Every business sets out to make money or provide a specific service. There is always a particular objective that the business entity wants to achieve. However, in pursuing that mission, it takes on certain risks, and one of them is cyber risk.
As the Chief Security Officer of Moniepoint, my responsibilities revolve around doing things that enable the business to innovate. My job is to ensure that, as much as possible, I reduce the risk of cyber-attacks. My goal is to reduce the risk of data breaches and anything that can happen to the organisation from a cyber perspective. This also ensures that the business can concentrate on, and achieve, its objective.
Over time, the cyber practice mindset has changed. Initially, we concentrated on preventing hackers, financial fraud, etc. But we’ve come to understand and believe that these things will likely happen no matter what you do. So, we now have a new mindset – cyber resilience.
Cyber resilience implies that business operations continue unabated even if you get hacked. So, assuming we get hacked today and are busy running around, the customers should be able to go about their business without worrying about the disruption. As you can see, the focus has shifted from just looking at chasing the hacker to ensuring business continuity and resilience.
These were previously treated as separate components – confidentiality, integrity, and availability. But we’ve now brought them together under business resilience.
The basic tenets of all that we do are to identify risks and cyber-attacks as quickly as possible and to protect the organisation by responding to those attacks. We need to respond to those threats, and where a threat materialises, we must recover as quickly as possible. All of those things put together are what I do. But from the business perspective, the business must be resilient to all of them.
If a customer wants a bank account, the bank takes their name, email address, national identity number, and other important personal information. So let’s say your first name is Paul or James. You’re just one of the people with such a first name. Even if the bank adds your surname, others might still have that name. So, your name is not unique to you.
But when the bank adds your name to your email address and, to an extent, your date of birth, it points to you. All of this information, which identifies you as a person, is called Personally Identifiable Information (PII).
If this bank were hacked and the attackers got access to this information, they could use it to create another bank account somewhere else and do things in your name. This is a concept called identity theft.
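A way to check which combinations of stored attributes actually single out a customer, as an added example that is not part of the original post. The records are constructed (not real people) and the functions are hypothetical; the check is the one a data-protection review would run before deciding which fields to keep.

```python
from collections import Counter
from itertools import combinations

# Constructed sample customer records (not real people). The point from the
# post: a first name alone is shared by many, first+surname may still collide,
# and only some combinations narrow a record down to one person.
RECORDS = [
    {"first": "Paul", "last": "Mensah", "email": "paul.m@example.com", "dob": "1990-04-12"},
    {"first": "Paul", "last": "Mensah", "email": "pmensah@example.net", "dob": "1985-11-03"},
    {"first": "Paul", "last": "Owusu", "email": "p.owusu@example.com", "dob": "1990-04-12"},
    {"first": "James", "last": "Mensah", "email": "james.m@example.com", "dob": "1992-07-21"},
    {"first": "James", "last": "Boateng", "email": "jb@example.org", "dob": "1988-01-30"},
]

def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def min_group_size(records, fields):
    """Smallest group size: 1 means at least one record is uniquely identifiable."""
    return min(group_sizes(records, fields).values())

def identifying_combinations(records, fields, max_size=None):
    """Return every subset of fields (up to max_size) under which every record
    is unique, i.e. the subset works as an identifier for all customers."""
    max_size = max_size or len(fields)
    found = []
    for n in range(1, max_size + 1):
        for combo in combinations(fields, n):
            if max(group_sizes(records, combo).values()) == 1:
                found.append(combo)
    return found

def minimal_identifiers(records, fields):
    """Keep only identifying combinations that contain no smaller identifying
    combination: the least data you would have to hold to pick someone out."""
    all_ids = identifying_combinations(records, fields)
    return [c for c in all_ids if not any(set(o) < set(c) for o in all_ids)]

if __name__ == "__main__":
    fields = ["first", "last", "email", "dob"]
    print("largest group sharing a first name:", max(group_sizes(RECORDS, ["first"]).values()))
    print("largest group sharing first+last:", max(group_sizes(RECORDS, ["first", "last"]).values()))
    print("minimal identifying field sets:", minimal_identifiers(RECORDS, fields))
```

Any field set that comes back from `minimal_identifiers` is PII in its own right, so a breach of just those columns is enough for the identity-theft scenario above.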
Apart from protecting its own information assets, a business must also protect the information it collects from customers. Beyond our own use, that information can be used for other things that could put customers at risk. So while we protect our business and try not to lose money, we also want to prevent data breaches, because those breaches lead to other things that affect our customers.
If you think about data protection, one principle stands out: if you don’t need certain information, don’t take it from your customers. Once you take all this information, you create a point of interest for attackers and put your customers at risk. So, if you don’t need this kind of information, don’t take it.
However, most of this information is useful and helps you give an excellent experience to your customers. If you have the person’s picture, signature, identity number, geo-location, device ID, etc., you can give your customers a smoother experience. Because of all the information you hold about them, you can decide they don’t need to use a password. It becomes easier for people to use such a product or service.
Likewise, if we connect to other entities and take in information about our customers, we can make intelligent decisions about credit. So, a customer may receive an automated credit offer based on their spending pattern. For example: “Dear customer, you qualify for a GH¢15,000 pre-approved loan. Press 1 to accept”. The customer gets access to credit without even asking – just like that. This gives one a good experience.
But what happens to all this gathered information if there is a data breach? You can sometimes refuse to collect certain information. However, that would mean restricting the kind of experience your customers could enjoy. To give your customers the best experience, you must increase the security of the data you are collecting.
As a company, you must understand what a bad day looks like for you. If you woke up today and something terrible happened, what would that look like?
If your services are wiped and your customers can’t connect to anything, that’s a bad day for you. It could also be a bad day for you if there are riots and your data centre is set on fire. So, you need to know what a bad day looks like and understand its impact on your business.
You also need to identify what treasure you have that someone would want. We build many business models based on the data we’ve collected from our customers. Since we’re building and expanding our business on that data, that data is a treasure for us.
Once you know what that treasure is for you and your business, you must identify your information assets. This means identifying the kind of information you are holding. This includes customer information, staff information, customer balances, etc. Knowing your information assets lets you know their importance to your existence as a business.
Let’s use a case scenario of a crisis happening somewhere. We must consider how it would affect our business in such a case. A riot may affect customers, but the company itself may not be affected because we are in the cloud. But suppose we had the data centre in the middle of the area where the riot was happening and there was a power disruption: our customers would be disrupted, and we would have to start thinking about protecting against that risk.
You always have to identify your assets and analyse their business impact. If this happens, how does it affect my business? Once you know how much it affects your business, that’s when you know the effort you need to put into protecting those assets.
After doing a business impact analysis, the next step is to develop measures to protect those assets. Let’s say you have a savings box and want to save US$1. Would you buy a thousand-dollar padlock to lock up a one-dollar asset? No, that’s overkill! So, think about it from that point of view and determine how much resources you need to put into protecting this asset.
Businesses can ensure they reduce data breaches by implementing specific things like:
To prevent data breaches, you also need to:
In summary, I want to differentiate between cyber-security and cyber resilience for those who may still conflate the two concepts. Cyber-security concerns itself with protecting assets. Cyber resilience, on the other hand, entails safeguarding the assets and ensuring that the business resumes operation as quickly as possible, or guaranteeing that the company isn’t affected at all where possible.
Organisations should start thinking about cyber resilience as opposed to just regular cyber-security. At the end of the day, security is ensuring that the business still exists after an attack.