(Special thanks to Colin McKinty of BAE Systems for his time and insights; please be sure to read our previous Cyber Security Chicago installments with David Juniper, Marcin Kleczynski, Sandra Fathi and Joe Rogalski)
One of the best strategies that nonprofits and social enterprise organizations can implement in taking cybersecurity measures is determining their overall value. Determining that value can be complicated, yet the increasing impact of cybercrime on organizations requires a greater investment of time and effort. Our coverage of Cyber Security Chicago closes with a conversation with Colin McKinty of BAE Systems about how organizations assess risk...and the steps that mission-driven organizations can take to reduce those risks.
Cyber threats to organizations have evolved over the years, and their complexity and intricacy often make it difficult to determine an appropriate defense. Initially, cyberattacks were opportunistic and driven by individuals in the moment. Over time, cyberattacks became more planned, driven either by individuals or small groups, and evolved into organized efforts by teams for hire. Eventually, hackers and funded campaigns led to very tailored cyberattacks with a specific focus and goal. (The Bangladeshi bank heist is a great recent example of cybercrime.)
In talking with Colin McKinty, one key lesson for nonprofits and mission-driven organizations is to examine the people and processes within their organization as well as the technology. Although there are numerous software packages and other tools that can protect an organization's network against attack, securing and hiring the right people can also be critical. (Not just in the sense of avoiding the obvious glitches like sharing passwords, but also ensuring that the right person is using the right tool; it can often be easier to justify a technology spend than a spend to invest in people and processes.)
But as stated at the beginning of this post, Colin McKinty asserted that every organization needs to start crafting its cybersecurity strategy with an awareness of its value. For nonprofits and mission-driven organizations, their value is found in the tools, resources, and individuals needed to fulfill their mission. Those resources can include their intellectual property, their data and customer records, and internal infrastructure. (An example would be manufacturing - internally, a manufacturer needs raw materials, special tools, and other items that would be considered valuable and capable of being attacked.)
As stated in our previous Cyber Security Chicago posts, a risk assessment determining the potential risks and the capacity to handle them is required. Analysis of these factors can drive decision making and determine whether an organization can live with a given risk...or needs to develop processes to handle it. (Establishing a "business case" for handling cybersecurity risks can have an influence on higher-level executives.)
One area of focus for organizations when handling cybersecurity is building on the foundations of security. Although there may be internal excitement about dealing with cyberattacks through technology, often the policies and processes of an organization get overlooked. Email can serve as a great foundational example since it serves as a conduit for many kinds of cyberattacks (including spearphishing). Examining user protocol, the technology already in place, and organizational policies can lead to greater opportunities to enhance internal security. In addition, people can often serve as advocates for greater security, especially by focusing on building stronger internal resources to handle changes in both technology and process.
But most important, given the increasing emphasis on cybersecurity, is the idea of building a community of cybersecurity advocates. Nonprofits, social enterprises, and other mission-driven organizations have community-building as part of their approach and should be liaising with other like-minded organizations around cybersecurity. Greater efforts to build networks around data, network, and other forms of cybersecurity allow security to become a common language between organizations.
With greater efforts to build a community around cybersecurity (including Cyber Security Chicago), the importance of securing data and other critical information in the digital age cannot be overestimated. This is a trend that is continuing to grow...and I'm glad to have been able to cover these issues for the blog.
And as always, thanks for reading!