By Professor Sir Anthony Finkelstein
10 MORE Risks (or Another Sleepless Night?)
It is 8 o’clock and you should have already gone home, but here you are, reading a security blog. You have missed bedtime, disrupted dinner … you are a bad parent, a poor partner, an irresponsible cat-owner … whichever.
You have an important role and there is a lot to worry about: a major ERP project that is drifting out of control, the expectation that you will deliver business analytics off the back of a data estate that is in bad need of being sorted out, the constant risk of losing your key digital talent, cyber intrusions and data breaches, a soaring cloud compute bill, the list goes on. You are responsible for a large part of your Board’s risk register – most of it amber, quite a bit red – not least security.
The very last thing you need is more things to worry about … and yet here we are: 10 MORE risks.
- Supply chain vulnerability. Your supply chains are becoming ever more complex. Not simply the supply chains that relate to your organisation’s products, or the services that you provide, but also the supply chains that underpin your capabilities: core IT, logistics, estate, facilities, energy, the list goes on. Furthermore, these supply chains are bound to yours digitally. It is almost impossible to map the dependencies and the resultant vulnerability they introduce.
- Geopolitics of technology. You operate a global business, with distributed supply and customer bases. Increasingly however, you are exposed to the geopolitics of technology: where is your data, where do your key suppliers operate from, what standards do you adhere to and who is making them? Sanctions, technology embargoes and dual-use risks increasingly impinge on your choices and drive up your risk.
- Disrupted data economy. Data confers business advantage, and building a data position is increasingly the goal of most businesses. Large platforms harvest significant data by a range of means that exploit asymmetries in knowledge, and gatekeeper positions in important networks. There is, however, a growing reaction – regulatory and technological. This includes privacy tech and new architectural models. Data dominance may no longer be a sustainable business strategy.
- Changing adversaries. Hitherto the principal cyber-security adversaries have been foolishness – the unencrypted data stick, the spreadsheet mailed to a home address, a click on a phishing email, test data exposed on a dev site – and low-grade criminality with a side-helping of maliciousness. There is however a fast-growing risk from high-end adversaries (nation-state or state-supported). Private businesses, aside from being wealthy targets, are increasingly recognised as critical to national resilience and security, broadly construed. You are an explicit target, or a potential victim of the spill-over effect of technology you have in common with other targets.
- Technological fragility. Your increasing use of AI and ML is driving business advantage but it is fragile. Small errors in training or exposure to adversarial input can result in problems that are very difficult to observe and impossible to unpick. The more you drive these systems into business-critical functions the higher the risk.
- Social engineering. Exploiting weaknesses in employees through social engineering is a fundamental vector both of security risk and of straightforward scamming, from tailgating at an entrance to responding to a ‘friendly’ approach that is anything but. Whilst this might appear to be old news, the combination of much improved behavioural insight and enhanced target intelligence obtained from social media has led to a fused social engineering and technical threat.
- Technical tradecraft. Whilst increasing attention is paid to information technology and even to the ‘edge’ – sensing, embedded systems, connected equipment and so on – the threat of technical intelligence, gathered through audio, video, the electromagnetic environment and other modalities, is, in many organisations, a blind spot. These vulnerabilities have increased with widely available, high-spec, low-cost devices.
- Open source exposure. Many organisations have placed open source components in the core of their infrastructure, either deliberately or integrated within other systems. The benefits for security of a code base that is open to scrutiny are well established. Many of the contributors to that code are, however, unknown and their motivations not explicit. The ability to scrutinise code does not always mean that the system has actually been the subject of scrutiny.
- Security infrastructure. A more rigorous approach to trust, access and identity is increasingly the hallmark of many organisations adopting an uprated approach to their security. This makes sense, but this new infrastructure presents an important opportunity to a capable adversary. Compromising this layer of organisational protection provides a powerful means of undermining the entire security posture of that organisation.
- Knowledge gaps. With the growing complexity of security and the rapid concurrent changes in technology, targets and threats, the ability to stay on top of the risks is beyond all but the most capable of organisations. It is possible to outsource these risks to a consultant or a vendor to a limited extent, but security is bound into the texture of the business and its operational model, and it is difficult to externalise this aspect of risk. Thus closing the knowledge gap is critical.
So, go home. You need the rest. GALLOS is thinking about all of this, and more.
Author: Professor Sir Anthony Finkelstein