Less email filtering?

Cyber security is often thought of as a defensive exercise. It is usually framed in terms of preventing threats from gaining access; however, when considering malicious emails, I wonder whether there might be a slightly different way to think about it.

My concern is this: if in our cyber defence we do a really good job and prevent malicious emails, such as the all too common phishing email, from getting through, then we could potentially create a workforce who are unfamiliar with phishing emails. Our defences may create a situation such that when a phishing email eventually does get through, and this is pretty much guaranteed, the recipients are ill prepared to identify it as malicious and respond to it accordingly. Our defences create a more vulnerable user base. I would also suggest that an expectation of 100% successful filtering is naive; our filtering solutions are simply not that good, combined with the fact that cyber criminals are constantly adjusting their approach to bypass common filtering solutions and approaches.

Now, to be clear, I am not proposing no defence against malicious emails. What I am suggesting is that having filtering which is at least slightly porous, allowing some malicious emails through, may be preferable in developing users who are more aware.

I suspect some may argue that awareness is developed by training and awareness campaigns, etc.; however, I would suggest that these are all proxies for exposure to the real thing, and for learning to deal with the real thing. Again, I am not saying that we shouldn't have any awareness training; in fact I am a firm believer in the critical importance of awareness training. I am simply suggesting that training is not as effective as real life events.

The challenge with the above is the level of porosity. As I suggest, not porous enough and the user base may be ill prepared; equally, defences which are overly porous will simply expose users to a greater volume of risk through a greater volume of malicious emails. Once again the challenge relates to achieving balance and to managing risk.

GDPR: 2 Years On

Back in 2017 I wrote a post for UkEdChat in relation to GDPR (see the post here), prior to the introduction of the GDPR regulations in May 2018. It is just over 3 years since that post, and almost 2 ½ years since GDPR came into force, so I thought it would be a good time to revisit the post and share some of the things I have learned in relation to data protection and GDPR since then.

Subject Access Request

One of the key things I expected when I wrote my post in 2017 was a significant increase in Subject Access Requests (SARs). For me this never really materialised. What did materialise, however, for the limited number of SARs received, was a more difficult and time-consuming process in trying to fully respond to requests. Thankfully new tools such as the eDiscovery tools in Office 365 made this reasonably easy and convenient from an IT point of view, but this didn't alleviate the administrative challenges around the need to review, and also redact, the data identified by the eDiscovery tool.

Evidencing compliance

One of the key things I have learned in relation to GDPR is the importance of evidencing compliance with the regulations. Things will not always go to plan, and when they don't there is a need to prove that you have done all that is reasonably possible. This means documenting processes, documenting incidents, even minor ones, and documenting discussions regarding the perceived risks and mitigation measures, including the mitigation measures which have not been applied due to cost or operational impact. You need to be able to prove that you have fully engaged with the legislation and made every reasonable attempt to comply.

Interpreting the rules

It is clear that the GDPR rules are not as clear as some people, and especially those selling GDPR goods and services, would make out: there is a need for interpretation within the context of your own school, and any such interpretation needs to be documented. There is also an opportunity here to reach out to other schools similar to yours to see how they have dealt with certain situations, and how they have interpreted GDPR. Again, a key issue is the need to document any decisions or conclusions reached in your interpretation of GDPR.

Third Party Management

I mentioned third party management in my 2017 post and I believe my concerns have been proven. Third parties have shown themselves to be a source of cyber risk, with cyber criminals breaching third parties and then moving laterally into an associated school or other organisation. Third parties have also shown themselves as a risk where they themselves are used to process or store your school data, as a breach of the third party storing your data is your responsibility: you are the data controller. The key here is the need for due diligence and a privacy impact assessment before engaging with a third party, plus the routine review of these assessments and of third parties' approach to data protection and to cyber security. We can't truly control the third parties we engage or the criminals who may seek to breach them, but we can try to ensure they are as prepared as possible, and can ensure we can evidence that we have taken all reasonable measures should something go wrong.

Risk Management

This is my biggest learning point from the last 3 years, since my post in 2017. There are no 100% answers when it comes to cyber security and data protection. It is all about managing risk. Every action we take in terms of the setup of a system, the processes we use, the third parties, etc., involves a business benefit or gain but also a risk. Nothing is without risk. As such we need to be constantly reviewing the risk and deciding what risk is acceptable and what is not. We need to examine the available mitigation measures and decide which will be implemented and which we will not implement, with this often due to potential operational efficiency losses or simply down to cost. Above all, we need to document these considerations and the resulting decisions.

Conclusion

I am not sure GDPR changed things as much as I thought it might; however, it definitely did provide an opportunity to re-examine processes, systems, etc. with a view to keeping data safe and secure. This also provided a key opportunity to develop the all-important documentation in relation to processes and systems. I think in 2017 I looked at GDPR as a piece of legislation and an end point in ensuring readiness for May 2018. Looking back, I now see GDPR as more of an ongoing process which will never end. GDPR is about ensuring we are doing all that is reasonably possible to safeguard the data entrusted to our possession.

Cyber Security ROI

Investment in organisational cyber security is very much a preventative measure, intended to prevent or reduce the likelihood of a cyber security incident. This investment in reducing a probability is problematic.

The ideal is always that no cyber incidents, where a threat succeeds in having an impact on an organisation, occur; however, as we project off into the future, the likelihood of an incident can only increase in line with the unpredictability of future events. Entropy is clearly at play.

In the worst-case scenario, an incident happens and there is an impact on the organisation. In this case we know that our current solutions and the related investment have been insufficient. I note this is not to say that we need to spend more following an incident, although I suspect this will be the trend; more that what has been spent has not delivered the outcomes we wished for and helped in preventing an incident. It may be that we need to spend on different things going forward, but the expenditure to date has been ineffective.

The issue with all of this is that our current setup is fine until it isn't. We can be happy with our current investment until it is revealed to be ineffective by an incident, but we don't want this to occur. How do we therefore decide on an investment which is appropriate to the organisation, without waiting for incidents to prove that what we have is ineffective? And at the same time, how can we avoid spending excessive amounts on cyber security, which would draw funds away from the organisation's core business, assuming the core business isn't cyber security itself?

I have always believed in taking a risk-based view. We need to first identify the risks which we believe exist, the likelihood they will occur and the impact they would have on the organisation should they happen. From this we can start to consider the amount of investment we might apply to mitigation measures, to cyber security, in relation to the risk. So, a risk with a potential impact of £500,000 which is considered low likelihood might merit a £10,000 investment annually but is unlikely to merit £400,000. If the risk impacts a business-critical system, it might merit more investment than a risk impacting a low business value system.

The above isn't a science, sadly: there is no magic Return on Investment (ROI) formula. It is all based on subjective judgements, hopefully based on experience and hopefully backed up by a third party to provide some level of assurance. It also isn't easy. Whatever amount you invest, there will always be a probability that in the future it will be proven to have been ineffective by a single breach. Those overseeing cyber security must get it right all the time, while the cyber criminals only need to get it right once. This is why I continue to believe in a "healthy paranoia".

We need to be concerned, to be paranoid, and to be constantly reviewing the risks, our organisation, the available technologies and threat trends. We also need to be conscious that we cannot know the future with any certainty and can only predict based on what we know now. We need to communicate the decision-making processes and ensure these are understood. In the future our decisions from today may be proved to be wrong; that's always easy to do in hindsight, but at the moment of decision making, and with the information available, a decision which seemed appropriate at the time was made. We need to balance our paranoia in the interest of our sanity and wellbeing. We need to accept that we won't always get it right!

Return on investment on cyber security spend, in my view, will always be difficult. If all goes well then everything runs smoothly and no cyber incident occurs, but this doesn't prove your investment. The future incident may have been brilliantly prevented or, more likely, it just hasn't happened yet. Sadly, the only definitive proof is when things go wrong, when an incident proves that your spend on cyber security was ineffective. This is the kind of proof you just don't want to see.

So, for now I will continue with the difficult decision process in relation to cyber security investment: that fine balance between cyber security and business operations/cost.