The road to Cyber Resilience starts with a lot of learning. Until now, most organisations have relied on their firewall, anti-virus and email protection, thinking that these were enough. They are of course, very important.
But it is a new era and these “traditional” defences cannot be fully relied on to protect your systems. A combination of factors needs to be considered to understand the imperatives that face technology dependent organisations. The perpetrators of cyber-crime:
now have increasing criminal intent and the monetary incentives are staggering
are often working from geographical locations which make them untouchable by law enforcement
now have an arsenal of advanced techno-weapons specifically designed to penetrate ineffective defences.
Traditional intrusion defences now only form part of a successful defence strategy; new measures have to be considered.
We have previously published articles about the Cyber Resilience journey. We now look at getting your IT systems into shape.
Where to start
An Information Security risk assessment (see our previous article) will get you thinking and heading in the right direction. Your organisation will have a lot of valuable data/information that needs protecting. You now have to ask yourselves a lot of questions about that data.
This exercise needs to be driven by senior management and engage your broader staff team, not just the IT team. Management will then be able to understand where data is stored, how it is accessed and the ramifications of having that data compromised.
Looking at process
The next stage requires you to avoid the temptation to jump straight in and create technical solutions. Documenting your organisation’s policy framework (see our previous article) is foundational in helping to understand what you have in terms of information, systems and associated processes.
Start with an Information Security Policy; from that, further documents and system investigations will highlight the issues that need to be addressed and their associated remedial actions.
Some really simple changes
You should now be in a position to identify some low-hanging fruit.
For instance, many of your staff might have notebook computers. The data on them could easily fall into other people’s possession through loss or theft; it needs to be protected. Encrypting the disks of those notebooks is a very simple exercise that ensures that if any of them fall into the wrong hands, your information is safe.
Minimal research will show you that password complexity, or the lack of it, is a high-risk area. Consider implementing a Password Policy that requires all staff to create secure passwords, better thought of as pass-phrases. Secure pass-phrases do not need to be overly complex or difficult to type.
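As an added illustration of the pass-phrase approach described above (example code, not part of the original article), the check below accepts on length or word count and imposes no character-class rule, so a long, easy-to-type phrase passes while a short "complex" string does not. The thresholds, the deny list entries and the context-word rule are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Illustrative thresholds (assumed, not taken from the article): a long
# pass-phrase is accepted without symbol/digit/case rules, while a short
# string is rejected however "complex" it looks.
MIN_LENGTH = 14
MIN_WORDS = 4

# Constructed sample of values a policy should never accept; a real
# deployment would use a much larger breached-password list.
DENYLIST = {"password", "letmein", "welcome1", "p@ssw0rd"}


@dataclass
class PolicyResult:
    accepted: bool
    reason: str


def check_passphrase(candidate: str, context_words=()) -> PolicyResult:
    """Length-first pass-phrase policy.

    Accepts when the candidate has at least MIN_LENGTH characters or at
    least MIN_WORDS whitespace-separated words; rejects deny-listed values,
    anything containing a user/organisation context word (e.g. the company
    name), and near-single-character strings. No complexity requirement.
    """
    stripped = candidate.strip()
    lowered = stripped.lower()
    if lowered in DENYLIST:
        return PolicyResult(False, "on the deny list")
    for word in context_words:
        if word and word.lower() in lowered:
            return PolicyResult(False, f"contains context word '{word}'")
    # "aaaaaaaaaaaaaaaa" satisfies the length rule but is trivially guessed.
    if len(set(lowered.replace(" ", ""))) < 4:
        return PolicyResult(False, "too few distinct characters")
    words = [w for w in re.split(r"\s+", stripped) if w]
    if len(stripped) >= MIN_LENGTH or len(words) >= MIN_WORDS:
        return PolicyResult(True, "meets length or word-count rule")
    return PolicyResult(
        False,
        f"shorter than {MIN_LENGTH} characters and fewer than {MIN_WORDS} words",
    )
```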
Security assessment testing
To this point you will have learned a lot about your information, where it is and who has access to it, or should we say “who you think should have access to it.” Whilst you may have locked down internal access to highly sensitive information within your organisation, are you certain that no-one outside your organisation could get access to your information?
We suggest that you test how hard it would be for a determined hacker to “break into” your data stores. Chances are, you get excellent IT support from your Managed IT Services provider but they are not the right people to test Cyber Security.
You will need to engage an Information Security analyst who is an expert in Cyber Risk and Security. They will be able to identify vulnerabilities in your infrastructure that might enable a very determined and skilled hacker to penetrate your defences. Information Security analysts come with the attitude and expertise of a “very determined hacker”, but they work in your best interests, subjecting your infrastructure to the latest and most advanced hacking techniques.
Expect them to find some vulnerabilities. These then get rectified by your Managed IT Services provider.
Some basic principles
As you embark on a Cyber Security assessment we would like to share some insights with you.
More than anything else, the road to Cyber Resilience requires a change of mindset for everyone in your organisation. Education is a huge part of the process.
When it comes to Cyber Security, you need to look at much more than technical solutions. Policies, processes and education are the key to doing it right.
There is a huge difference between Managed IT Services providers and Cyber Security experts. You may be extremely happy with your services provider but they cannot be expected to have the knowledge of Cyber Security experts.
You may have industry-leading firewalls, anti-virus and anti-spam protection deployed throughout. They are absolutely essential, but they are not enough.
Keeping all your software applications up to date with the latest patches is essential.
Relatively simple changes to your IT configuration can make a huge difference to your level of security.
Do not underestimate how important it is to lock down your wi-fi. It advertises to everyone in the local vicinity that you are there and it could be the key to the front door.
By implementing Cyber Resilience it is possible to have a high level of confidence that your organisation’s systems are not an easy target for even the most determined hacker. But technology is changing constantly and the bad guys are getting more determined and smarter. This is an area where we all have to be constantly vigilant. Nobody can assume that they have reached an end point in Cyber Resilience.