The recent WikiLeaks revelations from stolen CIA records, the NSA leaks orchestrated by Edward Snowden and the audacious Stuxnet operation all highlight that technology is only one facet of cyber vulnerability. Indeed, technology alone is not the answer to cyber security. The human element remains key.
Organisations best positioned to defend against cyber threats are those that successfully blend technical and social security measures. This socio-technical approach requires focusing on both organisational processes and staff, empowering employees through knowledge and experience and supporting them with appropriate technical systems. Getting this right is a difficult undertaking. However, once technical and personnel security controls are synchronised, organisations will be equipped to maximise the benefits of operating in cyberspace whilst ensuring they are able to respond effectively when a cyber incident occurs.
As the leader of an organisation, large or small, what must you do to prepare? Allow me to offer the following suggestions:
Practise your incident responses – Weekly fire alarm tests are a normal occurrence in the workplace. Yet practising for a cyber event that could severely impact the organisation is rarely, if ever, done. No matter how good your protection, a breach could occur at any time. How well the organisation responds and recovers will determine the ultimate impact. Preparations must be made for a successful breach at any time and worst-case scenarios need to be tested. For instance, knowing who to contact in the event of an incident is as vital as knowing to dial 999 for a medical emergency.
Execute your response – Every situation will be different and slavish adherence to plans will lead to failure. However, an organisation whose leadership has taken the effort to plan and prepare will respond much more effectively and efficiently. Key here is how you communicate with stakeholders.
How well is your organisation positioned? Can you answer the following four basic questions?
An honest appraisal using these questions as a starting point will help you plan for the day when the virtual fire alarm sounds but is not a drill.
Cyber security is an arms race. Organisations must constantly be on guard and adapt as the threat evolves. A network will have multiple vulnerabilities but it also has multiple strengths in its users. Key to successful defence and response is acknowledging that a winning cyber security strategy extends beyond just the technical to include the human element. Understand that, and you’ll already be ahead of the curve.