Posted 20 September, 2021 at 10:14
How important are policies and processes in comparison with technology, when it comes to Cyber Security and its sister discipline, data protection? The clue is that in Cyber Security we refer to People, Process and Technology, in that order.
Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike. This piece is all about policies and processes. First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, perhaps with a few modifications, before applying a tick in the box and moving on. Policies have to mean something and have a purpose. Many organisations I go to have either some very scant policies or, actually, none at all.
I often talk about risk in terms of cyber security and how managing that risk is extremely important. That means understanding what those risks actually are, and then taking steps to mitigate them. When I talk about this, I can often see the wheels turning: the audience is thinking about technology and how much it is going to cost them. Well, it’s very often the case that technology is not the answer. There are many risks where a good policy, promulgated to all and understood by all, can save the company money.
A good example of that is a fairly common scam that tends to cost SMEs between 5 and 50K, depending upon the size of the business. How this is achieved is that the scammer, or let’s call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who. You may be surprised at how much of that information is freely available on the company website, at Companies House and from other sources. Having discovered who the boss is, and who looks after invoice payments, the criminal then ‘spoofs’ the boss’s email. Email spoofing, in simple terms, is sending an email purporting to come from someone else. So it arrives in an inbox apparently from the boss, but actually it’s from the scammer. Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency. This happened recently to someone I know, and when it arrived in the accounts department it didn’t look kosher to the payments clerk, who replied to the email asking if the boss was sure. Of course, she got an email back saying yes, I’m sure. She paid it and the company lost over 30K. The accounts clerk was clearly switched on, but she made a basic error, because she didn’t know any different. If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss, who could have stopped the transaction. Instead, she replied to the email and her reply went back to the scammer. A policy which dictates fresh emails rather than using the reply function, and is known to all, would have saved the company a lot of money.
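To show why the reply button is the weak point in the scam above, here is an added example (not from the original post) that inspects an inbound payment request the way a mail gateway or a cautious clerk could: it reports which address a reply would actually go to, and flags a Reply-To that diverts from the visible sender or a familiar display name on an outside domain. The company domain and the sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # constructed placeholder for the firm's own domain


def _domain(header_value):
    """Lower-cased domain of an address header, or '' if there is none."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def effective_reply_address(raw):
    """Address the mail client's reply function will send to.

    Reply-To takes precedence over From, which is exactly how a reply to a
    spoofed message ends up with the criminal rather than the boss.
    """
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg.get("Reply-To") or msg.get("From") or "")
    return addr.lower()


def reply_warnings(raw, company_domain=COMPANY_DOMAIN):
    """Return human-readable warnings for an inbound payment request."""
    msg = message_from_string(raw)
    from_name, _from_addr = parseaddr(msg.get("From") or "")
    from_domain = _domain(msg.get("From"))
    warnings = []
    # A Reply-To on a different domain silently redirects the clerk's query.
    reply_domain = _domain(msg.get("Reply-To"))
    if msg.get("Reply-To") and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    # A colleague's name on an address outside the company domain (lookalike domain).
    if from_name and from_domain != company_domain:
        warnings.append(f"{from_name!r} is sending from external domain {from_domain!r}")
    return warnings


# Constructed sample: the From line impersonates the boss, Reply-To points elsewhere.
SPOOFED_INVOICE = """\
From: "Jane Boss" <jane.boss@example.com>
Reply-To: jane.boss@example-payments.net
To: accounts@example.com
Subject: Urgent - please pay attached invoice

Please settle this today, I am in meetings all afternoon.
"""

if __name__ == "__main__":
    for warning in reply_warnings(SPOOFED_INVOICE):
        print("WARNING:", warning)
    print("A reply would go to:", effective_reply_address(SPOOFED_INVOICE))
```

A fresh email to the boss's known address bypasses both headers, which is the policy the post recommends.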
Policies and attendant processes are essential for the protection of company data and the bottom line, company money. What needs to be covered, and in what depth, depends on the risks that the company is facing, but for many the answer is very similar to that of the next company. In broad terms, and as an absolute minimum, the following are required:
These policies are not necessarily exhaustive. It depends very much on the risk assessment and the risks that need mitigating. They will also be accompanied by processes to support each policy.
I wouldn't want people to go away thinking technology isn't important; it most certainly is. It is just that, on its own, it won't give you the protection you think it does.
For more information, contact Kevin Hawkins of H2 Cyber Risk Advisory Services:
T: 0845 5443742
M: 07702 019060