Why I don’t talk about cyber security

Cybercrime statistics will make you lose sleep.

 

Baz Luhrmann told the class of ’99, ‘Do not read beauty magazines, they will only make you feel ugly.” I feel the same way about lists of cybercrime statistics. Don’t read them, they will only make you feel scared.

 

With one important caveat: I assume you (as a CIO or CISO or IT Manager or CEO or CFO or business owner) are sensible enough to already be afraid. You know that there are bad actors in unstable nation states around the world and that ‘Build Your Own DDoS Attack’ kits are going cheap on the dark web. And the rest.

 

Scaremongering should be reserved for the very last naysayers who maintain that ‘No one would bother attacking me’. That mentality truly terrifies me. Larger corporations spend millions on security. They are still compromised. Smaller businesses hear they are the most likely targets (advice from the National Cyber Security Centre). No size industry and no size business is safe.

 

But I still don’t want to talk about cyber security. I want to talk about cyber resilience.nnWhat is cyber resilience?nCisco, one of our major technology partners, defines cyber resilience as “an organisation’s ability to identify, respond, and recover swiftly from an IT security incident. Building cyber resilience includes making a risk-focused plan that assumes the business will at some point face a breach or an attack.”nnBeyond security: five reasons why cyber resilience is the goal

 

1. Total security is not the only ambitionn If the only goal was total security, we could close our doors and shut down access to the internet. But then we wouldn’t be able to do business. We need to do what is reasonable for our operations and our budget. n

2. Resilience is far more pragmaticnViatel works with many financial services businesses and credit unions who come under the auspices of the Irish Central Bank, one body that focuses on resilience over security. In their guidelines on Operational Resilience, the Central Bank recognises that not all potential hazards can be prevented. Therefore, they conclude, a pragmatic approach to operational resilience will strengthen the industry’s ability to respond to, recover and learn from such events.n

3. The resilience compliance loop

Compliance, regulation and audit are massive drivers of continuous improvement on security matters within many organisations including our own. Viatel Technology Group recently extended our ISO 27001 certifications (the internationally recognised standard for Information Security) which now cover our managed service business and data centres.nnOne of our in-house ISO experts, Alex Lowry, explains how embedded ISO 27001 is in our thought process: “Anything that we’re doing across the organisation, across every department, the ISO 27001 framework is first and foremost in all decision making. It’s embedded in all policies and processes and that way it’s reinforcing that we’re doing the right thing at every step.”

 

We follow the NIST framework for our internal IT and cyber resilience. We benchmark our customer IT environments using CIS controls and we follow OWASP guidelines for our own software development. On top of this we are also in a regulated industry, reporting to ComReg, the Communications Regulator.

 

Regulatory requirements are only going to grow. NIS2 looms large on the horizon. EU Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive by October 2024. Our classification as a large organisation in a critically important sector means that NIS 2 is already a daily consideration. We embrace the classification – with thousands on businesses operating on our comms and digital services, we fully understand how damaging a compromise would be. nn4. Resilience recognises the ongoing process

The bad news, in some respects, is that resilience is a never-ending journey. Spoiler alert: neither is security. There is no silver bullet that removes all risk or iron clads all systems. In my time as CTO at Viatel Technology Group, we have been working on our own cyber resilience programme and strive to make continuous improvements. We have implemented many big projects, such as segmenting our corporate network and re-writing and deprecating old applications, to many smaller activities that have a big impact over time, such as establishing a Security Change Management Board that meets once a week to discuss and approve changes in our network, IT or systems.n

We have also identified global partners that deliver solutions we (and our customers) require. Adopting ArmorPoint’s solution in our own organisation gave us the visibility we needed to ‘Detect’. With ArmorPoint, that PDF attachment sent from ‘Paul Rellis’ (our CEO) is scanned and investigated to ensure that our users and environment remain protected – no matter how convincing the approach is.

 

n

n

5. Resilience removes the stigma

 

Recognising cyber attacks as highly likely, or even as inevitable, removes the stigma of speaking about them. Companies can be reluctant to report incidents. Businesses are almost always slow to share their experiences with fellow companies. All of which prevents information sharing and support. Which in turn impedes planning. Various surveys show Irish ransomware victims are twice as likely to pay the ransom as their European counterparts. This remains true even when paying up is against company policy and even when they know it’s contrary to government advice. Surely, this figure would fall if ransomware victims were more emboldened to speak out and seek advice in the moment?

 

This is why we are building a support network for our customers. We know this is an area of immense challenge. It’s not easy for us and we’re a technology company with teams of engineers. A degree in physics doesn’t make me less daunted when faced with 200 questions in a cyber insurance form. I feel for other business facing the challenge without a technical background and we are here to help. We don’t promise a silver bullet solution. But we do promise to partner with you.

 

Eilish O’Connor is Chief Technology Officer and General Manager of Digital Services at Viatel Technology Group. Eilish will join a panel of experts to discuss ’How to build cyber resilience against chronic threats and respond to cyber breaches’ at the Cyber Security Summit in Croke Park on Thursday 19 October. You can find out about Viatel Managed Security on Viatel.com/security or email hello@viatel.com at any time.

 

n

n