12 June 2018

Information – The Final Frontier of Cybersecurity

Jani Antikainen

Typically, information can be stolen without much impact to operations. In some cases, access to information may be denied, causing temporary harm until backups can be restored. Compromising information integrity, its trustworthiness, however can have far more devastating operational effects as it might cause an organization to make decisions based upon bad information or reduce customer trust in their platform or business. Imagine the impact if there is even a suspicion that business critical information might not be all correct. The manufacturing blueprints could have an intentional error, invoices might have wrong account numbers in them, financial statements affecting stock prices might have faulty numbers. And for all this, it might not be possible to know when exactly the manipulation started. Soon the lack of trust will drive all operations to a grinding a halt.

Or it could get even sneakier. See, information is the key resource for processes. Processes make up operations, which in turn form the business itself. By subtle, unnoticed, manipulation of information, it is possible to manipulate the processes to serve the manipulators purposes. In effect, changing where the business is going. This is what happened with the Carbanak APT and the SWIFT banking hacks. This would cause a headache far larger than a data breach to a Privacy Officer overseeing GDPR. And this is what Admiral Rogers has already warned us about.

At the core of information manipulation is understanding of the role of information at process level. Case in point is the alleged Russian tampering in the 2016 presidential election. Information used as a basis for candidate selection by American voters, is suspected to be heavily influenced by parties with ties to Russian state actors. By manipulating the information, the whole process of democratic voting suffers from severe integrity and trust issues.

In the world of business, cyber criminals have been recruiting business process experts. And they probably aren’t doing it to pass quality certifications or tax audits. To keep up, traditionally technology-oriented security specialists should also start looking in the direction of business. To thwart such an advanced threat, security should be an integral part of the business processes themselves. Not just something that is added as an additional shell, or even worse, a band aid.

But how do you maintain security in business processes? It all begins by understanding the information assets that form the basis for critical processes. These are the assets that, if manipulated, can change the process’ outcome. Understanding of these assets formulation and behaviour is also to be formed. This can in turn be translated into rules and conditions, on which information can be deemed to really be trustworthy. This is what is essentially being done when teaching fact-checking to limit the impact of rumours and fake news on social media. And as in this example, creating such rules often is simply a question of common sense. In a business context, all the information needed to formulate these rules most often already exists in numerous process descriptions and in the heads of business process experts.

The key to effective protection however lies in putting this information in the form of controls and putting them into effect. Making policies is easy but maintaining an up to date understanding on their implementation is more difficult. It’s about talking the talk and walking the walk. A primary factor needed to make this happen is visibility. Visibility into the implementation of the controls is required to ensure true protection from manipulation. To make things a bit more complicated, a single process requires several parallel controls to be sufficiently protected. Maintaining such controls by manual labour or system-specific solutions takes a lot of effort. Distributing the work to different individuals and systems also effectively blocks the required visibility.

Up to now, information security technology has been focused on protecting technology. In front of these new types of threats, technology should evolve to also protect the business itself. This means new type of innovative technologies, capable of tapping into multiple information sources, and maintaining cross-system rules based on understanding of information throughout its life-cycle in the business context. A few brave ones have already started implementing such futuristic solutions. As cyber attackers further exploit your business processes, it is inevitable that other companies will take a process and controls based approach to security.

Jani Antikainen co-authors on this piece were

No comments: