Paul Key, Group Chief Information Security Officer at Capita, shares five key building blocks that can reduce the impact of cyber-crime on your organisation.
Cyber security rightly attracts a great deal of attention and investment from organisations. Billions are at stake, and there is an arms race between the criminals who want to steal your precious data and the security teams trying to stop them. But no matter what you do, you can never be 100% secure - there’s always somebody out there who can breach a security control.
So, organisations need to do everything they can to be able to respond to an incident or attack.
That response needs to be structured, controlled and delivered in the right way and at the right speed to reduce the impact on your organisation. In a word, you need cyber resilience.
Cyber resilience isn’t just about responding and recovering, however. It’s also about continuously testing and improving the technology, people and processes involved in all aspects of cyber and information security for your organisation.
Let’s look at the five key building blocks for cyber resilience: getting the basics right; advocating for cyber security at the highest level; testing, testing and more testing; taking advantage of the latest automation technology; and shifting to a threat hunting mode.
Back to basics: Organisations need to start by implementing the basic requirements for cyber security. The National Cyber Security Centre lists the 10 basic requirements as:
- network security
- user education and awareness
- malware prevention
- removable media controls
- secure configuration
- user privileges
- incident management
- secure home / mobile working.
In addition to these, I always add one extra requirement: asset management. You can’t secure what you don’t know you have, so it’s important to maintain registers for your hardware, software and data.
Chief Information Security Officer (CISO) engagement: Over the last 5 to 10 years, the role of the CISO has evolved and taken on a new business focus, which has meant developing relationships with the C-suite as well as the security and risk functions.
This creates more awareness among senior executives about the importance of cyber security. If an attack does happen, it means that the response is immediately escalated to the highest level in the organisation, ensuring a quicker recovery and minimising damage. It also builds support among the organisation’s most senior decision makers for more investment into research and technology to proactively prepare for possible attacks.
Testing: A vital step in enhancing cyber resilience is to define, build, implement and review a series of tests that can assure your organisation that your cyber security measures for people, processes and technology are in place and working.
These will be a mix of traditional IT security health checks, penetration tests, and drills known as ‘red team / blue team / purple team’, a cyber security assessment technique that uses simulated attacks to gauge the strength of the organisation’s security capabilities and identify areas for improvement.
Advanced technology and automation: Organisations need to investigate new technologies as soon as they come onto the market, to make sure they’re up to date with the ever-changing nature of cyber threats.
Being aware of new technology is important for making sure your response is up to date, too. Automation, for example, can help to reduce the manual effort required to analyse data and workflows. It can also improve your security results by delivering standard, repeatable and consistent outcomes for your security analysis, testing and response.
Proactive threat hunting: Make your organisation capable of proactively hunting for threats to you and your sector, using a mix of people and technology to stay one step ahead of the criminals.
Instead of just reacting to incidents when they happen, your security operations centre can move to a more proactive cyber defence model by using security orchestration, automation and response (SOAR) platforms. These platforms can orchestrate your entire security tool stack to ensure all tools and technologies are working collectively, freeing up your team for proactive threat hunting.
Finally, it’s important to emphasise that people play a part in everything we do. We mustn’t forget the human side of security. People are, unfortunately, prone to error and non-compliance and are often the weak link in the chain, which creates a point of entry for attacks such as email phishing scams. Education, awareness, communication and testing need to be carried out with these weaknesses in human behaviour in mind.
The way forward in security is to build relationships, listen, communicate and work together to overcome the multiple threats and challenges that organisations face today. Security is a team effort and we all need to be involved.