This article was produced in partnership with Altus
Mia Wallace of Insurance Business UK sat down with Aaron Cain, cyber security consultant at Altus to discuss how technological upheavals are opening up new cyber risk exposures
His four decades of experience with consulting organisations from every conceivable industry on the risks that customers face have imparted Altus’s Aaron Cain with a keen understanding of the pitfalls and perils of information without insight, data without analytics and knowledge without accessibility.
As a cyber security consultant at Altus, Cain (pictured) sees first-hand how new areas of exposure are opening up for businesses all the time – and how the role of quality and accessible insights and advice has come into its own amid this tumultuous environment. The tendency with conversations around cyber, he said, is that they become very theoretical and people miss that cyber risk is not an abstract notion but something hardwired even into the physical infrastructure that makes up our workplaces.
“A big concern at the moment is having your infrastructure, in terms of your PCs, your accessible pieces etc internal,” he said. “You’ve got the boundary, you’ve got the shell, whether you're going to use Cloud or whether you're going to use something else – it's still marginally within your control. However, what has now opened up in terms of new exposures, very specifically, is the role of operational technology.”
Read more: Staggering 90% of cyber risk uninsured
To get a full view of the security exposures they face, he said, businesses need to tap into the threat posed by the interconnectivity resulting from the Internet of Things infrastructure of a modern-day office. He cited an example, where in the past he scanned an office he was working in to determine its exposures and found that everything from the copier to the coffee machine was digitally transmitting information to its manufacturer.
“What's happened is that what used to be a wall around the organisation has become a kind of mesh fishing net,” he said. “And isn’t even things as ludicrous as that, it’s simple things like the sensors that sit in a computer room that tell you whether or not you’re having a fire. They’re connected to the outside world to alert and talk to the fire department. But that connection runs through your network and the question becomes - is it properly segmented?”
Cain noted that the expansion of the operating environment of modern workplaces is a processing gap that then represents part of an attack vector where hackers can enter and do harm. And it’s a problem compounded by the changing nature of software as well. Back in the old monolithic days, he said, when he used to write software for IBM, everything he wrote was his and if he made an error, it was his error.
“Now, there's more and more software being developed under open source,” he said. “And with open source, you get a lot faster generation of software, but you also then inherit other people's problems. The Log4j is a classic example, it sat there for generations of software development and nobody really thought about it until somebody thought ‘hang on, I could exploit this’, only to find out that it's in enterprises, instances across the world.”
No company is an island because of the interconnectivity of supply vectors, he said, as they’re all using software services and other solutions, often without understanding the risk that goes with that.
COVID-19 and the wholesale move to working from home that took place across organisations from every sector, opened up new paradigms, he said, as the natural perimeter of workplaces became extended. But it’s not just remote working, Bring Your Own Device and dynamic workload management (i.e. Virtual Machines, Containerisation) have also extended that perimeter, which means that consideration has to be given to:
“COVID impacted to an extent because companies are now assuming somebody else’s problems,” he said. “The reason being that previously when you dialled into the office, you might have had VPN etc but it was a limited time thing and you knew you had to be careful… So, now you’ve basically got two things, number one, you assume other people’s hygiene. And there are a lot of employees out there who still think it’s the company’s responsibility to protect them from cyber risk, and nothing to do with them.”
But using a company device – whether that’s a laptop, a tablet or a mobile – while working from home means that employees need to be more aware of their cyber hygiene, and act responsibly. This means ensuring that the device security is kept up to date, he said, and ensuring that should the device be lost, stolen or destroyed – the corporate data that remains on it can be restored or wiped.
Going back to the idea that cyber risk needs to move out of the realm of the theoretical, he also highlighted the very physical cyber exposures that exist. These critical considerations include things as simple as where your PC screens are positioned, monitoring who has access to the interior and exterior of your building, and ensuring that WiFi extenders are secure.
“Moving to this paradigm, you inherit [these exposures],” he said. “Unfortunately, these are often not discussed when companies are providing policies, procedures, documentation, and employee training about cyber risk. Most of that documentation still assumes that we are an on-site monolithic company with everybody in the office all the time.”
Existing employee handbooks might discuss device security or VPNs, Cain said, but they need to move one step further – to emphasise a holistic perspective on what good cyber hygiene looks like for a remote or on-site worker.
It is in the provision of that broad, holistic overview of a business’s cyber risks and, perhaps more critically, of an accessible breakdown of how to mitigate those exposures where Altus really shines. He noted that it’s a common theme among some of the larger consultancies in the market that the reports they provide – while exceptional in terms of technical content – are being simplified without being made accessible.
Businesses are being charged extraordinary amounts of money for dense reports that they end up passing on to their cyber insurance provider, or in a worst-case scenario to the ICO, without ever reviewing them closely themselves. Also, he noted that the nature of how these reports are created – through intensive, technically worded question sets - also means that the recommendations they generate are sometimes not as accurate as they could be as the business in question doesn’t really understand what’s being asked much less how to answer it.
“Getting this information into a useable format is so important,” he said. “It comes back to the same thing the legal profession has gone through… What we’re doing is getting this information down to common, plain English – away from these acronym-strewn commentaries that make it quicker for us because it’s understandable internally but which don’t help the customer.
“That customer needs information, so policies need to take that next step forward and get away from that ‘this is what it said in the template package that I got for all my HR policies.’ Because are they fit for purpose? In this case, perhaps not.”
Having worked across a variety of consultancies, Cain has a lived experience of what true best practice looks like and he emphasised that he is very grateful to be working for Altus – with its two-decade strong emphasis on real-world programme delivery.
“They basically say that if you can’t put in a diagram then you haven’t simplified it enough,” he said. “Once you can get [that advisory report] to the point that will fit into that Altus programme delivery framework visual description then you’re there.”
One of the problems with standard reports is that these are broken down into three key levels. You have the board report, which is simplified. You have the technical report, which is comprehensive. And you have the justification report – which is essentially completely indecipherable to anybody who is not a cybersecurity expert. The justification report is one which gets given to the lawyers in the event of a breach, he said, to demonstrate what preventative actions have been taken.
“What Altus does is when we produce the package that goes to the customer, it is one seamless package,” he said. “The board can see as much or as little detail as they want. And the technical team see what the board is seeing and sees what's going on in their environment. It is an absolutely fantastic way to present information in an understandable and usable fashion.”
With over four decades of experience in multiple market verticals, Aaron Cain has worked to integrate and secure business critical information flows across technology stacks ranging from legacy systems to cloud computing.
During years of independent consulting assignments based in the UK and EU, Aaron has developed the ability to frame complex technical and security concepts in concise and clear business terminology. Leveraging his experience with banking, hedge fund and insurance clients, Aaron will be working within Altus to develop specialised cyber security solutions and programmes for the financial services marketplace.
