The climate change conference, COP26, was hailed as being a chance to truly address urgent climate change matters such as fossil fuel use. Some of the areas of the climate debate discussed at COP26 are not only of vital importance to humankind, but also have an interesting overlap with cybersecurity issues of today.
Here is a discussion looking at how five key climate debate areas can help organisations handle cybersecurity more effectively.
The climate debate and cybersecurity
Accenture recorded a tripling of cyber-attacks in the first half of 2021: ransomware and credential theft being the top two threats. Managing the ever-increasing volumes of sophisticated, and often complex multi-step cyber-attacks, is challenging.
A sound cybersecurity strategy is a good place to start overcoming the hurdles of cybersecurity attack mitigation; so being able to turn to other disciplines to look at how they manage complex issues is helpful. The climate change debate offers five key areas that provide much-needed insights to help form a robust cybersecurity strategy. Whilst climate change may seem distinct from cybersecurity, the underlying ethos and approach provide a different angle in how to handle complex, continuously changing, cyber-threats:
Issue one: biodiversity
World-renowned biologist, E.O. Wilson said on diversity:
“In ecosystems, we speak of the same thing – of a balanced portfolio – when it comes to the diversity of species that exists in an ecosystem, and the flexibility of that ecosystem. A parallel that fits a broad model of what keeps a system healthy, growing, and resistant to change.”
The climate change debate recognises that biodiversity, i.e., having a broad range of species living on the planet, is a vital part of a healthy ecosystem.
This idea of diversity and a “balanced portfolio” also applies in a cybersecurity context. A cybersecurity strategy should make use of a diverse set of security solutions and measures to stem the tidal wave of cyber-attacks. This multi-layered approach to security is reflected in many security frameworks, including the NIST Cyber Security Framework. These frameworks recommend using a variety of security tools and measures that are applied as layers balanced across an enterprise’s IT network, devices, and people. However, setting these measures in place and keeping them up to date as the security landscape changes can be a challenge. Various solutions exist to help in this endeavour including Security Operation Centres (SOC) that handle security on behalf of an organisation and the use of deep security (as-a-Service) to build the layers of security required to manage the diverse cybersecurity landscape.
Issue two: sustainability
The United Nations states that ”The links between climate change and sustainable development are strong.” Sustainability is also something that has repercussions in preventing cybersecurity incidents.
A cybersecurity strategy cannot afford to take a ‘short term gain’ view without an understanding that this is likely to lead to ‘long term pain’. Security strategies must be resilient to change as cybercriminals continuously evolve tactics and techniques to evade security measures.
Cybercriminals use this holistic approach to attack enterprise systems, manipulating staff via phishing and social engineering, so any sustainable push back against cyber-threats must recognise this changeability. It is of fundamental importance to develop a security approach that covers a 360-degree view of your business operations and people. The key to sustainable security is to ensure that any solutions used to mitigate cyber-attacks are continuously updated and modified to fit the changing cybersecurity climate.
Issue three: carbon and land management
The Royal Society Intergovernmental Panel on Climate Change (IPCC) points out that “sustainable land management has a vital role to play in tackling climate change and adapting to its impacts”. To achieve this, visibility of terrestrial ecosystems, including forests and grasslands, is a must.
The visibility of your IT ecosystem is a parallel with this aspect of the climate change debate. Visibility of your corporate IT assets, employee devices, and data, is necessary to ensure that you can classify those assets. This classification then provides the basis for enforcing appropriate, risk-based, cybersecurity measures.
Issue four: adaptation
According to The United Nations, adaptation in the context of climate change refers to “changes in processes, practices, and structures to moderate potential damages or to benefit from opportunities associated with climate change”.
The ability to be adaptive in a fluid cybersecurity landscape is an important way to take on the challenge of this evolving threat-scape. This adaptability must be incorporated into any cybersecurity framework and layered security approach. Any measures that are used to mitigate security threats and associated technologies, should be adaptive to handle changes in threat tactics and techniques used to otherwise evade detection. Examples include:
- Security awareness training: training should be carried out regularly to keep employees up to date with changes in social engineering techniques and phishing tactics
- Smart security tools: solutions such as anti-malware, UEBA (User and Entity Behaviour Analytics), and email security gateways, all can potentially utilise machine learning. These intelligent technologies provide for adaptive learning to respond to new threats such as zero-day vulnerabilities and to spot unusual behaviour that signals a potential cyber-attack.
Issue five: climate change risk assessment
In England, the Climate Change Committee (CCC) looks at various factors that impact the risk levels of climate change across the UK and the globe. The CCC provisions risk assessment covering 61 risks and opportunities from any climate change impact; these risks include those affecting “business, infrastructure, housing, the natural environment, our health and risks from the impacts of climate change internationally.”
Risk assessments are a fundamental part of an organisation’s cybersecurity strategy. A cybersecurity risk assessment is a process that evaluates the overall risk to an organisation from cyber-threats. The process also identifies risk areas and analyses these threats. The information generated from the risk assessment allows an organisation to establish baseline protection against these risk areas, based on risk-levels. Privacy is also an area that can benefit from risk assessment. In the context of privacy, a Data Privacy Impact Assessment (DPIA) identifies and minimises the risks associated with the processing of personal data. Both processes help establish and maintain the regulatory compliance of an organisation.
Adaptation and the changing climate of cybersecurity
Climate change is a complicated situation with the world working to minimise the impact, by applying decisions and strategies based on key areas of understanding. These same principles that are leading the climate debate, such as adaptation, diversity, and risk assessments, also have a key role to play in cybersecurity threat mitigation. By being adaptive to continuous cybersecurity challenges a business is more likely to survive the onslaught of cyber-attacks.
Find Out More
Email: firstname.lastname@example.org Phone: +353 818 229 239