone numbers, etc., leading to possible identity theft of all staff and significant damages to the company (legal, financial and reputational).
Severe | Payroll details for all staff leaked externally via a malicious insider. | Internal sensitive documents for the company are leaked to the media disclosing remuneration for all employees, causing significant reputational damage and possible legal action.
Moderate | Employee contracts are discovered in a file share that is accessible by all staff. | This may result in some discourse and internal issues that can be resolved by the HR department, but may take some time.
Low | An unauthorised list of all staff members is found on the company website. | This information may not be public knowledge but does not, in itself, pose a risk to the users affected.
Other examples may include:
- How much monetary loss the business can sustain.
- How much data can be lost before it impacts operations.
- How much downtime the business/department can afford.
- Whether or not an event may cause injury or loss of life.
Likelihood
We also need to factor in the likelihood of an event occurring. In the context of Cyber Security that is determined by a number of factors:
- Where could the attack come from? - Attacks that can be performed remotely are afforded a higher likelihood than one that requires physical access to the office.
- How complicated is the attack to perform? - Attacks range in complexity, and some are more difficult to execute than others. They may have a higher rate of detection, making them less likely to be attempted.
- Are there mitigating factors in play? - Security controls that can be placed in front of a vulnerable target (known as compensating controls) may assist in preventing some attacks by blocking certain activities. This makes the attack less likely to succeed.
- What resources are required? - Some attacks require specific prerequisites to be performed, such as an authorised account.
While many of these questions require expert knowledge in Cyber Security to answer, they can really be broken down into two main points:
- Is it publicly accessible?
- Can it be prevented?
A likelihood key for a cyber risk matrix may look something like this:
- Likely - The service is externally accessible and the public can create or obtain any prerequisites without company approval. (E.g. can create an account)
- Possible - The service is externally accessible but an attacker would need to perform extra work to gain access. (E.g. phishing for credentials or bypassing implemented security controls)
- Unlikely - The service is not externally accessible but can be accessed by any user within the network. Or it is externally accessible but there is a security control in place proven to prevent the attack.
- Rare - The service is not externally accessible and requires specific prerequisites.
From here you can integrate cyber risk into your risk matrix. This puts you in a position where you can more accurately decide on which risks are worth your time and resources, and which the company is willing to accept.
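To make the likelihood key and the risk matrix concrete, here is an added worked example (not code from the original post or from Volkis). It encodes the four likelihood levels above as a function of the two questions the article reduces them to, then combines likelihood with the department’s own impact rating to re-rate two constructed findings: a third-party “Critical” that drops once a proven control and modest business impact are considered, and the safety-check “Medium” that rises to Critical. The 4x4 scoring scheme, its thresholds and both findings are my own assumptions, not the article’s.

```python
"""Worked cyber risk matrix (added example; not from the original post).

Assumptions (mine, not the article's): the rank-product scoring scheme and
its thresholds, and the two constructed findings at the bottom.
"""
from dataclasses import dataclass

LIKELIHOOD_ORDER = ["Rare", "Unlikely", "Possible", "Likely"]
IMPACT_ORDER = ["Low", "Moderate", "Severe", "Critical"]


@dataclass
class Exposure:
    """Answers to the two questions the article reduces likelihood to:
    is it publicly accessible, and can it be prevented?"""
    externally_accessible: bool
    prerequisites_public: bool = False     # anyone can obtain them, e.g. self-signup
    proven_control: bool = False           # a compensating control shown to block the attack
    specific_prerequisites: bool = False   # e.g. an authorised internal account


def likelihood(e: Exposure) -> str:
    """Map an Exposure onto the article's likelihood key."""
    if e.externally_accessible:
        if e.proven_control:
            return "Unlikely"   # reachable, but a control is proven to prevent the attack
        if e.prerequisites_public:
            return "Likely"     # reachable and anyone can get what the attack needs
        return "Possible"       # reachable, but extra work such as phishing is needed
    if e.specific_prerequisites:
        return "Rare"           # internal only and needs something specific
    return "Unlikely"           # internal only, but any network user could do it


def risk_rating(likelihood_level: str, impact_level: str) -> str:
    """Combine likelihood and business impact into one rating.
    Assumed scheme: score = likelihood rank x impact rank (1..16)."""
    score = (LIKELIHOOD_ORDER.index(likelihood_level) + 1) * \
            (IMPACT_ORDER.index(impact_level) + 1)
    if score >= 12:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    title: str
    cia_aspect: str            # Confidentiality, Integrity or Availability
    tester_rating: str         # rating given by the third party, without business context
    exposure: Exposure
    business_impact: str       # impact rating from the department's own scale


def rerate(f: Finding) -> dict:
    """Re-rate a technical finding in business context and report the change."""
    lk = likelihood(f.exposure)
    return {
        "title": f.title,
        "aspect": f.cia_aspect,
        "tester_rating": f.tester_rating,
        "likelihood": lk,
        "business_rating": risk_rating(lk, f.business_impact),
    }


# Constructed findings (hypothetical) that mirror the two scenarios in the article.
FINDINGS = [
    Finding(
        title="Finding in internet-facing web app (tester: Critical)",
        cia_aspect="Confidentiality",
        tester_rating="Critical",
        # Externally accessible, but a control is proven to block the attack,
        # and the data behind it is of modest sensitivity for this department.
        exposure=Exposure(externally_accessible=True, proven_control=True),
        business_impact="Moderate",
    ),
    Finding(
        title="Safety-check completion records can be modified (tester: Medium)",
        cia_aspect="Integrity",
        tester_rating="Medium",
        # Contractor portal reachable from the internet; an attacker would first
        # need a phished login. Falsified safety checks could cost lives.
        exposure=Exposure(externally_accessible=True),
        business_impact="Critical",
    ),
]


if __name__ == "__main__":
    for result in (rerate(f) for f in FINDINGS):
        print(f"{result['title']}: tester {result['tester_rating']} -> "
              f"likelihood {result['likelihood']}, business {result['business_rating']}")
```

The point of the example is the separation of concerns: the tester’s rating is kept as a data point, the likelihood comes from questions a department head can answer without technical expertise, and the impact comes from the department’s own scale, so the business rating is reproducible and can be revisited as context changes.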
Compliance
Cyber Security frameworks are essential for ensuring that businesses adhere to their legal and social responsibilities. While compliance with any particular framework does not ensure the business is secure from all attacks, it does ensure that the company has performed a baseline level of defence.
There are many different security frameworks (NIST Cybersecurity Framework, ISO 27001, etc.) that can be used by businesses to try to add some structure to their security plan. The ins and outs of those frameworks, and how to implement them are something best handled by experts in the field. However, there are some smaller, more practical ones that managers should at least have a read of.
One such example is the Australian Cyber Security Centre’s (ACSC) Essential 8. Essential 8 covers the initial stages of IT security and guidelines for developing Cyber Security maturity, but the most important points for any data owner (i.e. department leader) are:
- Access controls - who can access what and under what circumstances.
- Data backups - How this is managed and who is responsible for it.
The Essential 8 provides guidance on determining the department’s (and business’s) maturity against cyber threats and can help to determine a course of action to ensure department assets are protected. Like its bigger and more complicated cousins, the actual implementation of the recommendations in the guide is for experts to perform, but it does give some great guidance as to how and why department heads should take an interest in Cyber Security. Ultimately it is the business’ responsibility to ensure that all the data they manage is sufficiently protected. This includes ensuring:
- The data is secure from unauthorised access to prevent sensitive information from leaking both internally and externally and protect all staff and business operations (confidentiality).
- The data is accurate to ensure that trust in the department remains high and that tasks may be performed efficiently (integrity).
- The systems are available for relevant staff whenever they are required to ensure that the department operates as optimally as possible (availability).
More information on the ACSC’s Essential 8 can be found here:
Next steps
With the above under your belt, making decisions about Cyber Security and its associated risks should be easier. After all, Cyber Security risks are just business risks with extra jargon.
ACSC provides excellent documentation for learning more about the topic, which can be found here:
But most importantly, talk to your IT team about your current Cyber Security posture and feel free to contact us if you are not sure where to start.
About the author
Nathan is certification addict, he can’t stop and it’s becoming a problem. We can’t talk to him about it directly but consider this a call for help.