2014 saw high-profile cyber attacks against large banks, household-name retailers and Hollywood. Cyber criminals stealing credit card information, sensitive information being extracted by nation-state or industrial rivals, or the destruction of information systems were fairly regular features of our daily news.
It can be quite difficult to know where to begin to make sure your business is not the next headline victim of a cyber attack. So here are my four areas in which we all need to prioritise our efforts:
First and foremost, it is vital to really understand the threat to your business. Seek out advice, share your experiences. The threat intelligence team play a central role in our business. Threat intelligence is the combination of technology-focused and business-focused risk languages – the best cyber defenders are fluent in both.
When done well, threat intelligence is the key linkage in translating the technology risk, with its jargon and terminology, into the business risk language understood by management and policy makers.
As most of us have experienced, security measures add inconvenience to our jobs and daily lives. However, as cumbersome as they can be, most of us have learned to live with waiting while patches are being installed or calling the help desk to report that we are locked out and need to have a password reset (some of us are more guilty than others on that one).
However, in some environments, even these inconveniences are intolerable, especially when uptime is not just important, it’s critical. Imagine being in a power plant and not receiving a critical system alarm in time to respond to it, or having to handle it while the workstation decides to reboot itself. Or having to remember a long and complex password during a chemical process upset. As a result, many security measures that are acceptable in the ‘normal’ IT world may not be acceptable in an industrial environment.
What is needed are solutions which are engineered specifically for industrial applications and for securing communications between ‘things’ rather than people; if not, it may be IT security measures themselves that pose one of the biggest threats to industrial system security.
If security is too painful or disruptive, controls will be bypassed, disabled, postponed, or just plain ignored. Not only does this leave a company more vulnerable, it also harms future attempts to help users to secure their systems.
Understanding the data available from all of the security tools already at your disposal is now a common need in most large organisations, but as raised in some recent posts below – “what are those devices already telling you about attacks on your network? More importantly, you need to be able to identify threats that do not immediately stand out within the raw data.
Sophisticated cyber thieves will try to hide themselves and you should also have the capability to discover, understand and react to these attacks.” So, apart from reading more, better monitoring, knitted tightly with the predictive abilities of threat intelligence (in my first bullet) and incident response (in my next), is absolutely crucial.
Obviously we all hope that we respond rapidly and accurately when crisis hits. But the fact is that, just like the emergency services, those that really do respond well make response their profession. They have the experience and processes that can only come from training, practice and real-life incidents.
In 2012, to make the United Kingdom more resilient to cyber attacks, a new Cyber Incident Response Scheme was created by GCHQ to identify the response companies that victims of cyber attacks should turn to. In 2014 this pilot scheme became a fully fledged certification service, and actions like this by governments can really assist industry, not just when crisis hits, but also to practise in case the attackers do succeed.
That's my first effort* at making our businesses cyber-safe in 2015, but I fully expect more headlines to come; just make sure you're not the story.
*Subject to change, but that comes with the territory.