People or Tech – What is Most Important in the Defence Against Cyber Attacks?

Albania, Azerbaijan, Bosnia-Herzegovina, Kazakhstan, Kyrgyzstan, Macedonia, Montenegro, and Serbia – all countries Inzpire has trained in Cyber Security and Resilience.

So this month’s European Cyber Security Month means more to us than perhaps many other companies – we feel like we have had a hand in practically contributing to it, by putting people – not tech – front and centre.

Inzpire’s background in military Defensive Cyber Operations and strong credentials in training recently put us in a great position to offer our services to the Ministry of Defence when the Wider European Policy unit was looking for a partner to help strengthen cyber security and resilience in Europe and Central Asia. Hence our Cyber Lead, Graham Basnett, and I found ourselves in Shrivenham earlier this year training senior military personnel, deputy ministers and ministerial advisers from across these regions. Covering huge amounts of ground, we were able to take UK best practice from the military and the National Cyber Security Centre and impart methods and lessons that the UK in general and the MoD specifically have learned over the last decade or so.

We feel that the fact that we have actually walked this path whilst serving puts us in a really strong position to advise and support other nations when rallying and organising their cyber defences. Whilst serving, Inzpire’s cyber SMEs were part of setting up both RAF Air Command’s Cyber Strategy and indeed the implementation of the programme to realise it. In doing so we learned some painful lessons; it is great to be able to save allies in similar circumstances some time and effort, allowing them to improve their defences more quickly and efficiently. It seems appropriate to use a quote from a fellow European at this point:

“Only a fool learns from his own mistakes. The wise man learns from the mistakes of others.” – Otto von Bismarck

Cyber threats are one of those dangers that we all know are out there, but are one of the easiest threats to diminish or ignore, because until they strike we can persuade ourselves personally and institutionally that some of the small steps we have taken are adequate. The constant warnings of what may happen begin to get easy to ignore. Those in this field, however, understand that the most severe and meaningful attacks may never be detected with weak defences and that the most damaging will never be used until our adversaries really need them to. There is no practice, there is no dress rehearsal. The intangibility of cyber threats makes it difficult to argue for potential defences when decisions on funding allocation are being made at the higher levels of any organisation. This difficulty in recognising threat – and providing resources for defences – is exacerbated by the paralysis of choice when it comes to defence solutions. No-one has the resources to provide perfect cyber defence for their whole organisation, therefore a compromise between cost and security needs to be made. In order to make the best of these compromises an organisation needs to understand what its critical information requirements are, and how information is stored and moved around its systems. Many organisations make the mistake of not looking at the whole of the ‘Confidentiality, Integrity, Availability’ (CIA) triangle. GDPR has focussed many organisations’ attention on data loss prevention (confidentiality) without considering how a loss of data integrity or availability would affect their organisation. Increasing data confidentiality is likely to put data availability at increased risk. Only by fully understanding and analysing the problems can you come to the best possible solution for each individual organisation.

Image: MoD Crown Copyright 2014

To penetrate this complexity, Inzpire absolutely supports the view advocated by the UK’s National Cyber Security Centre (NCSC), whose latest guidance is that:

“Instead of throwing money at the shiniest new security package to integrate or bolt on to your organisation” you should focus on “implementation of cybersecurity risk management” and “making people the strongest link” (taken from an interview with Dr Ian Levy, NCSC. The full interview can be found here).

The NCSC have shown over the past year that “relatively simple, small-scale interventions can have a disproportionately large effect” on Cyber Security (Dr Ian Levy, originally quoted here). This not only chimes with Inzpire’s experience in UK governmental institutions, it also works with the realities that most of our delegates share, which is that improvement is demanded against the backdrop of very real resource constraints. So our training not only provides partner nations with shortcuts to effective measures, it concentrates on people. We subscribe to the widely acknowledged view that around 80% of Cyber-attacks can be prevented by the proper training of people alone, so the answer is not more and more complex tech. Hence we provide training, steeped in real experience from the top of organisations to the bottom. Be it a masterclass for the senior decision makers to give them an understanding of threats and measures to take, or an upskilling of cyber professionals or indeed a basic level of awareness to the wider organisation, Inzpire’s training gives meaningful protection and resilience.

All our delegates from partner nations have independently rated our training as excellent across the board. But perhaps best of all, in the examples I have used of our European and Central Asian delegates, they also showed huge kindness and appreciation for the help and guidance we provided to them – hence I am now the proud owner of a vaguely terrifying looking bottle of Kyrgyzstani spirits. So I wish you ‘Ден соолугубуз үчүн!’ (Pronounced ‘Den soolugubuz üchün!’) or Cheers!

