Wednesday, 2 October 2013

Bromance, space rockets and understanding your threats

OK, I admit it - I have a bit of a bromance brewing.

No Z-list celebrity or puerile X-Factor wannabe for me, however. My target of admiration is a self-made billionaire and big thinker: he is CEO of Tesla Motors (making electric cars) and also CEO of probably the coolest company on the planet, SpaceX (making rockets - yes, rockets). Oh, and did I mention that he’s also the real-life model for Tony Stark, aka Iron Man?

Step forward, Elon Musk.

OK, maybe I have a bit of a problem - but what has this got to do with information security? Give me a second and I’ll get there.

I recently caught up with an interview Elon gave at a TED event earlier this year. Around 14 minutes into the talk it was mentioned that SpaceX doesn’t patent anything on the rockets and spacecraft it makes, and then Elon caught my attention with this:

“Since our primary competitors are national governments, the enforceability of patents is questionable.”

And that made me think.

It made me think that Elon really understands the threats to his businesses - and from there it was only a short jump to my next thought - that many of my clients (small to medium sized businesses) don’t. And that is a fundamental issue.

Let’s step back a bit.

When you lock your door at night, why do you do it? Might you be murdered in your beds? Someone covets your TV? Or is it that you are sick and tired of your neighbour stealing the milk? If you didn’t lock your door, what would happen? Think about it for a moment.

(Image caption: Elon Musk)
OK, so depending on who you are and where you live, your answers might be different from someone else’s in a slightly different situation. What you have done, in information security parlance, is a kind of risk assessment: you have perceived a threat of some sort (you could be burgled, for example) to your assets (your TV, maybe), worked out your weaknesses, or vulnerabilities (they could get in via a door or window), and come up with a control (I need to have a good lock on my front door, and use it). There are some threats that we as human beings are really good at getting a handle on, and others we are really bad at understanding - but I might save that for a future blog.

So, let’s move to your office and start thinking in terms of your business assets. What do you have to protect? Depending on your business there might be the office space itself, your staff, your data. I’m generalising here, but basically the office can be covered with forms of insurance and your staff likewise as well as with Health and Safety processes. But what about your data?

So what do I mean by data? By data I mean your business’ information assets (and ‘data’ is a pretty horrible synonym, but we will stick with it as it’s short and sweet). They are the key assets, on paper or on a computer hard drive, without which your business would not be able to trade. Now every business is different - for you it might be your list of customers and what they’ve bought from you, it might be some very specialised intellectual property that you are about to wow the world with, it might be very sensitive client materials or it could be your secret plans for world domination. I’ve yet to come across two businesses, large or small, that have the same information assets - your information assets are pretty much a unique fingerprint of your business.

(Image caption: Tony Stark (aka Iron Man), um, no, wait...)
Many businesses, large and small, are starting to get a handle on some aspects of threats to their data - for example, most people understand they need to use anti-virus software on their computers, or that they need to make backups (you do, don’t you?). But for many, that’s as far as it goes. They don’t tend to really consider the threats they face every day.

OK, have a go yourself. Make a quick list of the key threats you think that your data faces every day. I’m guessing that what I consider the number one threat won’t be on your list.

Now, I’m not dismissing what’s down on your lists - I’m sure they are very real threats and need to be dealt with somehow, but I’m betting there is one very real threat that you haven’t considered. Ready to hear what it is?

It’s you.

You are the greatest threat that your business faces - because (on the whole) you are not taking information security seriously enough. I don’t say that lightly; it’s just that small to medium sized businesses are very poor at understanding, let alone applying, information security processes to their data (excluding most businesses that are related to the health profession - in the medical sector the issue of information security and information governance is very high profile).

Information security isn’t about the IT (well, mostly) but instead about the processes, the procedures and the people. I’ve seen very well-intentioned staff make such horrendous mistakes (while meaning well) that they have very nearly resulted in large fines from the Information Commissioner’s Office. I’ve seen businesses started on the back of stolen customer data. Honestly, it’s not pretty.

Information security is, at heart, about putting in place well-understood processes and keeping tabs on them. It’s about training your staff appropriately. With respect to Elon, it’s not rocket science. I’ve made it my personal mission to try to get businesses more aware of the threats they face and what they can do to better protect their data. It’s going to take a while.

And finally, back to the target of my bromance, Elon Musk, advocate of sending humans to another planet, with probably one of the coolest quotes of all time:

“It’d be pretty cool to die on Mars, just not on impact.”

Now that’s thinking big.