As most of you already know, October is National Cyber Security Awareness Month (NCSAM). The aim of NCSAM is to raise awareness across the international community about cyber threats, discuss best practices, and educate the public and private sectors on how to stay safe online.
Given the opportunity, let’s talk about the UK’s cyber security clusters and how you can engage, participate, network and ask any questions that you currently have regarding your organisation’s cyber security posture.
In the UK, the South Wales Cyber Security Cluster is the largest cluster, as it has as many members as all the other clusters in the UK combined. The cluster has been formed under the umbrella of the UK Cyber Security Forum by a number of cyber security-focused businesses and information security experts.
The aims of the cluster are two-fold. The first is to support members by communicating national and international initiatives and trade opportunities; providing a networking platform to share ideas and best practices; encouraging collaboration; and identifying partnership opportunities that help small cyber security specialist businesses in Wales find new ways to grow.
The second is to support the Welsh government’s commitment to cyber security (and the UK government’s cyber security strategy) by building cyber security knowledge, skills and capabilities in the region, making businesses more resilient to cyber attacks, and making the region one of the most secure places in the world to do business.
So, our first tip for NCSAM is for you to find out when the next meeting is for your local Cyber Security Cluster and seize the opportunity to attend.
Boards of directors and executives worldwide have started to realise that cyber security is a prominent risk issue, often with devastating outcomes. Data breaches, compromised networks and significant loss of revenue due to security vulnerabilities are almost a daily story in the news, especially when high-profile targets are hit and millions of customers are affected.
The forthcoming GDPR raises the bar for how cyber security is perceived worldwide. More specifically, it governs the protection of data stored and transported within the EU, and it also applies to any business that stores EU customer data in geographic locations outside the EU.
A HOLISTIC APPROACH
There is no silver bullet when it comes to security, but this should not be used as an excuse for failing to protect the mission-critical systems of an organisation. When it comes to cyber security, companies tend to narrow the scope and usually focus on selectively protecting high-value assets in order to stay within their allocated budgets.
This practice has worked for years, but carrying it over to a fast-evolving threat landscape, where systems and services are exponentially more complicated than before, has already started to introduce cracks that are not easily spotted.
Effectively, applying security in an ad-hoc manner ends up being more expensive than anticipated and, in most cases, creates a false sense of security. This tactic only allows companies to turn a blind eye to the real problem. In fact, according to the Center for Internet Security (CIS), a significant percentage of cyber attacks (up to 80%) can be prevented with just a few simple proactive measures and a preventive culture within the organisation.
FOCUSING TOWARDS CYBER RESILIENCE
Cyber resilience may sound just like another buzzword being used by the information security industry. However, there is a deeper reasoning why cyber resilience is the way forward.
The first reason is that it is a holistic approach to your organisation’s cyber security posture. The second reason is the result that such a holistic approach delivers: it can reduce your expenditure, allowing you to stay within budget while at the same time upgrading to around-the-clock systemic visibility and real-time response.
An action plan to protect an organization under a holistic approach is not a trivial task. It is, however, feasible when the requirements are put into a realistic perspective and are broken down into individual steps.
Each department throughout an organization (IT, sales, finance, legal, marketing, HR, etc.) needs to come together and discuss their common enemy, which is none other than evolving cyber threats and cyber criminals. This can only be done when the organization’s cyber security posture is treated in a systemic way by identifying the gaps and risks across the whole business.
If necessary, consult an external cyber security expert who will review the organisation’s cyber risk profile and help decision-makers understand where they stand. In some cases, this discussion starts with reviewing the results of a cyber security awareness assessment, which leads to proper training and is then broken down into the specific needs of each department participating in the review process.
DEVISE A PLAN
You can do this by hypothesising attack scenarios; developing a clear picture of what is exposed, which types of attack can affect the organisation, which devices are your high-value targets, and what vulnerabilities are present; and assessing the impact of each scenario.
This process not only sets the foundation for constructing a proper response plan but also determines the recovery process within an acceptable time frame for the business. Furthermore, this process highlights any hidden weak points, vulnerabilities that slipped through the cracks, and most importantly, what needs to be reviewed further.
At this stage, engaging with a third-party expert allows for faster, better and more effective adaptation to emerging cyber threats, dramatically reducing the risk of being targeted or even breached.
It is not possible to know for sure or to predict emerging cyber threats and the effect they will have on the business (e.g. lost revenue, reputational harm, stock price decline). Having rough estimates provides a far more realistic idea of what is at stake, of the consequences of unrealistic expectations, and of the level up to which risk should be considered acceptable.
The outcome at this stage will further assist an organisation in deciding on the right cyber insurance coverage. In the meantime, the mitigation strategy will involve all the necessary steps to determine what the greatest threat is, depending on the particular nature of the organisation; to what level it can be mitigated; and how and what specific investments are needed in order to avoid unnecessary future costs.
Decision makers should take into account that security is not an off-the-shelf product and that more money being spent doesn’t necessarily improve security. Consequently, when it comes to investing in a solution, a product, or a service, what matters the most is how adaptive and scalable that solution can be in order to meet specific needs rather than introducing a false sense of security.
The secret at this stage is not to introduce piecemeal solutions here and there to meet individual security and regulatory requirements, which inevitably increases the overall cost, but to approach the problem holistically.
Utilise the expertise of third parties and discuss how their solutions can assist in that challenging task: how adaptive they are; what kind of flexibility they offer in this fast-evolving threat landscape; what the added value is; and, most importantly, how they will keep everything within budget.
Becoming cyber resilient is a task that requires the efforts of many parties from within the same organisation and, often, third parties. The aforementioned steps put into perspective what needs to be done today in order to avoid any claims of negligence following a potential breach, and clearly demonstrate the necessary due diligence in this era of fast-evolving internal and external cyber threats.
Most cyber criminals are opportunistic in that they target low-hanging fruit. The security industry’s professionals and experts face the challenging task of protecting a vast number of heterogeneous information systems amid a chaotic cyber conflict between threat actors and defending parties. By focusing on a cyber resilience strategy today, security professionals can better defend what is already in place, equip themselves with the tools to detect and respond in real time around the clock, and recover in the unfortunate event of a breach.
Find out how to protect yourself and your business: http://cyber.aspida.org