It is 8 o’clock and you should have already gone home, but here you are, reading a security blog. You have missed bedtime, disrupted dinner … you are a bad parent, a poor partner, an irresponsible cat-owner … whichever.
You have an important role and there is a lot to worry about: a major ERP project that is drifting out of control, the expectation that you will deliver business analytics off the back of a data estate that is in bad need of being sorted out, the constant risk of losing your key digital talent, cyber intrusions and data breaches, a soaring cloud compute bill, the list goes on. You are responsible for a large part of your Board’s risk register – most of it amber, quite a bit red – not least security.
The very last thing you need is more things to worry about … and yet here we are: 10 MORE risks.
Supply chain vulnerability. Your supply chains are becoming ever more complex. Not simply the supply chains that relate to your organisation’s products, or the services that you provide, but also the supply chains that underpin your capabilities: core IT, logistics, estate, facilities, energy, the list goes on. Furthermore, these supply chains are bound to yours digitally. It is almost impossible to map the dependencies and the resultant vulnerability they introduce.
Geopolitics of technology. You operate a global business, with distributed supply and customer bases. Increasingly, however, you are exposed to the geopolitics of technology: where is your data, where do your key suppliers operate from, what standards do you adhere to and who is making them? Sanctions, technology embargoes and dual-use risks increasingly impinge on your choices and drive up your risk.
Disrupted data economy. Data confers business advantage, and building a data position is increasingly the goal of most businesses. Large platforms harvest significant data by a range of means that exploit asymmetries in knowledge, and gatekeeper positions in important networks. There is, however, a growing reaction – regulatory and technological. This includes privacy tech and new architectural models. Data dominance may no longer be a sustainable business strategy.
Changing adversaries. Hitherto the principal cyber-security adversaries have been foolishness – the unencrypted data stick, spreadsheet mailed to a home address, a click on a phishing email, test data exposed on a dev site – and low-grade criminality with a side-helping of maliciousness. There is, however, a fast-growing risk from high-end adversaries (nation-state or state-supported). Private businesses, aside from being wealthy targets, are increasingly recognised as critical to national resilience and security, broadly construed. You are an explicit target, or a potential victim of the spill-over effect of tech you have in common with other targets.
Technological fragility. Your increasing use of AI and ML is driving business advantage but it is fragile. Small errors in training or exposure to adversarial input can result in problems that are very difficult to observe and impossible to unpick. The more you drive these systems into business-critical functions the higher the risk.
Social engineering. Exploiting weaknesses in employees through social engineering is a fundamental vector of security risk and straightforward scamming, from tailgating at an entrance to responding to a ‘friendly’ approach that is anything but. Whilst this might appear to be old news, the combination of much improved behavioural insight and enhanced target intelligence obtained from social media has led to a fused social engineering and technical threat.
Technical tradecraft. Whilst increasing attention is paid to information technology and even to the ‘edge’ – sensing, embedded systems, connected equipment and so on – the threat of technical intelligence, gathered through audio, video, electromagnetic environment and other modalities is, in many organisations, a blind spot. These vulnerabilities have increased with widely available, high spec, low-cost devices.
Open source exposure. Many organisations have placed open source components in the core of their infrastructure, either deliberately, or integrated within other systems. The benefits for security of a code base that is open to scrutiny are well established. Many of the contributors to that code are, however, unknown and their motivations not explicit. The ability to scrutinise code does not always mean that the system has actually been the subject of scrutiny.
Security infrastructure. A more rigorous approach to trust, access and identity is increasingly the hallmark of many organisations adopting an uprated approach to their security. This makes sense, but this new infrastructure presents an important opportunity to a capable adversary. Compromising this layer of organisational protection provides a powerful means of undermining the entire security posture of that organisation.
Knowledge gaps. With the growing complexity of security and the rapid concurrent changes in technology, targets and threats, the ability to stay on top of the risks is beyond all but the most capable of organisations. It is possible to outsource these risks to a consultant or a vendor to a limited extent, but security is bound into the texture of the business and its operational model, and it is difficult to externalise this aspect of risk. Thus closing the knowledge gap is critical.
So, go home. You need the rest. GALLOS is thinking about all of this, and more.
Author: Professor Sir Anthony Finkelstein