British Airways (BA) made headlines recently when it announced that the credit card details of ~380,000 customers were stolen in an attack on its website and app. The company’s share price dropped 2% and the event was a reminder that no organisation, regardless of size or sophistication, is immune to such attacks. Cybersecurity has a high profile. But what is it? The Badger playfully asked friends recently. Many said that it’s anti-virus software, firewalls, encryption, two-factor authentication, software patches, and so on. The Badger, however, learned some years back that it’s much more than this.
The Badger once oversaw a company security department and was tasked to expand the profile and impact of its activities. The department’s staff were expert, hardworking and very professional, but they were seen as administrators by others. The Badger learned lots very quickly, especially that cybersecurity is really the convergence of people, governance, processes and technology into a multi-layered framework to protect an organisation, its people, networks and business systems from malicious digital attacks.
The Badger and the department staff set about improving and communicating such a layered framework to have a bigger impact. Anti-virus, firewalls, encryption, passwords and two-factor authentication, and routine software patching were just part of this holistic bigger picture. Progress was helped by executive realisation that new privacy laws were on their way (e.g. GDPR), and that they needed to have good overall security governance, incident, public relations and media management in place to address stakeholder and customer anxieties. Executives had learned from some very public mishandlings of events by other companies! All suggested improvements were approved and fully implemented. Similar things happened in other organisations industry-wide, and today Chief Security or Chief Information Security Officers (CSO/CISO) are the focal points for overall security governance, policies, processes, and practices, including threat detection and defensive measures.
BA seem to have handled the public aspects of their event reasonably well, which implies robustness in their overall security and incident handling framework. However, one thing’s certain: more such attacks are inevitable. Why? Because people, often very innovative and creative ones, are involved in this delinquency. The Badger learned lots from overseeing a security department. The department lead, a person with decades of security experience, insisted that ‘People are always the weakest link in security’, and the Badger saw this proved many times. Even the most upstanding people can resort to maliciousness or criminality and become a threat when impacted by adverse life, personal or work events.
So, if you’ve read this far, then just remember that firewalls, anti-virus software, encryption and so on have their place, but when it comes to real security, you are the weakest link!