WILLIAMS RACING CASE STUDY
Williams is a leading Formula One team and advanced engineering company. Formed in 1977 by Sir Frank Williams and Sir Patrick Head, the team has secured 16 FIA Formula One World Championship titles since its foundation.
Over the last two years of our technical partnership, Thales has worked with Williams on analysing both the technical and human elements of cyber security and delivering recommendations to remedy any vulnerabilities.
A consulting led approach allowed us to understand how the business works and therefore what the appropriate solutions are. No two businesses are alike, therefore no two cyber-security approaches should be the same. The best security solutions are the ones that make it easy to work securely and difficult to work insecurely – you can only build these if you understand how the company works.
Analysing the sociotechnical (interaction between humans and technology) elements of cyber security enabled us to determine a holistic view of the business and where potential vulnerabilities existed. The three primary ways we conducted this analysis was: conducting a cyber ‘health’ check, utilising a Cyber Human Error Assessment Tool (CHEAT®) and Phishing campaign.
Addressing the human factors in Cyber Security
The human element, or insider threat, has been identified as a contributory factor in over 60% of cyber security incidents. Insider threats can be malicious attacks, but the majority tend to be unintentional human errors such as inadvertently installing malware, trusting the wrong person or website, or even a lack of awareness surrounding physical space. You can think of this more in a case of trust – are you a generally trusting and friendly work environment that allows someone to tail-gate into your building? Do you challenge strangers to produce ID, or just assume they work there and don’t like to be seen as being unfriendly?
For our work with Williams, we employed the use of Thales’s Cyber Human Error Assessment Tool - designed to capture and mitigate the human element of cyber security. Specifically, we followed a four staged approach:
> Planning stage where we scoped the assessment and identified stakeholders for data collection
> Data collection where we interviewed personnel in specified roles, and disseminated a questionnaire
> Triangulate the data where we combined the data from different sources (an automated process) and analysed the results
> Report where we presented the findings as prioritised risks and associated mitigating recommendations, highlighting quick wins.
We then discussed the key findings with Williams’ CIO and identified the next steps.
Last year over three quarters of companies reported falling victim to phishing attacks. This shouldn’t be that shocking – phishing is a type of fraud and attackers are getting better and more sophisticated at fooling people over email. We require people to use email as a trusted platform for conducting business – which attackers take advantage of.
Williams wanted to evaluate the level of risk that a phishing attacks posed to them through a real-world assessment of the every-day security awareness of all their employees from board-level to the engineers. Specifically we:
> Registered similar spoof domains
> Built a platform to send the emails and securely harvest any credentials
> Created multiple targeted email templates
> Timed the assessments to ensure the highest amount of engagement
Cyber Health Check
A Cyber Health Check is like an annual MOT for your vehicle but we’re analysing an organisations technical and human aspects of cyber security.
Once a comprehensive audit has been completed, we define identified risks, work out how likely they are to happen, and assess their impact on your business
For our work with Williams, we audited various elements of their cyber security processes including:
> Performed a Vulnerability assessment to identify any unmitigated technical vulnerabilities through penetration-testing and other offensive security assessment methodologies
> Information Assurance Maturity assessment to identify he level of maturity of policies, processes and procedures throughout Williams utilising an industry best-practice approach
> Combined the assessment results together to directly identify where a gap in governance maturity leads to technical vulnerabilities that can directly cause harm to the organisation
> Proposed a set of objectives and recommendations to drive an organisational security programme, presenting an initial suite of projects and outlines a security programme roadmap. Incorporating a gap analysis against industry standards
We took a consulting led approach to helping Williams address their cyber security challenges – we listened & understood what their issues were and what they cared about. We then helped them assess where they were and what they needed to do in order to become a mature cyber secure business, and we’re continuing to help them on this journey.