Guest-blog: Simon Rycroft discusses the importance of basic cyber security hygiene and the 5 inalienable truths

Simon Rycroft

In today’s ever-changing threat landscape, it is more important than ever to follow a cyber hygiene routine that helps prevent attackers and malware from accessing, corrupting or stealing your company’s data.

Cyberattacks are growing in both frequency and impact. The repercussions of security mistakes often end up being headline news and can cause significant harm to the victim organisation.

However, there is a perception that only big, global corporations are at risk and, as a result, thousands of attacks against small and medium-sized businesses go largely unreported. Most successful attacks exploit well-known security weaknesses rather than anything novel.

Reporting from the UK Government’s CESG (the information assurance arm of GCHQ, since absorbed into the NCSC) indicates that around 80% of cyber attacks are the result of poor cyber habits within the victim organisations. To address this, a cyber hygiene strategy should be implemented which emphasises the importance of carrying out regular, low-impact security measures.

James Comey – Former Director of the Federal Bureau of Investigation once said ‘We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.’

Such a strategy will minimise the risk of becoming a victim of a cyberattack, or of spreading the impact of one to other organisations. In this context, cyber hygiene should be viewed in the same way as personal hygiene: once properly integrated into an organisation it becomes a matter of simple daily routines, good behaviours and occasional check-ups to make sure the organisation’s online health is in optimum condition.

Today I have the distinct pleasure of introducing another Guest Blogger, Simon Rycroft, who is the CEO and Co-Founder of CRMG (Cyber Risk Management Group), a specialist provider of cybersecurity and information risk consultancy services.

Simon is passionate about cybersecurity, and his career spans over 23 years. Most recently Simon held leadership roles at the Information Security Forum (ISF) as Head of Consulting and Global Account Director. In particular, Simon played a leading role in growing the ISF’s consultancy business, steering it from its inception to become a multiple award-winning cybersecurity practice. Simon’s expertise spans both subject matter and operational management. Core areas of specialism include cyber risk management and assessment, information security governance and benchmarking.

Simon is going to talk to us about the importance of basic cybersecurity hygiene and the 5 inalienable truths.

At CRMG we don’t have an aversion to the array of highly impressive products and services that compete for the modern CISO’s budget. As an example, the role that artificial intelligence (AI) can play in speeding up an organisation’s targeted response to a new breach is exciting. Where once a team of analysts might scramble to understand the implications of a piece of malware found on the corporate network – and err on the cautious side when deciding whether to advise pulling the plug on critical business systems – increasingly sophisticated tools can now rapidly determine (and, where the organisation permits it, execute) the containment measures that are needed without bringing operations to a screeching halt.

However, irrespective of the pace of technological advances that increase our firepower in combatting the cyber threat, there remain a number of inalienable truths that mean we can’t ignore the importance of ‘basic cybersecurity hygiene’. Here are ‘5 truths’ that explain the point.

Truth #1: Don’t forget it’s still all about the information

There’s a reason why those of us who’ve been kicking about for a while in the cybersecurity industry used to call it ‘information security’. ‘Cybersecurity’ is no more than ‘information security’ on the steroid we know as the Internet.

Just because the Internet introduced new threats, attack surfaces, and accelerated the ability of nefarious entities (individual, corporate or nation-state) to cause untold mayhem, the underlying principle hasn’t changed. IT’S STILL ALL ABOUT THE INFORMATION.

Since the dawn of mankind, information has accrued value for its owner. Information is a competitive advantage. Information is intelligence about our customers that enables us to sell services to them without incurring undue risk. Information is the blueprint for the self-driving car that can tell the difference between an elderly lady about to cross the road and a traffic bollard.

Information is the finer detail of the due diligence activity on which our next investment round is predicated. Information is a commodity no less valuable than hard currency, and in many cases, it’s way more valuable.

Truth #2: Not all information is created equal

Assuming you accept Truth #1, it follows that it’s only worth getting out of bed to protect the information that you’re really bothered about. If you have no means by which you can value the information on which your organisation thrives (assuming you don’t have an infinite information protection budget), you might as well pack up and go home.

The information you’re really bothered about is entirely a subjective matter of course. That’s why purchasing off the shelf cyber products and services – without understanding whether you’re genuinely focusing on what matters – runs the risk of being the equivalent of buying up the entire stock of Fortnum’s ground floor on 22 December just because the in-laws are popping round for a mince pie and a sherry on Christmas Eve.

Truth #3: Sometimes what YOU think doesn’t matter

Sometimes, the decisions you make as to whether it’s worth protecting (or not) the information your business holds might just not be up to you. Something as simple as building a database of phone numbers and e-mail addresses of those you think might be interested in your services will, of course, incur the wrath of regulatory bodies if said database doesn’t meet the requirements of data protection regulations.

Depending on your native industry and target market, you may be subject to regulatory requirements that are completely beyond your control, irrespective of the information you hold or the value you attach to it. And more often than not, these regulations will require baseline information security measures to be in place. No ifs, no buts. That’s the nature of compliance.

Truth #4: Information has a nasty habit of seeping all over the place

Think of information as water that trickles throughout the arterial canals and rivulets of your organisation. Well channelled and protected, it enables the business to thrive. Leave a sluice gate open inadvertently and – to mix metaphors – you’re toast.

Pinning down exactly where information resides, and protecting it only in the locations in which you THINK it SHOULD reside, is a very tricky business. Even more so when you take today’s complex ecosystems of supplier relationships into account – introducing the possibility that your network of arterial canals and rivulets extends into places way beyond your control.

If you fail to apply a baseline level of protection throughout the entirety of your organisation (and its sphere of influence), you’ll run a significant risk that information seeps out via channels you just didn’t envisage and didn’t protect.

Moving on to another analogy, ghosts really DO exist in the information world. Even if you think you’ve disposed of information at the end of its useful life, the chances are that traces of it still exist in multiple locations throughout the organisation. How can you be completely sure that staff haven’t created copies of information that you just don’t know about, and that those copies no longer exist? Without the consistent implementation of baseline information security practices throughout the entirety of your organisation, you’ll likely be exposed.

Truth #5: The Robots ain’t taking over any time soon

A fully automated cyber workforce is still some way off. While AI is showing massive potential in all sorts of contexts, the human being as the ultimate decision-maker in our businesses isn’t going anywhere fast. For the most part, this is reassuring, not least because most of us aren’t likely to be put out to pasture just yet by a new workforce of indefatigable, infallible robo-colleagues.

The implication? Fallibility. Glorious, old-fashioned, human nature. Business decision-making tempered by human conscience. All good, until someone makes a glorious old-fashioned mistake, at which point you might wish that a robot had been in charge.

Did that procurement manager really mean to share a dump of the entire customer database with that unvetted supplier? Ouch. The point here is that, along with information, PEOPLE still represent most organisations’ greatest asset. The problem is that, on the flip side, people also represent most organisations’ greatest weakness.

Given that we’re not yet able to implant chips behind the ears of employees to regulate reckless decision-making, we come back to the importance of basic security awareness.

The articulation of meaningful, responsibility-riddled messages that resonate with staff, resulting in people refraining from doing bad things. It’s not rocket science, but it’s not easy either.

As your business matures you will inevitably turn to technologies to assist you in keeping your information safe and away from prying eyes. Data Loss Prevention (DLP) technology is a great example. Well implemented, DLP can prove a great asset in preventing important information from filtering outside the organisation without you knowing about it.

BUT – unless such solutions are supported by a consistent foundation of straightforward, well-understood, information security good practices – you’re taking a huge risk. This is why no CISO can afford to ignore basic cybersecurity hygiene. And if this argument doesn’t persuade you, your regulators most probably will.

So, what specifically are we referring to when we talk about basic cybersecurity hygiene? Here are some baseline good practices, related back to the 5 truths for context:

Truth #1 (Don’t forget it’s still all about the information)

If you haven’t done so recently, embark on an information discovery exercise. At its simplest, this might start with a simple map of your key business processes and information systems that support them. Don’t forget to explore instances where information is shared between systems/functions and – just as importantly – to identify where information is shared outside the organisation.

This activity doesn’t have to be sophisticated (at least at first). You just need to come away from it with a high level of confidence that you understand what information lives in your organisation, where it lives, and who interacts with it.

As a tip, it can be really useful to run this exercise as a workshop that includes both technical and business people (or a series of workshops if your organisation is large or dispersed).

You’ll be surprised at what can get unearthed… did you have any inkling that Mervyn in Accounts routinely does a monthly .csv export of all employee data and shares it with your outsourced benefits management provider via a cloud drive that goes nowhere near your protected corporate network?
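The DLP point made earlier, and the Mervyn scenario above, both come down to the same question: can you recognise a bulk export of personal data when it is about to leave the organisation? The following is an added example, not CRMG’s code or any DLP product’s, of the content-inspection step such a tool performs. The HR export, the identifier patterns and the thresholds are all constructed assumptions for illustration; a real deployment would tune them to the data types the discovery exercise actually found.

```python
"""Minimal DLP-style content classifier for an outbound file (added example).

Constructed for illustration: the sample export, the regexes and the
thresholds are assumptions, not a vendor's rules or CRMG's own code.
"""
import re

# Constructed sample: what a monthly HR export shared with an outsourced
# benefits provider might look like. Every value below is made up.
SAMPLE_EXPORT = """employee_id,name,email,phone,ni_number,salary
1001,A. Example,a.example@example.co.uk,07700 900123,AB123456C,41000
1002,B. Sample,b.sample@example.co.uk,07700 900456,CD654321A,38500
1003,C. Test,c.test@example.co.uk,07700 900789,EF112233B,52250
"""

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
UK_MOBILE_RE = re.compile(r"\b07\d{3}\s?\d{6}\b")
# UK National Insurance number shape (two letters, six digits, suffix A-D).
# Real validation also excludes certain prefix letters; omitted here.
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
# 13-19 digits with optional spaces/hyphens; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps random digit runs out of card-number findings."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_export(text: str, bulk_threshold: int = 3) -> dict:
    """Count identifiers per type and per record, then give a verdict.

    A record carrying two or more identifier types counts as a personal-data
    record; 'bulk_threshold' such records (or any valid card number) blocks
    the transfer, fewer sends it for review, none allows it.
    """
    counts = {k: 0 for k in ("email", "uk_mobile", "ni_number", "card_number")}
    pii_records = 0
    for line in text.splitlines():
        cards = (re.sub(r"[ -]", "", m) for m in CARD_RE.findall(line))
        hits = {
            "email": bool(EMAIL_RE.search(line)),
            "uk_mobile": bool(UK_MOBILE_RE.search(line)),
            "ni_number": bool(NI_RE.search(line)),
            "card_number": any(luhn_ok(c) for c in cards),
        }
        for key, hit in hits.items():
            counts[key] += int(hit)
        if sum(hits.values()) >= 2:
            pii_records += 1

    if counts["card_number"] or pii_records >= bulk_threshold:
        verdict = "block"
    elif pii_records:
        verdict = "review"
    else:
        verdict = "allow"
    return {"counts": counts, "pii_records": pii_records, "verdict": verdict}


if __name__ == "__main__":
    print(classify_export(SAMPLE_EXPORT))
```

The Luhn check is what keeps invoice numbers and phone numbers from being reported as payment cards; the per-record rule (two or more identifier types on one line) is what distinguishes a staff directory from a single email address in a signature block. Neither rule is useful until Truth #2 has told you which data types actually matter to your business.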

Truth #2 (not all information is created equal)

Once you have your basic map of what information lives where in your organisation, it’s a good idea to have a crack at valuing it in some way. This might be as simple as identifying what information your business can’t function without.

By implication, everything else will be slightly less important. Once you understand the relative value of different information types or systems, you’ll then know where information protection efforts should be focused – because the realities of business economics tell us that in most cases it just isn’t possible to apply the same level of protection to absolutely everything throughout the organisation.

By the way, possibly without knowing it, by this stage, you’ll have worked through the first steps of a basic information risk assessment (but we’ll save that for another day).

Truth #3 (sometimes what YOU think doesn’t matter)

This is all about regulatory compliance. All sorts of businesses face all sorts of compliance requirements. The point here is that you must take the time to understand exactly which laws and regulations you’re required to comply with by virtue of your business activities and the information you hold.

While highly regulated sectors (such as Finance, Insurance and Healthcare) have been used to managing compliance requirements for many years, there’s a whole new generation of businesses that have only really been forced to start taking notice of compliance because of GDPR. Once you know what regulations you’re required to comply with, you’ll then need to understand EXACTLY what measures you’re required to have in place to comply with them.

If you don’t spend money on consultancy anywhere else, this is one area where it’s probably a good idea to call in an expert to help you.

Truth #4 (information has a nasty habit of seeping all over the place)

Notwithstanding any beefed-up protection you apply to your most important information, you still need to implement a baseline set of security measures throughout the entirety of the organisation. This includes things such as:

• Developing a straightforward information security policy that is accessible by every employee and which clearly states exactly what is required by staff to protect the information handled throughout the business
• Making sure that all employees are aware of their information security responsibilities (more on that below)
• Liaising with key suppliers/partners to ensure they are operating to a minimum, defined, information security standard
• Keeping all systems patched and up-to-date, and checking this routinely
• Ensuring all systems and end-user devices are running up-to-date anti-malware software
• Only providing staff with access to systems if they really need it (when you do provide access, make sure that access rights aren’t excessive – and don’t forget to revoke them once they’ve moved to a different function or left!)
• Encrypting particularly sensitive information (remember that even if personal data isn’t critical to your business’ success, you’re still required by law to apply strict controls when storing or handling it)
• Maintaining backups – and testing them periodically
• Implementing business continuity and disaster recovery procedures (even if they’re basic) that support ‘business as usual’ as far as possible in the event of an incident
• Working with a credible third party to undertake a periodic penetration test of your systems – and making sure any recommendations are applied
• Having specialist support available on speed dial if something does happen that you can’t manage yourself!
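The access-control bullet above (and the point about joiners, movers and leavers made under Truth #5 below) is the one item in this list that most often fails silently: nobody notices a leaver whose account is still enabled until it is used. The following is an added example, not CRMG’s code, of the periodic check a small organisation can run over an export of its accounts joined to HR’s current headcount. The account records, the review date, the 90-day idle threshold and the mapping of privileged groups to owning departments are all constructed assumptions.

```python
"""Joiner/mover/leaver access review over a constructed account export
(added example; not CRMG's code, and the data and thresholds are assumptions).
"""
from datetime import date

REVIEW_DATE = date(2020, 3, 31)   # constructed "today" for the review
STALE_AFTER_DAYS = 90             # assumed policy: idle beyond this is stale

# Constructed export: an identity-system dump joined with HR status.
ACCOUNTS = [
    {"user": "amira", "enabled": True, "hr_status": "active", "department": "Finance",
     "groups": ["finance-users"], "last_login": date(2020, 3, 30)},
    # leaver whose account was never disabled
    {"user": "bert", "enabled": True, "hr_status": "left", "department": "Sales",
     "groups": ["sales-users", "crm-export"], "last_login": date(2020, 1, 15)},
    # mover: now in Marketing but kept a Finance admin group
    {"user": "chen", "enabled": True, "hr_status": "active", "department": "Marketing",
     "groups": ["marketing-users", "finance-admins"], "last_login": date(2020, 3, 29)},
    # privileged account that has not been used for months
    {"user": "dee", "enabled": True, "hr_status": "active", "department": "IT",
     "groups": ["it-users", "domain-admins"], "last_login": date(2019, 11, 2)},
    {"user": "svc-backup", "enabled": True, "hr_status": "service", "department": "IT",
     "groups": ["backup-operators"], "last_login": date(2020, 3, 31)},
]

# Assumed ownership: which departments may legitimately hold each privileged group.
PRIVILEGED_GROUPS = {
    "domain-admins": {"IT"},
    "finance-admins": {"Finance"},
    "backup-operators": {"IT"},
}


def review_accounts(accounts, today=REVIEW_DATE, stale_after=STALE_AFTER_DAYS):
    """Return findings as dicts with 'user', 'issue' and 'detail', sorted.

    Three checks: leavers still enabled, enabled accounts idle beyond the
    threshold, and privileged groups held outside their owning department
    (which is how a mover who kept old rights shows up).
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if acct["hr_status"] == "left" and acct["enabled"]:
            findings.append({"user": user, "issue": "leaver_still_enabled",
                             "detail": "disable account and revoke all groups"})
        idle = (today - acct["last_login"]).days
        if acct["enabled"] and idle > stale_after:
            findings.append({"user": user, "issue": "stale_account",
                             "detail": f"{idle} days since last login"})
        for group in acct["groups"]:
            owners = PRIVILEGED_GROUPS.get(group)
            if owners is not None and acct["department"] not in owners:
                findings.append({"user": user, "issue": "privileged_group_outside_owner",
                                 "detail": f"{group} held by {acct['department']}"})
    return sorted(findings, key=lambda f: (f["user"], f["issue"]))


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS):
        print(f"{finding['user']:<12} {finding['issue']:<32} {finding['detail']}")
```

The value of the review is in the join with HR, not in the code: the identity system alone cannot tell you that Bert has left or that Chen has changed department, which is exactly why the leaver and mover processes need to feed it. Run it on a schedule, turn every finding into a ticket with an owner, and keep the output as evidence for the regulators mentioned under Truth #3.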

Truth #5 (the Robots ain’t taking over any time soon)

Good information security awareness is critical to any business these days, and you just can’t afford to skimp on it. So, think about the basic information security good practices you want ALL staff to be aware of, and come up with an engaging way of ramming the message home. Be creative. Incentivise. Draw a picture. Make a video. There’s a reason why those opting to attend a driver awareness course instead of getting slapped with extra points on their license get shown the horrific aftermath of traffic accidents.

Whatever approach you choose (and remember it doesn’t need to cost a fortune and it doesn’t have to be cast in stone… you can try different methods over time), just make sure you do it. And do it again.

Also, have a think about whether there are specific roles in the business that require an additional level of training – particularly those handling sensitive information.

Lastly, remember that people – just like information – have a habit of moving about. Don’t forget that when new people join, staff move to new roles in the business, or when they leave, you’ll need to have a clear process to make sure they’re getting the right security awareness training at the right time.

None of what is outlined above should be considered to be advanced if your organisation conducts its business using the Internet (and whose business doesn’t?). There’s plenty more you’ll need to do as your business matures. We haven’t even mentioned cybersecurity strategy, threat profiling, and so on….

If you choose to skip any of the basic hygiene measures outlined relative to Truths #3, #4 and #5, have a long hard think, because you might not have a business left to mature if you ignore them. Choose to ignore the guidance related to Truths #1 and #2, and you’ll have to protect everything to the highest level just to be sure – which in an extreme case might just amount to the same thing.

Thank you, Simon, for your incredible insights on a terribly important subject; cybersecurity threats, I fear, will not go away any time soon.

You can contact Simon Rycroft:
LinkedIn – profile
email – simon dot rycroft AT crmg DASH consult dot com (removing all the spaces)
web – www.crmg-consult.com

Why Ethical Leadership and Conduct Matters

I recently had coffee with a leader in technology innovation; we were discussing why doing the right thing, morally and ethically, in leadership can be the right thing to do.

As the coronavirus COVID-19 has seeped its way more deeply across the world, many tech companies are asking employees to stay at home. And work, of course.

The case we were discussing was prompted by Microsoft and its CEO, Satya Nadella: in an act of intelligent goodwill, Microsoft will continue to pay employees. No, not a reduced rate, but their full regular pay.

Have you ever noticed how decisions are so much harder when you try to do the right thing and make an ethical decision, rather than focusing on what’s easiest or most practical? This is mainly because “the right thing” means different things to different people.

The world of business is full of ethical dilemmas, from where to direct scarce resources to serving the local community. Every leader will make ethical decisions, whether or not they acknowledge them at the time. But the decisions they do make can determine whether their leadership is based on an ethical framework or not.

Yet making ethical business decisions is increasingly important in today’s world. News of a leader’s questionable behaviour can spread around the globe in seconds, and bring down an entire organisation.

Employees who trust their immediate boss have higher job satisfaction, more commitment to the company, and feel they are treated more fairly in processes and decision making. Employees who trust their business leaders feel more committed to the company, feel the organisation supports them more, and feel that leaders fairly allocate resources, treat others well, and follow procedures transparently.

Trust works in different ways, depending on where you are in the organisation. For this reason, C-suite leaders should consider focusing on different elements of trust-building than managers closer to the bottom of the organisational hierarchy.

Humans are social creatures and both historic and current findings confirm that strong, supportive communities have higher survival rates, prosper better and enjoy more content and fulfilled lives. This is also true of business communities.

Leaders today are constantly in the spotlight and are often called upon to earn authority without control. Economic and social change demands leadership by consent rather than by control. What we perceive as good leadership tends to be created by leaders, followers, and the context and purpose of the organisation, thus it is a collective rather than individual responsibility.

Trust is a key ingredient of successful leadership. Trusted leaders are the guardians of the values of the organisation. Trust can release the energy of people and enlarge the human and intellectual capital of employees. In a trusting environment, when we are committed to our shared purpose, we play active roles both as leaders and as followers.

We talk a lot about trust these days because it tends to be a precious and scarce resource.

When we listen to the emerging needs of the workplace we step into the most relevant and useful roles and make relevant and valuable contributions both when leading and when following. Members of organisations who are sensitive to people’s reactions trust themselves and each other. They build and nurture trusting relationships and allow the future to emerge organically.

No heroic leader can resolve the complex challenges we face today. To address the important issues of our time we need a fundamental change of perspective. We need to start questioning many of our taken for granted assumptions about our business and social environments.

My business partner, Mark Herbert, recently shared the Edelman Trust Barometer with me and discussed its findings. The report found that people are suspicious of change and innovation when they do not see the long-term benefits for all stakeholders. Fifty-four per cent of respondents believe that business growth or greed/money are the real impetuses behind innovation, and only 27% say that business innovates because of a desire to make the world a better place or improve people’s lives.

Leaders need to treat employees as adults, openly and honestly discuss the organisation’s challenges and take responsibility for their decisions and actions.

Leaders also need to listen more. The trouble is that most are unable to recognise, let alone change, the structural habits of attention in themselves and in their organisations to drive key factors such as trust. Learning to recognise our blind spots in any business culture requires a particular kind of deep personal and collective listening.

The benefits of connecting mind, heart and our senses are well documented in both scientific and popular publications. Integrating such practices into the organisational culture increases not only the level of wellbeing but also the levels of trust, honesty and openness of communication.

In spite of decades of discussion and research on ethical leadership, the available information is largely anecdotal and remains highly normative; until very recently, little had been done to systematically develop an ethical leadership construct that could be used to test theory about its origins and outcomes in business.

This has to be questioned: why have boards, C-suites and senior managers never questioned the moral and ethical standing of their organisations, and why is corporate governance only now including the values and standing of the largest component in business, people?

It is particularly in times of corporate scandals and moral lapses that the broader public and the interest groups in a corporation ask themselves the fundamental question: who are corporate managers, and are they ethical?

Being ethical is about playing fair, thinking about the welfare of others and thinking about the consequences of one’s actions. However, even if one grows up with a strong sense of good and bad, the bad behaviour of others can undermine one’s ethical sense as well.

Ethical leaders think about long-term consequences, drawbacks and benefits of their decisions. For the sake of being true to their own values and beliefs, they are prepared to compete in a different battle on the market, where the imperative is: Do what is right.

Leaders serve as role models for their followers and demonstrate the behavioural boundaries set within an organisation. The appropriate and desired behaviour is reinforced through culture and the socialisation of newcomers. Employees learn about values from watching leaders in action. The more a leader “walks the talk”, by translating internalised values into action, the higher the level of trust and respect they generate from followers.

When leaders are prepared to make personal sacrifices for followers or the company in general for the sake of acting in accordance with their values, the employees are more willing to do the same.

Unethical behaviour by business damages not only a company’s health but also public virtues. Reputational capital is difficult to repair once it has been damaged.

One of the reasons why many corporates still behave badly, with leaders who don’t take ethics seriously, is that shareholders and boards sometimes place singular emphasis on competence and quantitative results at the expense of good behaviour. There are leaders who are technically competent, who get the job done and show good quantitative results, yet are found wanting when it comes to ethics.

The rise of ethical leadership can be traced back to the scandals inside the corporate world in recent decades. The fall of big organisations such as Enron and Lehman Brothers has partly been blamed on unethical behaviour and, as a result, there has been a call for more ethical leadership.

Ethical leadership is considered to be one solution for creating a balance between the wellbeing of the subordinates and the wider community, and the organisation’s profitability. The theory understands the importance of trust and good relationships. In essence, modern ethical leadership theory places importance on the idea of service.

Ethical leadership often takes the form of three separate approaches to leadership. The three have historical and philosophical foundations and all three emphasise different aspects of decision-making.

The first approach is Utilitarianism Theory, which sees the leader maximizing the welfare of the subordinates. The focus is on ensuring the subordinates feel good and are happy, before deciding on an action.

The second approach focuses on the Libertarianism Theory. The leader is to protect the freedom of the individuals as the main concern. If an action or decision would restrain the subordinate’s freedom, then the leader would not proceed with the course of action.

The third approach is an approach to leadership emphasizing Immanuel Kant’s Ethical Theory of doing the right thing. The approach to decision-making is, therefore, looking at the proper means.

Moral and ethical actions come from understanding what are the rules and customs of the organisation and following these. The idea is that by understanding these common, agreed values, a leader can make the right decisions.

Final thought: ethical leadership should also be understood through the lens of its influence over other leadership theories. Being ethical is a core part of other leadership styles, and a strong ethical foundation is required for styles such as transformational and charismatic leadership. While a strong ethical outlook is required for those leadership theories, ethical leadership places the biggest emphasis on applying ethical values to every aspect of leadership.

Can a company be successful and competitive on the market and at the same time ethical? Akers believes that market success and ethical conduct go hand in hand: “Ethics and competitiveness are inseparable. We compete as a society. No society anywhere will compete very long or successfully with people stabbing each other in the back; with people trying to steal from each other; with everything requiring notarized confirmation because you cannot trust the other fellow; with every little squabble ending in litigation; and with government writing reams of regulatory legislation, tying business hand and foot to keep it honest.”

Pope Benedict XVI once said:

“To me, it really seems visible today that ethics is not something exterior to the economy, which, as a technical matter, could function on its own; rather, ethics is an interior principle of the economy itself, which cannot function if it does not take account of the human values of solidarity and reciprocal responsibility.”