Organisations are increasingly connecting their operational processes to cyber space, leaving them vulnerable to attacks that can cause serious disruption. Yet in a recent survey of CIOs undertaken by PA Consulting Group and Harvey Nash, only 37 per cent felt they were ‘very well positioned’ to deal with a cyber attack, and only 28 per cent were confident they could identify and deal with an IT security or data misuse incident originating from their employees.
As attacks become arguably easier to perpetrate (with malware readily available on the open market), and the potential damage caused by cyber attacks becomes increasingly disruptive, organisations must develop their capability to improve their cyber defences. The traditional approach to IT security, which focuses on the technical aspects, is only one part of the solution.
In order to protect their business assets in cyber space – including reputation, IP, employees and customers – organisations need to take an integrated and intelligence-led approach to cyber security that also considers the people factors.
Based on our experience, there are four key areas that need to be addressed:
1. Understand the cyber security risk in relation to your organisation and critical operations
An organisation needs to clearly identify its key business assets, such as the IP that underpins core products and services or its financial or trading systems. These may not just be inside the organisation, but may also include suppliers or partners. The relative risks to these key assets then need to be analysed (scanning social media is one way organisations can be more proactive in understanding potential threats).
This approach enables organisations to gain a broader understanding of how to tackle not just the IT challenges, but also people risk, the physical environment and information handling issues as a whole.
2. Integrate across personnel, technical, physical and information security – and make smart interventions to boost overall cyber security
In the context of cyber security, the adage that you are only as strong as your weakest link is particularly pertinent; it is important to consider your cyber security strategy as a whole, rather than in individual silos. In practice, many organisations have not taken even the basic steps to defend against cyber attack: for example, they do not have appropriate HR policies and practices, effective employee identity management, physical security and/or access control. Even basic IT management arrangements (such as anti-virus and patching) may not be fully in place.
Getting the basics right, identifying where additional interventions can resolve vulnerabilities and ensuring that defensive measures are properly integrated will protect against all but the most persistent forms of attack.
3. Establish protective monitoring to prevent and deter the ‘insider’ threat
Protective monitoring allows organisations to identify suspicious activity by employees (or ‘insiders’) and supports a positive culture to deter counter-productive behaviour. For example, employees who return to the office late at night to access systems unrelated to their role should be identified and managed. This requires the ability to correlate events across systems, such as the physical access control records for buildings and the usage audit trails of IT systems, in order to identify unusual activity intelligently.
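The correlation described above, as an added illustration that is not part of the original article: it joins constructed building badge-in records with a constructed system audit trail and flags out-of-hours entries followed by access to a system outside the person's role. The log formats, user names, system names, business hours, correlation window and role-to-system mapping are all assumptions made for the example.

```python
"""
Added example (not from the PA Consulting article): correlating physical
access-control records with a system usage audit trail to surface the
out-of-hours, out-of-role activity the article describes.
"""
from datetime import datetime, timedelta

# Constructed building access-control badge-in events (assumed line format).
BADGE_LOG = """\
2024-03-11T09:02:00 badge_in user=alice door=main-entrance
2024-03-11T23:41:00 badge_in user=bob door=main-entrance
2024-03-12T08:55:00 badge_in user=carol door=main-entrance
"""

# Constructed system usage audit trail: who did what on which system (assumed format).
AUDIT_LOG = """\
2024-03-11T09:10:00 login user=alice system=crm
2024-03-11T23:52:00 login user=bob system=finance-ledger
2024-03-11T23:58:00 query user=bob system=source-repo
2024-03-12T09:05:00 login user=carol system=finance-ledger
"""

# Assumed mapping of each person to the systems their role is expected to use.
ROLE_SYSTEMS = {
    "alice": {"crm"},
    "bob": {"source-repo"},        # a developer: finance-ledger is outside scope
    "carol": {"finance-ledger"},
}

BUSINESS_HOURS = (7, 20)            # 07:00 to 20:00 counts as in-hours (assumed)
CORRELATION_WINDOW = timedelta(hours=2)  # audit events this long after a badge-in


def parse_line(line):
    """Parse 'timestamp event key=value ...' into (datetime, event, fields)."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), event, fields


def is_out_of_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def correlate(badge_text, audit_text):
    """Return one alert per out-of-hours badge-in that is followed, within the
    correlation window, by the same person touching a system outside their role."""
    badge_ins = [parse_line(l) for l in badge_text.splitlines() if l.strip()]
    audits = [parse_line(l) for l in audit_text.splitlines() if l.strip()]
    alerts = []
    for badge_ts, _, badge in badge_ins:
        if not is_out_of_hours(badge_ts):
            continue                      # daytime entry: nothing to correlate
        user = badge["user"]
        allowed = ROLE_SYSTEMS.get(user, set())
        for audit_ts, action, audit in audits:
            if audit["user"] != user:
                continue
            if not (badge_ts <= audit_ts <= badge_ts + CORRELATION_WINDOW):
                continue                  # outside the window after the badge-in
            if audit["system"] in allowed:
                continue                  # in-role use, even if late: no alert
            alerts.append({
                "user": user,
                "badge_in": badge_ts.isoformat(),
                "action": action,
                "system": audit["system"],
                "at": audit_ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, AUDIT_LOG):
        print("ALERT", alert)
```

Only bob is flagged: his 23:41 badge-in is out of hours and is followed eleven minutes later by a login to the finance ledger, which his role does not cover; his later use of the source repository is in-role and is deliberately left alone, so the rule targets the combination of late entry and out-of-role access rather than late working on its own.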
4. Recognise that it is virtually impossible to resist all cyber attacks – plan for resilience
Achieving 100 per cent security is both expensive and impractical. Instead, organisations need to ensure that they can rapidly identify when an attack is occurring. Often the only indication comes through customer experience, so the organisation needs intelligence on that experience in order to know when something is wrong.
Once an attack has occurred, it is important to have the skills and resources to quickly isolate problems, determine the level of investigation and response required, and maintain business as usual. The pursuit of attackers requires good system administration, forensic capture during an attack and a legal response prepared in advance.
To speak to one of our experts about how we can help your organisation develop an effective cyber security strategy, please contact us now.