Given how commonplace cyber attacks have become on a global basis, the topic of cyber security is moving increasingly up the Boardroom agenda, and rightly so. 72% of large businesses here in the UK have said that they’ve identified at least one cyber security breach in the last 12 months, while 40% experienced a breach or an attack at least once a month. Clearly, businesses are aware of the prevalence and potential damage that attacks can cause, but how can they be sure that their defence strategy is up to the task? Alan Calder offers his views.
How long would it take you to identify a security breach within your organisation? Hours? Days? Months? The average is actually 101 days. That’s three months, then, that cyber criminals have to exploit the sensitive data they’ve acquired due to a flaw in a company’s security systems or processes.
Simple security measures are clearly not enough. Organisations must be equipped and ready to respond to attacks, control the potential fall-out and recover as quickly and easily as possible.
Ranging from the identification of threats through to the importance of response and recovery, let’s address the concerns of business before, during and after cyber attacks and examine ways in which to avoid them altogether.
Identify potential threats
The first step should be to undertake a thorough risk assessment to highlight any threats that the organisation currently faces to its information assets. Any data that a company values, be that digital assets, offline content or employee knowledge, will also be valuable to a cyber criminal – all require protection.
There are a number of risks that could impact an organisation and its information assets, from cyber attacks to human error, theft or accidental loss and even natural disasters. This is where penetration testing can help to identify weaknesses in an organisation’s infrastructure and networks by highlighting vulnerabilities before cyber attackers are able to exploit them.
These risks must then be fully evaluated to determine how significant the threat is – how likely is the threat to happen? What could be the resulting impact?
Protection against attack episodes
The next step is to deploy tools to prevent the attacks, or at least reduce their likelihood or impact. These should take the form of technical controls, such as firewalls, as well as process controls, including policy changes.
Detective controls can also be used to observe the environment to detect risk before it causes harm. This could include CCTV cameras or intrusion detection systems monitoring the network. Reactive controls can also be deployed to take action in response to an event, such as locking down a particular area or encrypting data after a certain number of failed login attempts.
While it’s certainly true that technical functions are essential to keep information secure, it’s crucial to ensure that risks related to human error and process failures are not overlooked and that a holistic approach is implemented to keep the organisation secure.
Information security frameworks such as ISO 27001 consider the people and process aspects of keeping data secure, such as staff awareness, regular training and a culture of continual improvement. An ISO-27001-compliant information security management system is also a risk management approach, meaning that the security measures an organisation should implement are tailored to the specific threats it could face, as well as its risk appetite.
By using this approach, organisations can be confident in the fact that they’re addressing real threats to the business and not wasting time or resources protecting against threats that are unlikely to happen.
It’s true that not all attacks can be prevented, which is exactly why it’s essential to have robust detection mechanisms in place, such as regular log review and continuous network monitoring to detect unusual activity. This way, organisations can be in control of their defences and in a position to identify threats and mitigate breaches before they cause substantial damage.
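The two control types described above (a detective control that reviews logs for unusual activity, and a reactive control that locks an account after a set number of failed logins) can be shown together in a few lines. The following is an added illustration and not code from the article or from IT Governance; the sshd-style log lines, user names and IP addresses are constructed for the example, and the threshold and time window are assumptions a real deployment would tune.

```python
"""Added example (not from the article): a detective control that reviews
authentication log lines and a reactive control that decides on a lockout once
a threshold of failed logins is crossed within a time window.
All log lines, users and addresses below are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z sshd[2101]: Failed password for admin from 203.0.113.5 port 50122 ssh2
2024-05-01T09:00:03Z sshd[2101]: Failed password for admin from 203.0.113.5 port 50123 ssh2
2024-05-01T09:00:05Z sshd[2101]: Failed password for admin from 203.0.113.5 port 50124 ssh2
2024-05-01T09:00:07Z sshd[2101]: Failed password for admin from 203.0.113.5 port 50125 ssh2
2024-05-01T09:00:09Z sshd[2101]: Failed password for admin from 203.0.113.5 port 50126 ssh2
2024-05-01T09:00:12Z sshd[2101]: Accepted password for admin from 203.0.113.5 port 50127 ssh2
2024-05-01T09:30:00Z sshd[2202]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-05-01T10:15:00Z sshd[2203]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2024-05-01T10:16:00Z sshd[2204]: Accepted publickey for alice from 198.51.100.9 port 40003 ssh2
"""

# Matches the constructed format: timestamp, outcome, user and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, outcome, user, source) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["outcome"], m["user"], m["src"]


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Detective control: review log lines and return a list of alerts.

    Reactive control: once `threshold` failures for the same (user, source)
    pair fall inside `window`, a LOCKOUT decision is recorded.  A later
    successful login for a pair that should be locked is flagged separately,
    because it means the lockout did not take effect and needs investigating.
    """
    alerts = []
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    locked = set()

    for ts, outcome, user, src in parse(lines):
        key = (user, src)
        recent = failures[key]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()

        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and key not in locked:
                locked.add(key)
                alerts.append(("LOCKOUT", user, src, ts.isoformat()))
        elif key in locked:
            alerts.append(("SUCCESS_AFTER_LOCKOUT", user, src, ts.isoformat()))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

In the constructed sample, five failures for `admin` from one address within eight seconds trigger the lockout decision, and the success that follows three seconds later is raised as a separate finding; `alice`'s two failures are 45 minutes apart, so they never accumulate inside the window and produce no alert. The threshold and window are the knobs that balance false positives against detection speed, and the point of keeping the failure history per (user, source) pair is that a single mistyped password from many users does not look like one attacker.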
Respond to incidents
Training is an important factor in an organisation’s cyber resilience strategy, so that in the event of a breach the right response can be followed to limit the potential fallout. Research suggests that over half of organisations don’t have processes in place to appropriately train staff in this area. In the current compliance environment, where legislation such as the European Union’s General Data Protection Regulation requires all staff that handle personal data to receive appropriate training, and imposes strong penalties for organisations that don’t, this is a worrying statistic.
A business continuity management strategy will include a comprehensive plan detailing who to contact in the event of a breach, processes for containing the incident and information on how to keep the situation stable. With a step-by-step approach, the fall-out from a breach can be minimised as much as possible to keep assets protected and the organisation running at an optimum level.
It’s also important to record all available evidence and keep a log of response procedures to be reviewed at a later date. This is not only necessary to legally inform subjects that may have been affected by the breach, but also as an audit trail to improve the response process for future incidents.
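The audit-trail point above is easier to satisfy if the response log cannot be quietly edited after the fact. The following is an added illustration, not code from the article or from IT Governance: a minimal tamper-evident incident log in which each entry carries a SHA-256 hash chained to the previous entry, so a later reviewer can verify that no entry was altered or removed. The actors, actions, file names and evidence hashes are constructed placeholders.

```python
"""Added example (not from the article): a hash-chained incident response log.
Each entry is bound to the previous one with SHA-256, so verify() can tell an
auditor whether the record has been modified or truncated since it was written.
All entries, file names and evidence values are constructed placeholders."""
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for the first entry


def _digest(prev_hash, body):
    """Hash the previous entry's hash together with a canonical JSON body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class IncidentLog:
    def __init__(self):
        self.entries = []

    def record(self, ts, actor, action, evidence=None):
        """Append an entry; returns its hash so it can be noted elsewhere."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "actor": actor,
            "action": action,
            "evidence": evidence or {},
            "prev": prev,
        }
        entry = dict(body, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, count) or (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False, i
            if _digest(prev, body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


def build_sample_log():
    """Constructed timeline of a response; timestamps are fixed so it is reproducible."""
    log = IncidentLog()
    log.record("2024-05-01T09:05:00Z", "soc-analyst", "alert triaged: repeated failed logins for admin")
    log.record("2024-05-01T09:12:00Z", "soc-analyst", "host isolated from network",
               evidence={"host": "PLACEHOLDER-HOST"})
    log.record("2024-05-01T09:40:00Z", "ir-lead", "auth log preserved",
               evidence={"file": "auth.log", "sha256": "PLACEHOLDER-EVIDENCE-HASH"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())                    # chain intact
    log.entries[1]["action"] = "no action taken"
    print(log.verify())                    # tampering detected at entry 1
```

Writing the chain head (the latest hash) to a separate place, such as a ticket or an e-mail to the incident lead, gives a reviewer a reference point that someone editing the log file alone cannot adjust; the verification then covers both silent edits and removal of entries from the end of the record.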
Recover from an attack
Once the situation is stable following a breach, action should be taken to prevent similar incidents from happening again, or at least ensure that the incident will have a lesser impact in future.
Of course, how an organisation recovers from an attack will vary depending on the nature of the incident and the company. For example, the Security of Network and Information Systems Regulations dictate specific business continuity processes for certain essential services, such as transport, energy, healthcare and cloud computing, in order to ensure the continuation of these systems in a determined effort to keep businesses, citizens and public services protected.
The business continuity management strategy should be comprehensive enough to enable an organisation to operate as close to normal as possible while it continues to fully recover from an incident. With an established cyber resilience strategy in place and following the five steps outlined, an organisation will be able to detect and survive any incident – and quickly return to ‘business as usual’.
Alan Calder is CEO of GRC International plc (parent company of IT Governance)