It’s often said that all politics is local. It seems that all cyber security is, too.
Matt Palmer, Director of CERT.JE (the Cyber Security Centre for Jersey) explains why we need to work together as an island in order to understand the reality of cyber threats.
Of course we all know the threat is global. But we look at the world through a local context. And so the top question I’m asked is the one question that usually isn’t very important: “Has it happened here?”
Understanding that cyber threats are real when you think you have not yet been impacted is hard. And those who are affected are often less than keen to share.
If someone’s house catches fire, we all see it. If someone has a cyber attack, we often don’t. There was a day the other week when compromised computers belonging to Jersey organisations and residents participated in malicious attacks on the United States, Germany and Hungary, but it’s hard for organisations to see how that could be caused by a quick decision to, for example, delay implementing two factor authentication for a web portal or to keep operating that legacy system for a couple more months.
Speaking with the Jersey Chamber of Commerce’s digital committee, I was asked a different question: “Why are we not where we need to be on cyber security?”. There are a number of reasons, but one reason is that without these regular shared examples of bad things happening on our doorstep, the relevance of cyber risk locally can be hard for us to appreciate.
As a result, over the last few months some of the responses I have had to security incidents or advice have included:
- Not being willing to share an incident because the company doesn’t want to open themselves up to criticism from their competitors – exactly the same reason their competitor in an office down the road gave for not sharing theirs a few weeks earlier.
- Not implementing a control improvement before the incident because ‘it may happen all the time, but it hasn’t happened here’, then not being willing to implement the same improvement after an incident because ‘lightning doesn’t strike twice’.
- Not training staff because ‘our control is to hire trustworthy and competent people’ and ‘most of our staff had security training at their previous employers so it’s not really an issue for us’.
- Not implementing two factor authentication for externally accessible portals contrary to the organisation’s own policies, because ‘its not in Jersey, it’s in the cloud – so it’s not network and not our risk’.
- Responding to an increase in the geopolitical threat with ‘well we beat off the French several times, so I’m sure we can beat off the Russians’!
It takes an island to secure an island
Of course, I’ve also seen some many great examples of organisations taking these issues seriously and going above and beyond to make sure they, their staff and their customers are secure. But we do have an issue; it takes an island to secure an island, and as long as we don’t acknowledge that bad things can happen in Jersey, some organisations will struggle to understand that they need to take action. Those charged with security within those organisations will find it hard to get buy in and support.
The long term solution is to develop a culture where people feel confident sharing information on cyber attacks and (where it is responsible to do so) vulnerabilities. CERT.JE can play a role by being a trusted third party: we will advise, support, and forewarn, but we won’t share who something happened to in any way you can be identified – that’s your choice.
In the meantime, we need to help others understand that bad things do happen, that they happen here, and that they happen to us.
To address this issue, over the next few weeks CERT.JE will be publishing key stats from threat intelligence we handled in just one 24 hour period.
It’s a difficult balance because that means sharing some information on compromises that actually happened, as well as indicating those that could.
But if all cyber security is local, then all good cyber security begins at home.
Follow CERT.JE on LinkedIn, Twitter, Facebook or Instagram to find out more.
Main image from the Checkpoint Threat Map.