In my previous blogs I’ve taken you through the five stages of the cyber security journey — ‘Denial’, ‘Worry’, ‘False confidence’, ‘Hard lessons’ and ‘True leadership’. Now I’d like to talk about how organisations assess the degree of risk their defences face.
There are three distinct zones at play in this space — named by our report as the zone of routine, the zone of surprises, and the zone of catastrophes — and, in my experience, businesses fall into one of the three.
The zone of routine is the one you find yourself in when you’ve adjusted to the fact that cyber attacks against your organisation happen routinely. What’s more, your response to them becomes a matter of routine too. An attack happens and your controls deal with it; your Security Operations Centre manages the incident; and analysis and reporting reveal how often the attacks occur and how serious they are. The cost of incidents is rising, but only slowly, and your expectation is that any consequent losses won’t exceed £10 million. It’s business as usual. You feel the cyber threats you face are observable and manageable, so the level of risk you face becomes customary and relatively comfortable.
In the zone of surprises, your mindset accepts the fact that your cyber defences can be caught out by unexpected events. It’s possible to conceptualise these surprise scenarios because they’ve happened to other firms, and you can imagine a similar attack happening to your business. As a result, your cyber security involves working out how such attacks would affect you and putting suitable defences in place. This may involve simulations that give your board a chance to play out high-impact scenarios, or calling in ethical hackers to fully test your defences. Businesses in this zone know the cyber-security landscape is increasingly uncertain, yet also believe the events likely to take them by surprise remain within the scope of insurance, expecting annual losses of up to £100 million.
In the zone of catastrophes, the business fully embraces the capacity of cyber attacks to serve up the totally unexpected. In this mindset, you recognise that a new form of cyber attack may come along, something so catastrophic that it’s hard to imagine. This, in turn, makes it difficult to accept that it may happen to your business. Such events are rare and extremely costly, bringing annual losses that run in excess of £100 million, right up to £10,000 million. Dealing with the unimaginable requires a shift in thinking: what would push your business to the edge of existence? The answer to minimising these risks might lie beyond pure security measures and venture into the structure of the wider business, because the cause of the catastrophe might be something other than a deliberate cyber attack.
So what steps can your business take to prepare its cyber-security defences, no matter what zone of risk it’s in?
Your cyber security needs to be proactive, predicting where threats will come from and defending against them in an agile way. A key part of this is making the most of the intelligence at your disposal, from governments, partners and your global network. Your aim is to develop a situational awareness through actionable intelligence that will let you anticipate trends and patterns as far as possible. This, in turn, may cause you to shift risk zones.
Creating this intelligence-driven view means not becoming overwhelmed by the sheer amount of data at your disposal. You’ll need the right Big Data analytics, intelligence sharing and automated remediation to sift out the crucial alerts you need to deal with. You’ll also need to optimise your existing investments so that your solutions are compatible and help you work towards a clear cyber-security strategy.
As you move to the cloud, your security needs to keep pace, being built into your design and decision-making. Right from the beginning, you need to evaluate, quantify and address risk and security across your cloud services. You’ll need an effective cloud security strategy that makes the most of automated monitoring, control and reporting. Consistency is vital in this, making sure you have the same level of compliance and data protection from all your cloud service providers.
Best practice frameworks are an effective way to assess your existing controls and, by aligning them with your compliance requirements, you can ensure you meet your objectives. Consider, too, using advanced analytics to proactively identify risk and maintain compliance across all your hybrid cloud resources. And remember that bringing on board a cyber-security operations centre can help you to manage and maintain your control points.
Start by getting the essentials right — focus on good housekeeping of the basics because this will address a large number of issues. Look at firewalls, anti-virus, patching, password security and backups. Focus on investing in protecting your most sensitive data, and make sure security is a responsibility shared by everyone within the business.
Build on this solid foundation by bearing in mind that compliance is far from a tick-box exercise, and that being GDPR or PCI compliant requires more than simply putting a new piece of technology in place.
From here, as your network evolves, you need to continue to review your security with fresh eyes, so you can continue to understand and protect your data in a compliant way. What will be helpful is mapping out your business’s data flow, including shadow IT, and then assessing and evaluating the security risks you’re up against.
Hopefully this has given you some food for thought. Why not download our report to get even more information on where your security journey could go?