Your Security Journey, more for less during the COVID 19 pandemic

Your Security Journey, more for less during the COVID 19 pandemic

Thank you to our Head of Client Development ADVENT IM, Derek Willins.

The Original Article on the ADVENT-IM site can be accesses by clicking on the Logo:

As we endure societal lockdown in an effort to control the spread of COVID-19, thoughts turn to imagining what will change when it’s beaten. I suspect that business continuity, business resilience and risk management will be high on most agendas for a while, alongside the financial restrictions that will decide what gets done and when. Supply chains will be overhauled, as will working from home policies, and mobile equipment. Digitisation will increase, as will automation and complexity. Quite what all the ‘new normals’ will be in two or three years is too hard to call, but it will look different from today.

There is one certainty though. Online crime will continue to grow. Criminal activity has stepped up during the crisis with sophisticated health and virus-oriented phishing and ransomware campaigns; as well as heartless physical attacks on ambulances, and thefts of hospital oxygen cannisters. Our enemies are merciless and cruel. Unified and better-constructed security defences have to be part of the inevitable reviews which will happen. However, I suspect the usual objections to change will centre around finance (specifically ROI) and, how do we get more from less. This latter issue I want to address.

Advent IM’s long held philosophy has always been, that holistic security (one-team, information, IT, physical) is more efficient and effective than unconnected silo’s, and that excellence can be achieved with modest budgets.  Underpinning this philosophy is that people and process are the master, and technology is the servant. All too often in the search for quick solutions, the lure of expensive technical security solutions (without good people and process around it), has usually failed to deliver on expectations. A more balanced approach of people and process with technical support is the strategy which brings affordable effectiveness. It was a pleasure therefore, to discover some data which supports Advent IM’s philosophy.

A few months ago, a new report* was published, which caught my eye.  It’s a document providing us with a view of the current state of Information Security including current risks and trends, organization structures, and budgets.

There is an analysis of the respondent’s security budgets (as a % of their IT spend) and their security maturity status (based on 0-4: 4 being optimal). Each respondent is then put into 4 quadrants. The two axes are, the (group average) budget, versus the (group average) security maturity.

Advent im security spend vs maturity

Conclusions from the report;

  1. There is absolutely no correlation between security spend and security maturity.
  2. There are high security spenders, but with a low security rating (B), and some low-spenders with a high security-mature (A).
  3. The A group with strong maturity and low expenditure, are spread across different industries, and represent about 11% of organisations in the sample.

At face value then, the report tells us that security maturity (excellence, resilience) can be achieved, without massively high investment (less than 7.2% of IT budget). Clearly these organisations have something to teach everyone. Sadly, the analysis stops short of identifying their common attributes.  However, there are some inferences that can be made.

The security maturity measure starts at 0 (Non-existent) to 4 (Optimised. i.e. business enabler). On average the sample scored 2.06. This puts them in the ‘Defined’ level which means they have defined security formal process, roles and responsibilities and its all communicated. So far so good.

The next level up (3) is where the A group are getting close to. This means they measure and test that process is working effectively, KPIs are set, some automation is used, and regular reviews and audits are conducted. In short, the A group ensure their way of working is effective and adjust as they go – and all done at below the average expenditure of 7.2% of the IT budget. In our experience, only people and process supported by the right technology, make this happen.

Our experience tells us that most organisational leaders are satisfied that their security operation is currently fit for their purpose. It’s also true that the same people want security to be a bigger part of their business culture, but rarely have a plan to make this happen.  However, the evidence is clear that more can be achieved with reduced expenditure, and that all organisations, however confident, should be constantly reviewing and testing what they do. Partly because threats are constantly changing, and partly because great security is an enabler of innovation and productivity.

The financial circumstances post COVID-19 will demand that operational improvements are made. More cloud, more automation, more devices, more data, more risk. Security by design and default, means that planning for a more affordable and more effective security function in a post COVID-19 world starts now.

*Source; Capgemini Information Security Benchmark 2019. Based on 105 companies in EU across 4 large Private channels (Utilities, Finance, Consumer, Manufacturing). CISO’s and CIO’s views.

Contact the ADVENT-IM team by clicking below:

SIA Comment on security staff as critical workers

SIA Comment on security staff as critical workers

26 March 2020

- this link opens in a new window

On Monday, 23 March the Prime Minister announced further instructions to the British public to combat the spread of Coronavirus (COVID-19). His announcement can be viewed here. It places further restrictions on when people can leave their homes and limits travel for work to essential roles only.

- this link opens in a new window

I am able to confirm that the current definition of critical worker DOES include regulated (licence holding) security professionals, essential to national infrastructure, operating in roles under the 8 broad headings listed. This status is only directly relevant to the ability to access the school and childcare systems at this time. This critical worker definition does not affect whether or not you can travel to work – if you are not a critical worker, you may still travel to work where this absolutely cannot be done from home.

To prioritise pressure on the schools system, it does NOT extend to all licence holders. It is role dependent. The list may change over time.

Government advice is to stay at home whenever possible. It is to keep your children at home whenever possible – even if you are a critical worker. If, and only if, you are undertaking an essential role, supporting the nation’s COVID-19 response, which you can only do by accessing the school or childcare systems, should you do so as a critical worker.

This definition covers, amongst other areas, security provision in hospitals; schools; social care; courts; government estate; supermarkets and the food supply chain; the transport network; national infrastructure and utilities. If you are providing essential security to a service which itself remains critical and functioning, which attracts critical worker status, then you are likely to be covered. If in doubt, check with whoever contracts for your services.

Roles essential to supporting law and order, with the potential to reduce demand on policing, also meet the critical worker definition. This would include, amongst other areas, the guarding of empty or closed commercial, retail or office premises; the monitoring of similar through CCTV or other remote means; and the provision of alarm response centres including mobile units.

If your role does not clearly fall under the headings above then you may still travel to work, if that work absolutely cannot be done from home. Your aim should be to stay at home whenever possible. If this is not viable then assess whether you can deliver more services remotely e.g. through CCTV. If a physical presence is required then you should seek to minimise the number of staff deployed to the lowest safe level and ensure social distancing is applied.

Note that in any circumstance, critical worker or otherwise, the Prime Minister has been very clear that ensuring social distancing remains the responsibility of the employer.

These are difficult questions in unprecedented times. They are not easy and no-one else can answer them for you. You will need to apply judgement, with the aim of minimising social contact where possible. The words to focus on are ‘necessary’, ‘critical’ and ‘essential’, otherwise please stay at home and minimise the transmission risks for the benefit of your health, your families, the general public and the NHS.

Ian Todd
Chief Executive

Please access the SIA Site Here:

Fake News isn’t new

Fake News isn’t new

Sun Tzu and the Art of Fake News

“That is #FakeNews” is one phrase that has rocketed to fame last year. President Trump’s legacy has already been left in Twitter land but why has it come to the fore, is it new and more importantly is it something that individuals or enterprise should be concerned about?  Philip Ingram MBE the editor of HQ Magazine takes a look at fake news, but with a 6th century twist.

There are elements of the press who seem to suggest that fake news is something new, it isn’t, and it has its roots back to the 6th century, but before I delve that far back I want to take a quick look to only 74 years ago. The Second World War shows just how important “fake news” was to the war effort; fake news, when targeted for an effect is also known as Propaganda. William Brooke Joyce, nicknamed Lord Haw-Haw, an American-born, Anglo-Irish Fascist who became the Nazi propaganda broadcaster to the United Kingdom during World War II was probably the most famous mouth of fake news, but the Japanese had English speaking female broadcasters who were nicknamed Tokyo Rose.  

The use of fake news or propaganda was not limited to the Germans or Japanese and arguably the greatest military success of the Second World War, D Day, was enabled by fake news through an operation called Operation Fortitude.  With this being linked to a military operation this is where I want to bring in 6th century teachings.

Sun Tzu the 6th century Chinese general, military strategist, and philosopher, arguably the greatest military tactician and strategic thinker ever, said in his book the Art of War, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” His teachings have stood the test of time!

Operation Fortitude was a massive deception operation conducted by the Allied Forces to lead the Germans to believe that they would be landing in Pas-de-Calais and Norway, masking the true invasion through Normandy. 

The aim was also to make them believe that the Normandy landings in May 1944 and in the south of France in June 1944 were mere diversions, so that the German army would concentrate its troops in the wrong place. The German authorities clung to their belief that the landing would occur in Pas-de-Calais right until September 1944.  Operation Fortitude held onto the principals set out so eloquently by Sun Tzu. The bluff worked but highlights how a country with extensive national intelligence assets looking at a situation unfolding, can be deceived. 

The Russian term маскировка (maskirovka) literally masking, was defined in the International Dictionary of Intelligence from 1990 as the Russian military intelligence (GRU) term for deception. Vladimir Putin would have “grown up” in an organisation where maskirovka was a normal part of everyday thinking.  At every level of my military training we studied maskirovka, so imagine my surprise when Robert Hannigan, the ex-director of the UK spy agency CGHQ, said of the Russian threat in an interview this year, ‘We didn’t see Russian use of disinformation coming‘.  It clearly demonstrates a naivety with the UK’s senior intelligence officials, charged with keeping our politicians abreast of the threat to that which underpins our way of life, democracy.  

This failure highlights that those self-same senior intelligence officials have forgotten one of Sun Tzu’s most famous quotes. “If you know your enemies and know yourself, you will not be imperilled in a hundred battles; … if you do not know your enemies nor yourself, you will be imperilled in every single battle.”

Should we be worried? Well in my professional opinion, I think we should be extremely worried.  This is not just something targeted country on country, it is being exploited by terrorists and so-called ISIS are masters at it, it is being exploited to gain commercial advantage especially when rumours can be generated in the money markets, huge sums can be gained, or lost.

In May last year many respected media outlets reported concerns by the US Securities and Exchange Commission (SEC) over false reporting.  The FT outlined that the regulators were concerned that fake news was affecting investment decisions and reported evidence that seemingly independent outlets were being paid to promote stories.  They reported the SEC as saying, “keep in mind that fraudsters may generate articles promoting a company’s stock to drive up the stock price and to profit at your expense.” 

Supporters of so called ISIS are very quick to post across their networks details and pictures from any attack, thereby taking de facto responsibility in the eyes of their supporters even before any official statements are released.  This has the effect of stimulating potential copycat or other attacks as well as giving “oxygen” to their terror message, to paraphrase Margaret Thatcher. The manipulation of media messaging is extensively used by todays terror organisations.

The one factor that enables fake news to have such a rapid impact today is control, or lack of it.  Operation Fortitude was a carefully orchestrated national plan controlled at the highest levels, so all messaging was coherent and worked to a common aim. Today, fake news can be delivered to millions of people at the click of a button via social media and the average person in the street can send a message that the President of the US may read personally, without it going through his normal staffing and advisory chain.  The power of social media is phenomenal.

The Russians continue to use maskirovka as part of their global engagement techniques. We are already seeing proof of their involvement in the US elections and likely in the UK Brexit referendum and more.  Sun Tzu highlighted how this works when he said, “Speed is the essence of war. Take advantage of the enemy’s unpreparedness; travel by unexpected routes and strike him where he has taken no precautions.”  Remember, Robert Hannigan said he didn’t see it coming and those unexpected routes were Facebook, Twitter, big data manipulation, main stream press and good old fashioned human influence, powered by the internet.

Arguably Kim Jong Un from North Korea knows how to play President Trump using Sun Tzu.  As the 6thcentury tactician said, “If your opponent is temperamental, seek to irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. Attack him where he is unprepared, appear where you are not expected.” It is this last line that is keeping the world’s breath held.  Kim Jong Un’s understanding of President Trump’s temperament is clearly excellent when he applies Sun Tzu’s principal, “If your opponent is of choleric temperament, seek to irritate him.” Trump gets irritated easily by ‘Rocket Man.’

With the ease of spread of fake news and its ability to influence, it is something that enterprise should be concerned about.  The instability caused by state on state activity is one thing but there is clear evidence of state on enterprise actions in cyberspace with the theft of IP. Fake news is another cyber enabled activity and the potential for enterprise on enterprise use of fake news is growing.  

As an intelligence officer looking at a threat you ask 2 questions.  The first, does the capability exist and the answer is yes.  The second, is there intent to use it, and again the proof is that the answer is yes. Now is the time for risk managers in companies to ensure the impact of Fake News is something they plan for, remember it is a cyber enabled threat.

In one of Sun Tzu’s opening statements he said, “If your enemy is secure at all points, be prepared for him. If he is in superior strength, evade him.” The time has come for preparedness as you cannot evade this threat.