Business Continuity Awareness Week and FICO raise the question “are you sitting comfortably?” One might not be if one has read all the articles about taking cyber security to the next level, or what is now known as cyber resilience.
How does cyber resilience manifest itself? How can one start to make oneself – not just a business – impervious to a cyber attack?
The first thing is to assess vulnerability and impact. What would be the outcome of some or all of one’s online credentials being compromised? How would one know, how would one cope, and what should one do? Focusing on the impact (or outcome) rather than simply the risk helps make it a more personal and thorough assessment.
The question “How would one know?” is particularly interesting. How many people have ever done an internet search for their name to see what pops up? Many would be astonished at what is listed and publicly available! Anyone using a mother’s maiden name or a date of birth as one of their password keys rapidly learns how easy it is to find this information online, which is certainly a motivator to change those password keys. Information is an asset and should be treated in the same way as physical assets.
The key to continuity is contingency — having a back-up plan for when things go wrong. One may have a torch or some candles and matches in case of a power failure at home, or a back-up generator for the same eventuality at work. The same idea applies in an online context. Many of us have more than one internet-enabled device, phone, email account, social media presence or online payment means. Some of this is down to choice, some out of practicality (such as the need to keep business and personal matters separate), but a great deal of this inherent contingency is based upon an insatiable desire to remain connected, available, enabled, vital.
But just having more (devices or greater connectivity) doesn’t really mean one is better protected. Some years ago a national emergency services telephone number was interrupted and became unavailable as a result of a contractor cutting through the main cabling by accident. Many experts considered this impossible because it was believed that there was fully redundant, separate cabling. The problem was that the contractor had struck at a point which fed both the master and the back-up communications system – essentially further back up the value chain.
The same risk is true for cyber security. If one’s protection has a single point of failure — a common key or password that is reused, sometimes with only minor variations, across most online accounts — one is in trouble. Once that security is compromised — whether accidentally through inadvertent disclosure or malware, or deliberately as a consequence of social engineering or careless practice — a cyber crook can access one’s most personal and sensitive details across multiple points. This is a case of the general public seeing convenience as far more important than robust and layered security, despite fears of identity theft.
So what is the answer? The public hate needing different passwords or codes but until there is a fully robust and interoperable means of authentication this is vital. And this is where resilience comes into its own: If the public cannot or will not comprehensively secure their data, they must instead take steps to adequately withstand its disclosure should compromise arise.
One of the key principles of data protection is to render data useless, generally meaning that information is only relevant and current for the purposes of use and access at, or very near, the point of disclosure, and thereafter becomes worthless. That state is some way off in today’s open cyber society, but the ability to consciously withstand attack, compromise or maltreatment of sensitive and personal data is an important step.
This article was published by Bankinganalyticsblog.fico.com – an excellent industry advisory service.