Whose problem is Cyber Security?

An obscure, yet fair question.  The mere phrase "Cyber Security" suggests that any IT security-related incident may eventually be blamed on the IT department.  Then again, the somewhat relaxed attitude of what I would call a "Data Carrier" (someone with a USB stick holding firm or client data on it, for example) would suggest that this person may be to blame in certain scenarios.

What I am trying to get at is that the answer to the question is: everyone.  All parties can have an impact on most incidents.  I have detailed below what I perceive the main aspects of Cyber Security to be:

  • Application security
  • Information security
  • Network security
  • Disaster recovery / business continuity planning
  • End-user education
  • Social engineering

In no particular order, this pretty much sums up what we're looking at.  The efforts of Cyber Security need to involve the IT department as well as the business, in order to better understand the situations and trends from both sides, and to defend against attacks, or indeed mistakes.

Taking application security as an example: yes, sure, the IT department can stop any unknown applications (downloaded or malicious .exe files, etc.) from running on your work laptop, but what about that website that a Partner of the firm accesses to upload some firm documentation to?  This is where the control of application security is removed and end-user education comes in, which also involves trusting where the data is going, and where it is duplicated or backed up.  Is the Partner aware of the potential issues?  How often should they be reminded?  How strict should the firm's document upload policy or controls be?

Looking at network security: this is usually only feasible when you are actually on your firm's network.  Prior to connecting to a VPN or Cloud desktop session, you're on your own on whichever network you are connected to (potentially dangerous public WiFi connections, which I'll look into in a later blog post).

The key to all elements of Cyber Security for business users is awareness. IT teams need both awareness and understanding, but there also needs to be transparency between both sides in order to keep ahead of the bad guys.