Business Analysis and Cybersecurity: What is the link?

Bindu Channaveerappa

What comes to your mind when you see or hear the word “cybersecurity”?

When asked this question, a compliance team member might say, "it's about compliance with cybersecurity laws, like privacy". Somebody working in an IT team might say, "it is about securing the network or firewalls"; a system architect may say, "it is about securing the data and systems". And most business teams would say, "it's technical in nature, and hence the IT or cybersecurity team is responsible". If you were a business analyst, what would you say? Before you continue reading further, take a moment to ponder… what does cybersecurity mean to you?

In these articles, I’ll describe why cybersecurity should be an intrinsic part of business analysis and what BAs can do to address this mammoth problem. In this first part, I’ll outline the root cause of the problem by taking a look at a few cyber incidents, and in later editions we'll focus on the solution.

Cybersecurity Is About More Than Just IT

A few years back, I would have said the same as the business teams: cybersecurity is the responsibility of the IT or the security teams, and I do not have to bother about it. And as a BA, eliciting and documenting my project's non-functional requirements was all I had to do with it until a personal experience fundamentally changed my perspective on cybersecurity.

I was working on a customer subscription product some time back, and the data available for the subscription was the organisation's intellectual property. I was assigned to work on an enhancement which was at the bottom of the team’s backlog. Note that the change was not seen as a business priority at all, which is why it was at the very bottom of the backlog.

It was brought to my attention that the business and technical teams had already devised a solution for that problem, but it was not yet implemented because there were other items on the backlog that had a higher priority. So, as a good BA, I started to analyse the problem to get to the root cause of the issue and had conversations with the business, development and operations teams. The result of my analysis was shocking, as the root cause of the problem was a data breach. Even more startling was that the breach did not happen once but multiple times, and the operational reports showed discrepancies due to the heavy data downloads, yet nobody took notice and acted.

Just imagine what would have happened if all of the data had been downloaded and subsequently made freely available on the internet. What would be the impact on the organisation’s customers, and most important of all, what would have happened to the organisation's reputation? Wouldn't the organisation cease to exist? The crucial question I had was, why wasn't this a business priority?

Get It Wrong, And The Impact Is Significant

This is by no means an isolated incident. Let me share another couple of high-profile incidents.

One notable incident reportedly took place in HMRC's child benefit department in 2007. It was reported that all the child benefit data (including personal details of the children who were getting the benefit and their parents' personal and bank details) were copied onto password-protected but unencrypted CDs and posted to the National Audit Office through an unsecured and untracked channel. Some say that the CDs reached their destination, and some say they were lost in transit, but nobody knows for sure. This incident has been reported differently by different sources, but I want to bring your attention to some potential causes for this breach:

● Failure to separate the crucial/sensitive data

● Failure to encrypt the data

● Failure to convey the data in a secure and trackable way

Reports from the time suggest that the person who copied the data and posted the CDs was unaware of the risks and was only following the instructions given by their seniors. This incident took place in 2007, and clearly, we don't use CDs to transfer data anymore. We have made a lot of progress in terms of technology and ring-fenced data with legal regulations. But what about the "security mindset"? Have we made any progress? Let's consider a second incident that occurred nearly a decade later.

TalkTalk is an internet data provider. In 2009, TalkTalk acquired another company called Tiscali. As part of the acquisition, it is safe to assume that Tiscali's systems, processes, employees and customers were merged into TalkTalk. It appears that, along with the systems, Tiscali's system vulnerabilities were onboarded too. Later, in 2015, TalkTalk's database was compromised multiple times, and customers' personal and financial data were compromised.

In essence, TalkTalk suffered a significant and sustained cyber attack involving a ransom demand. At the beginning, TalkTalk suspected that the records of up to 4 million customers had been compromised, and reports from the time suggest that TalkTalk did not have sufficient monitoring in place to know that breaches were taking place. Later on, the ICO (Information Commissioner's Office) confirmed that the attack saw the personal details of 156,959 customers accessed, including the bank account number and sort code of 15,656 customers. As a result, TalkTalk incurred damages of up to 40 million pounds, lost 101,000 customers, and the ICO imposed a £400,000 fine. The shocking fact was that the Metropolitan Police confirmed the arrest of five people ranging in age from 15 to 20 in connection with this breach. Once again, here I would like to bring your attention to the following potential causes for the failure:

● Failure to remove the vulnerable webpages

● Failure to apply a patch that had been available three-and-a-half years before the attack

● Failure to undertake proactive monitoring activities to discover vulnerabilities

● Failure to implement the defence for a common type of attack

Like HMRC and TalkTalk, many more reputable organisations have become the victims of cybersecurity breaches. They had ticked all the security obligations. They had security frameworks implemented or were accredited to one or other security standard. They had legal and regulatory teams who complied with the laws. They had a dedicated cybersecurity team in place, and despite all boxes being ticked, they were not secure.

We can see from the above incidents that the underlying cause is usually a lack of awareness or not having a security mindset. Research has repeatedly shown that most cybersecurity incidents are due to a lack of awareness, and "people" are the weakest link.

Why is this the case? Why are organisations (people) not aware of cybersecurity? What are we missing here? We’ll look at that in the next part of the article, in the next edition.

References

BBC (2007), ‘UK's families put on fraud alert’, BBC Online News. Available at: http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm

BBC (2015), ‘TalkTalk hack 'affected 157,000 customers'’, BBC Online News. Available at: https://www.bbc.co.uk/news/business-34743185

Guardian (2015), ‘TalkTalk cyber-attack: company has received 'ransom demand'’, Guardian Online. Available at: https://www.theguardian.com/business/2015/oct/23/talktalk-cyber-attack-company-has-received-ransom-demand

Guardian (2016), ‘TalkTalk hit with record £400k fine over cyber-attack’, Guardian Online. Available at: https://www.theguardian.com/business/2016/oct/05/talktalk-hit-with-record-400k-fine-over-cyber-attack

Information Commissioner’s Office (ICO), ‘TalkTalk cyber attack – how the ICO’s investigation unfolded’, ICO Website. Available at: https://ico.org.uk/about-the-ico/media-centre/talktalk-cyber-attack-how-the-ico-investigation-unfolded/

Reuters (2016), ‘TalkTalk lost more than 100,000 customers after cyber attack’, Reuters Website. Available at: https://www.reuters.com/article/uk-talktalk-tlcm-gp-results-idUKKCN0VB0I7

Tripwire Integrity Management (2015), ‘TalkTalk Investigates Breach that Might Have Exposed 4M Customers' Info’, Tripwire Online. Available at: https://www.tripwire.com/state-of-security/talktalk-investigates-breach-that-might-have-exposed-4m-customers-info

Wired (2015), ‘TalkTalk hack: fifth arrest is for blackmail’, Wired Website. Available at: https://www.wired.co.uk/article/talktalk-hack-fifth-arrest-is-for-blackmail
