I think you’ll agree when I say:
It is extremely difficult for your business to prepare for and recover from a serious cyber attack.
So what can you do about it?
Well, it turns out you can help mitigate the risk that comes from a serious data breach by quantifying risks with a robust risk management strategy.
In today's post, I’m going to show you some methods and best practice techniques that will help you define cyber security in your organisation and quantify risk by developing a solid cyber security strategy.
In a hyper-connected world, it’s never been more important for businesses to prepare for cyber threats. This need was recently highlighted when the adult affair website, Ashley Madison, was hacked, with the hackers threatening to release sensitive customer and employee data unless the website was shut down.
As you may know, it’s impossible to fully guard against or eliminate cyber threats altogether, but with an educated awareness and acknowledgement of the risks, and with the right policies, procedures and processes in place, your organisation is capable of becoming cyber resilient.
So what is Cyber Resilience?
Cyber resilience is all about the management of risk.
The risks to data security are now so subtle, personalised and distributed that detecting threats and fully understanding these risks is becoming increasingly difficult.
According to research published by the cyber security firm Damballa, it is estimated that up to 70% of all malware infections go undetected by antivirus software in the first hour of infection, dropping to 35% within 24 hours and just over 25% after 7 days.
The odds are that, regardless of how big your organisation is or what sector you operate in, your organisation will have suffered at least 1 security incident in the last year that went undetected.
How to Become Cyber Resilient
As mentioned previously, you will never be able to completely defend your organisation from cyber attacks.
Why is this?
If an attacker is determined to gain access to your organisation’s systems, they will always find a way to breach your controls and cause an incident.
No matter how good your security and preventative measures are, there are always ways around them. A determined hacker with the right tools and dedication will be able to breach your security measures if they deem it worthwhile.
Having said this, it’s important to note that the stronger your set of preventative controls are the harder it will be for attackers to gain access to your data.
Stronger cyber security controls will result in a much lower frequency of security incidents because this will deter less determined attackers who are after an easy way in.
However, you should recognise that eventually your organisation’s security will be breached, and you need to have plans in place to deal with these breaches. This is what cyber resilience is all about.
There are a couple of strategies that you could employ to help increase your cyber resilience and offer a robust level of infrastructure protection. These include:
- Detection
Threat detection is vital in order for your organisation to successfully implement containment controls and put your contingency plans into action. The sooner an attack can be detected, the greater your ability will be to contain the damage and reduce the impact to your organisation, employees and customers.
- Correction
Having adequate measures in place to enable your organisation to effectively correct the situation after an incident has been detected is extremely important. Well-designed and thoroughly rehearsed plans and procedures will help to minimise the damage and mitigate the risk. Your ability to recover and reduce the extent of your exposure to a risk is vital in successfully protecting your data and assets.
Types of Attack
Cyber attacks don’t just come from organised criminal gangs, though many of the biggest data breaches have been the result of attacks by these criminals. You will also discover that insiders, individuals who have been given direct access to your organisation’s information, will carry out attacks.
However, other data breaches may not be considered attacks at all, but rather the result of carelessness, poor procedures or inadequate training. While these types of data breaches are not malicious in nature, it’s still extremely important that the risks are considered and that your organisation has effective procedures for detecting, controlling and minimising the damage caused by this type of data breach.
10 Strategies That Will Change the Way You Manage Risk
- Define Acceptable Risks
Before you begin to develop any strategies to deal with data breaches and cyber attacks, it’s important that you define and understand the risks involved, and set your risk level based on your objectives. Understanding what are and what are not acceptable risks will help you to better develop strategies to cope with incidents when they occur.
- Develop Your Strategy
Once you have established a robust list of the risks to your organisation’s data, it’s time to develop high-level policies that should be used to help control, prevent and deter attacks.
- Design Your Management System
Once you’ve developed policies and procedures to deal with potential attacks, you will need to develop a management system/process, as well as the controls needed in order to deal with incidents when they occur. This should involve delegating responsibility for cyber resilience and making sure that everyone knows what they need to do, when they need to do it.
- Test & Transition
When you have your policies, management system and controls in place, you then need to thoroughly rehearse and test these procedures so that you are ready to act as soon as a threat has been detected. Once you have completed testing, you should begin to transition all elements into operational use.
- Operation & Continual Improvement
Once in operation you should continually monitor all aspects of your controls, detection methods and management procedures to ensure that cyber resilience continues to provide the level of protection your organisation requires in a constantly evolving environment. Remember, the pace of change is quick.
- Communication & Discussion
Keep cyber resilience at the forefront of your organisation’s operations and maintain discussions and communication between board members at regular meetings. It’s also important to document and communicate any decisions made with regard to cyber resilience throughout the organisation.
- Maintain Balance
Constantly review your controls in order to maintain the right balance between preventative, detective and corrective controls. A heavy bias towards prevention with insufficient focus on detection and correction is not a good idea. As mentioned previously, a threat that goes undetected for weeks, months or years can have a huge impact on your organisation.
- Inform Your Employees
It’s important to make sure that a balance is struck between a focus on technology controls and making sure that your employees are motivated, effectively trained and periodically reminded of the importance of being ready to respond to, and take seriously, any threats that are detected. As human error is often the cause of cyber weakness, you may also want to suggest that your employees invest in a password manager, adding both complexity and length to company login information. Your investment in both security technologies and staff training will be wasted if one does not complement the other.
- Emerging Threats
It should be a priority for those involved in cyber resilience to keep up to date with emerging threats in order to ensure that appropriate and effective controls are in place to prevent, detect and/or deal with incidents when they occur. New threats to your valuable data and the security of your organisation’s systems emerge on a daily basis, so it is vitally important that you maintain an accurate knowledge base and risk register.
- Effective Training
Finally, the effective training of all those involved in designing, developing and maintaining your cyber resilience policies and procedures is vital. Adopting established standards and best practices will help incorporate the accumulated wisdom of many other organisations and individuals into your own cyber resilience management system. Standards and best practice frameworks such as those listed below will help you gain a better understanding of how to evaluate and establish a successful and effective cyber resilience management system:
- ISO/IEC 27001
- ISO 27005
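To make the "Define Acceptable Risks" and "Maintain Balance" points above concrete, here is a small risk register as an added example (not code from the original post): each risk is scored as likelihood multiplied by impact, compared against an acceptable-risk threshold, and checked for having at least one preventative, detective and corrective control. The risks, scores and threshold are constructed sample values, not figures from the post.

```python
from dataclasses import dataclass, field

# The three control categories the post says must be kept in balance
CONTROL_TYPES = ("preventative", "detective", "corrective")


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    # control type -> list of control names currently in place
    controls: dict = field(default_factory=dict)

    def score(self) -> int:
        """Simple likelihood x impact rating used to rank the register."""
        return self.likelihood * self.impact


def above_appetite(risks, threshold):
    """Names of risks whose score exceeds the acceptable-risk threshold."""
    return [r.name for r in risks if r.score() > threshold]


def missing_control_types(risk):
    """Control categories this risk has no control for (e.g. no detection)."""
    return [t for t in CONTROL_TYPES if not risk.controls.get(t)]


def review(risks, threshold):
    """Register findings: score, whether it is over appetite, and control gaps."""
    return {
        r.name: {
            "score": r.score(),
            "over_appetite": r.score() > threshold,
            "missing_controls": missing_control_types(r),
        }
        for r in risks
    }


# Constructed sample register; values are illustrative only
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 4, 5,
         {"preventative": ["patching", "antivirus"], "detective": [],
          "corrective": ["offline backups"]}),
    Risk("Insider data exfiltration", 2, 4,
         {"preventative": ["least privilege"], "detective": ["DLP alerts"],
          "corrective": ["incident response plan"]}),
    Risk("Lost unencrypted laptop", 3, 3,
         {"preventative": ["full-disk encryption"],
          "detective": ["asset inventory check"], "corrective": ["remote wipe"]}),
]
ACCEPTABLE_SCORE = 9  # constructed risk appetite: anything above this needs action

if __name__ == "__main__":
    for name, finding in review(SAMPLE_RISKS, ACCEPTABLE_SCORE).items():
        print(name, finding)
```

In the sample data the ransomware risk is both over appetite and prevention-heavy with no detective control, which is exactly the imbalance the "Maintain Balance" item warns against.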
I’m sure you’ll agree that:
Successfully managing the risk involved with data and security breaches is of the utmost importance to your organisation, no matter how big or small it is.
In a day and age when everything and everyone is connected 24/7, and when the personal and valuable data of your customers, employees and organisation is accessible to anyone in the world who has the determination to gain access, cyber resilience as a process and management methodology is extremely valuable.