“Good processes should include more transparent, structured, and fast-working cyber security systems”
As businesses and customers become more connected and digital-first, the need to protect cyber assets and personal information has become paramount.
Analysts estimate that by 2020, 60% of enterprises will be victims of a major cyber security breach. Whilst 74% of these attacks will be due to careless or uneducated employees, according to EY’s Global Information Security Survey 2017, the remaining 26% are often highly sophisticated attacks, which are difficult to predict, identify and defend against.
With Cisco’s 2017 Annual Cybersecurity Report estimating that ransomware is growing at an annual rate of 350%, it is vital to ensure that all business systems and processes are secure to protect against the next WannaCry, which cost the NHS £73m in IT costs in England alone.
An organisation’s communication channels are often the first point of call for an attack, delivered via spam, phishing attempts or by taking advantage of out-of-date software; and now, as businesses move to the cloud, this provides yet another avenue for attack.
So how can your business put adequate barriers in place to ensure that it is guarded against the newest cyber security threats?
Here are six pointers to bear in mind when looking to make UC security fit for purpose.
Maintaining a Strong CMDB
Keeping a strong, well-maintained, and effective Configuration Management Database (CMDB) is a concern for many companies. Many fail to maintain their CMDB, and this makes implementing security controls and procedures more difficult and time-consuming, encouraging mistakes and opening the organisation to attack.
Assign clear responsibilities and ownership for your CMDB and keep equipment up to date. The better managed it is, the easier threats are to prevent. Doing this is particularly important when upgrading infrastructure and for those in the process of modernising the workplace.
Continual Review and Optimisation of the Information Security Management System (ISMS)
Continued maintenance and review is the key to creating a well-oiled machine that won’t fail when it needs to perform. Continually review and optimise your ISMS, which includes security policies and procedures, security change management control and review of the risk register. Adjust these on a regular basis relative to current threats and vulnerabilities.
Commitment from Top Management
Senior managers are often focused on functions other than cyber security. They are oriented towards company profits, financial results, and so on, but often do not have a good insight into the risks that lie in a weak cyber security process.
Good cyber security requires financial resources to secure the infrastructure and sufficient staff to manage the process. These costs are frequently not seen as a necessity, especially if they are not highlighted when budgeting.
All risks must be presented to the senior management of the company, along with the consequences if security is breached, including a robust assessment of the financial implications of a breach as well as the reputational damage it will cause in the eyes of customers. With as many as one in four customers stating that they would never be able to trust an organisation again after a cyber-attack, the reputational cost is likely to be high.
Crisis and Incident Management
Security crises are not an exception but rather a rule, and any security incident is a potential crisis if it is not processed properly.
Incidents can be classified with different priorities depending on the potential impact. It is extremely important that the different priorities are properly described and that the employees who process them are well trained to provide a timely, correct and detailed response.
Security management systems generate different types of reports which we can use to analyse the cyber-security vulnerabilities in the company and to take remedial action and calculate the risk for the company.
All Priority 1 and 2 incidents in Unify, for example, are presented to the senior management regularly, and each Priority 3 or 4 incident is escalated to a higher priority if it is not closed within a certain period. Response time for the different priorities has to be calculated depending on the context of the organisation and its assets and capabilities, but in any case, when the incident is priority 1 the maximum reaction time is several hours.
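The priority, reaction-time and escalation rules described above, worked through as an added example that is not code from the article or from Unify. The limits (four hours for P1, the escalation windows for P3/P4) are assumed values, since the article only states that P1 reaction time is "several hours".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values: maximum reaction time per priority, and how long a
# P3/P4 may stay open before it is raised one level (the article gives no figures).
REACTION_LIMIT = {1: timedelta(hours=4), 2: timedelta(hours=24),
                  3: timedelta(days=3), 4: timedelta(days=7)}
ESCALATE_AFTER = {3: timedelta(days=5), 4: timedelta(days=14)}

@dataclass
class Incident:
    ident: str
    priority: int
    opened: datetime
    first_response: Optional[datetime] = None
    closed: Optional[datetime] = None
    history: List[str] = field(default_factory=list)

def escalate_stale(inc: Incident, now: datetime) -> int:
    """Raise an open P3/P4 by one level if it has exceeded its escalation window."""
    if inc.closed is not None or inc.priority not in ESCALATE_AFTER:
        return inc.priority
    if now - inc.opened > ESCALATE_AFTER[inc.priority]:
        inc.history.append(f"P{inc.priority}->P{inc.priority - 1} at {now.isoformat()}")
        inc.priority -= 1
    return inc.priority

def reaction_breached(inc: Incident, now: datetime) -> bool:
    """True when the first response came (or, if still pending, would come) after the limit."""
    responded = inc.first_response or now
    return responded - inc.opened > REACTION_LIMIT[inc.priority]

def management_report(incidents: List[Incident], now: datetime):
    """Apply escalation, then list every P1/P2 for senior management with a breach flag,
    as the article says is done regularly."""
    for inc in incidents:
        escalate_stale(inc, now)
    return [(inc.ident, inc.priority, reaction_breached(inc, now))
            for inc in incidents if inc.priority <= 2]

# Constructed sample incidents, evaluated at a fixed "now"
NOW = datetime(2018, 3, 1, 12, 0)
SAMPLE = [
    Incident("INC-1", 1, NOW - timedelta(hours=6)),                          # P1, unanswered for 6h
    Incident("INC-2", 2, NOW - timedelta(hours=10), NOW - timedelta(hours=9)),  # P2, answered in 1h
    Incident("INC-3", 3, NOW - timedelta(days=6)),                           # stale P3, becomes P2
    Incident("INC-4", 4, NOW - timedelta(days=1)),                           # fresh P4, untouched
]
```

Running `management_report(SAMPLE, NOW)` flags INC-1 as a reaction-time breach, lists INC-2 as within limits, and promotes the stale INC-3 to P2 where it also breaches; INC-4 stays out of the report.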
For this process to be effective, we again turn to the CMDB theme. There are also GDPR implications if these issues are not raised in the correct timeframe and could result in fines of up to €10 million, or 2% of annual global turnover – whichever is higher.
When WannaCry and Meltdown hit the market, the CMDB topic was highlighted, as for some companies the time they needed to collect all assets that had to be upgraded was longer than the actual remediation time. It is not uncommon to find a particular asset without clear ownership, especially in larger organisations, and this can present a serious issue if specific actions need to be taken within hours of a cyberattack.
A crisis indicates an unstable and dangerous situation affecting a large part of the company or the company as a whole, potentially damaging the business to a great extent and requiring immediate action. Unfortunately, many companies do not have an optimised crisis management process or staff training procedures.
Best practice dictates that everything is clearly documented, that crisis management is led by a member of the senior management team, and that teams meet regularly to update on actions and activities.
The company may also have external partners to consult during a crisis situation, such as a cyber security specialist, or governmental organisation with which to co-operate in order to master the crisis faster, and this needs to be factored in.
Don’t Just Stick to ISO
Most well-known security standards or frameworks are not reactively designed and do not guarantee a well-designed ISMS. ISO 27001 is a standard whose main use is information security risk assessment, treatment and mitigation, but it contains many risk factors in itself.
By introducing best practices without requiring any concrete technology, design or processes, and by describing procedures that place too much trust in the human factor within the ISMS, ISO 27001 can leave many open questions and gaps in an organisation’s cyber security capabilities.
National Institute of Standards and Technology (NIST) Framework
The steps illustrated in this framework are Identify, Protect, Detect, Respond and Recover. But positioning “Identify” as step one means the framework’s approach can be classified as a reactive-only solution; “Respond” and “Recover” also contribute to its reactive nature.
Listing “Identify” at the beginning of the cycle suggests that actions are started only once there is a business impact. “Planning” is not part of this high-level structure, yet it can be a crucial step for proactive measures or for attempting to predict future issues.
Good processes should include more transparent, structured, and fast-working cyber security systems. Planning is also crucial. Good security officers should not wait for an issue before improving security, nor confine themselves within the borders of predefined standards like ISO 27001.
Instead, they need to plan daily, be able to respond to different environments, and create a cyber security focused culture across the whole business. If they do that correctly, then the business will give itself the best chance to defend itself against the next WannaCry.