Chapter 3. Information Threats

Executive summary

All organizations possess information, or data, that is either critical or sensitive. This information is a substantial component of the organization’s intellectual capital. ‘Information is widely regarded as the lifeblood of modern business.’[5] 87% of businesses now identify themselves as ‘highly dependent’ on electronic information and the systems that process it. This information faces a range of threats, some simple, some complex, and all with the potential to significantly damage an organization.

Threats

Threats in the digital world, as in the analogue one, originate with people. These people fall into five groups:

  • Criminals (thieves, fraudsters, organized crime),

  • Malefactors (hackers, vandals, terrorists, cyber-warriors, some ex-employees and other disgruntled or vengeful individuals),

  • Spies (commercial and governmental),

  • Undesirables (scam artists, spammers, ‘ethical’ hackers and nerds), and

  • The incompetent, or the simply unaware (staff, contractors, customers and other third parties).

From an organizational perspective, these people are found both inside and outside the organization (the balance overall is probably 50:50). There are a substantial number of people in each category and, because of the nature of the information economy, they are able to exert an influence out of proportion to their numbers.

The digital threats, and the type of attacks that express them, have the same sort of objectives as they do in the analogue world, but because of the nature of computers, digital data and the Internet, their characteristics are different. These characteristics, as identified by Bruce Schneier[6], are:

  • Automation: computers automate mundane tasks; illegal or destructive activity with which someone would struggle to cost-effectively achieve critical mass in the analogue world can be automated. Computers make Denial of Service attacks and large scale junk mail possible, just as they enable 100% surveillance of the Internet communications traffic of any individual or organization.

  • Data collection: digital data requires less storage space than the equivalent analogue information and can be more quickly harvested, stored and mined. What can be done will (often) be done and, as a result, massive databases of personal and commercial data now exist all over the world. They make spamming, surveillance and identity theft that much easier.

  • Action at a distance: in cyberspace, the bad guys are just a mouse click away; the criminal who is targeting your network may be based in Chechnya, Moldavia or on a Pacific island. He will be just as effective, quick and silent as a criminal down the road, far harder to trace and arrest than his analogue equivalent, and financially more successful.

  • Propagation: the Web enables ideas, skills and digital tools to be shared around the world within hours. It also enables techniques to be widely replicated and a vast array of computers to be linked into any one attack.

Attack categories

The types of attacks that occur in cyberspace are:

  • Criminal attacks (fraud, theft and grand larceny, identity theft, hacking, extortion, phishing, IPR and copyright theft, piracy, brand theft, ‘spoofing’)

  • Destructive attacks (cyber-terrorism, hackers, ex-employees, vengeful individuals, cyber war, cyber-vandals, anarchists, viruses)

  • Nerd attacks (Denial of Service attacks, publicity hounds, adware)

  • Espionage attacks (data and IPR theft, spyware)

These attacks affect businesses indiscriminately. Well-understood software flaws (called ‘vulnerabilities’, by both the ‘ethical’ and unethical sides of the hacking industry) are widely distributed through an increasingly always-on Internet of ill-defended computers. Individual businesses are rarely directly or individually targeted in an attack (unless they have very substantial assets or some other significant value to the attacker), but they are nevertheless at risk in an environment where automation, action at a distance and propagation enable an attacker to successfully target a very large number of smaller fish. Why target one computer when you can target them all?

Malefactors know that the majority of smaller businesses have inadequate cyber-protection and they exploit this, for instance commandeering large numbers of unprotected computers in huge zombie networks, to mount large scale attacks on targets, usually for purposes of extortion, and to distribute floods of spam. Defences need to be proportionate.

Large businesses and public sector organizations, who have significant assets to protect or who make attractive, high-profile targets, are directly threatened. Their networks are more extensive and more complex, and the quantity and diversity of people and organizations involved with them so great, that they have to be very systematic in identifying and responding to the more significant threats they face.

ISO 27001

The standard provides guidance on identifying and assessing threats. Not all threats are likely to occur and, for those that are, it is essential to have appropriate defences in place.



[5] Information Security Breaches Survey 2004, from the UK’s Department of Trade and Industry

[6] Secrets and Lies: Digital Security in a Networked World – Bruce Schneier, 2004
