Why should it be a business priority?
October is Cybersecurity Awareness Month. But what is cybersecurity, and why is it important? We’ve covered a multitude of topics that fall under this description, but we thought it would be useful to go back to basics and review exactly why cybersecurity has become a key organisational priority. If it is not currently a pressing matter on your board agenda, we hope this article will convince you that it should be.
What is it and how long has it been around?
“Cyber” as a prefix has slipped into our vocabulary almost unnoticed. The first recorded use of the word “cybersecurity” was in 1989. “Cyberspace” predates it by some seven years. “Cybercrime” “cyberattack”, “cyberart”, and many other derivatives soon followed. If you’re tempted to write “cybersecurity” as two words, you won’t be technically wrong, as the word has not yet “settled” in our language. But the Oxford English Dictionary (OED), Merriam-Webster Dictionary and US National Institute of Standards and Technology (NIST) all favour a single word.
What does cybersecurity mean? Conduct an online search for “what is cybersecurity?” and you’ll get as many different definitions as you will results. The OED defines it as: “The state of being protected against the criminal or unauthorised use of electronic data, or the measures taken to achieve this.” The NIST definition is more succinct and all-encompassing: “The ability to protect or defend the use of cyberspace from cyberattacks.”
Although cybersecurity is sometimes used interchangeably with “network security” and “information security”, NIST differentiates between these terms. Information security is “the protection of information systems from unauthorised access…to provide confidentiality, integrity, and availability.” Information security refers to all information assets, whether hard copy or digital. Network security “protects network traffic by controlling incoming and outgoing connections to prevent threats from entering or spreading on the network.” Next time your IT manager is briefing you on the state of your IT security, you’ll know what they are talking about.
A brief history of cybersecurity
The word might have been coined in 1989, but the concept emerged as early as the 1970s. The first computer “worm” was created in 1971 by Bob Thomas at BBN Technologies in Massachusetts. It was called “Creeper” and is famous for displaying the message, “I’m the creeper, catch me if you can!” It infected DEC PDP-10 computers running on an operating system called TENEX. In 1988, Cornell University graduate student Robert T Morris created the first internet worm. He was also probably the first recognised cybercriminal, being the first to be convicted under the Computer Fraud and Abuse Act in the US in July 1989.
Morris was curious about the size of the internet and created a worm to measure it. The aim was to infect UNIX systems in such a way that he could count the total number of connections on the web. He designed the program to infiltrate UNIX terminals and replicate itself. However, a programming error meant that the worm behaved aggressively, clogged networks, caused systems to crash, and slowed the internet to a crawl. It is considered one of the first programs designed intentionally to exploit system vulnerabilities.
This marked the beginning of both cybercrime and cybersecurity, as unscrupulous computer scientists began developing more “effective” worms and viruses. In turn, antivirus solutions emerged. Those of a certain age may remember purchasing antivirus protection for home pcs, updating the software annually or only slightly more often – unbelievably infrequently in today’s terms.
What needs protecting?
As our use of information technology becomes more sophisticated and more pervasive, the breadth and depth of protection required to continue to expand. We’ve written at some length about the importance of protecting your IoT-connected devices. Just over 20 years ago, no one had heard of the Internet of Things. (Although there are some examples dating back to the 80s, the concept was named in 1999 and only emerged as a recognisable system c. 2013.) Now connected devices represent a significant threat as entry points to your network.
Elements of comprehensive cybersecurity include:
- Network security (discussed above)
- Application security – regularly updating your apps
- Endpoint security – securing remote access points to your network (particularly important as more employees are working from home; this includes IoT devices discussed above)
- Data security – protecting your company and customer information (even more important since POPIA came into effect on 1 July 2020)
- Identity management – managing the access levels for all individuals in the organisation
- Database and infrastructure security – databases underpin everything in a network; they need to be kept secure, and your hardware and devices need to be protected against theft and loss
- Cloud security – protecting your data in an online environment
- Mobile security – cell phones and tablets present their own security challenges
- Disaster recover/business continuity planning – what you will do if you suffer a data breach, cyberattack or business disaster such as a fire?
As this list shows, cybersecurity encompasses much more than just keeping your website safe from DDOS strikes or educating employees about phishing attacks.
What are the risks of inadequate cybersecurity?
Effective cybersecurity is critical in the running of a successful organisation, whether commercial or otherwise. As the majority of business processes are automated, and almost all customer/client information is held electronically, trade can literally grind to a halt when systems go down.
To understand the importance of cybersecurity, we need to consider the risks you face in its absence. Cybersecurity does not give you productivity gains in the way that certain apps or software packages do; it protects you from losses, some of which could be catastrophic. The cost of a cyberattack can be substantial, in terms of lost business, recovery costs, and even regulatory fines. If you suffer a ransomware attack and elect to pay the ransom, you could be looking at millions or even hundreds of millions of rands’ worth of loss. If you experience a data breach and your customers’ personal information is exposed, you could suffer considerable damage to your reputation.
Hackers and threat actors are gaining in sophistication and cyberattacks are on the increase, with new tactics springing up all the time. Cybercrime is now big business, and fighting it is a job for specialists. It is not an activity that can be tacked onto a busy IT manager’s job description.
Furthermore, investors, customers, suppliers and other stakeholders expect to see cyber risk strategies as part of IT governance. Boards need assurance from their management that risks have been thoroughly considered, and containment measures are in place, and those boards, in turn, are accountable to shareholders/stakeholders. A company without cyber risk management and robust cybersecurity is a poor investment prospect.
Because not all organisations face the same risks, a one-size-fits-all cybersecurity package is not appropriate. It makes more sense to review your risks on a regular basis and assess the suitability of your current security measures relative to the constantly evolving threat landscape. It is a waste of resources, both financial and human, to expend energy on protecting your organisation from threats that are irrelevant to you. A risk-based approach means your regular reviews will identify new risks as they emerge, for example, if you add new IoT devices or begin to allow employees to connect their own devices to your network (a practice called “BYOD” – “bring your own device”).
How do you know if your cybersecurity is adequate?
No system can ever be 100% secure. Threat actors are simply too many, too prolific and too technologically advanced for the security industry to mitigate every risk there is. To manage risks within your risk appetite, you need to undertake a vulnerability assessment. You need to know your vulnerabilities and the threats that might exploit them to understand the risks you face. Then you can decide whether to tolerate a particular risk, treat it by implementing security controls or remove it altogether by eliminating the activity giving rise to the risk. You can also share risk via insurance.
Cybersecurity – not just for big business
Whatever the size or nature of your organisation, cybersecurity is vital to your success. It isn’t just large companies like Garmin and Honda that fall prey to ransomware attacks. Organisations of every description – for-profit, government and non-profit alike – are regularly victims of various types of malware. According to Mimecast, in an eight-day period in July this year, in South Africa alone, there were more than 116,000 attacks by threat actors. Small companies are sometimes targeted precisely because their security is weaker, and they are easy targets. Poor cybersecurity exposes you to the risk of financial loss, reputation damage, regulatory sanction, loss of investor confidence, and customer dissatisfaction. You can’t afford to ignore it.