Mitigating The Impact of a Cybersecurity Attack on YOUR Organisation
I’ve been thinking (following three published cybersecurity breaches in Ireland in the past week – the HSE, Ardagh Group, and MyHome.ie) about what makes an organisation vulnerable to a breach and what an organisation can do to prevent it, or at the very least, remediate against it.
As we’ve seen this week, critical data is the lifeblood of all organisations. Immediate and prolonged loss of access to that data causes untold disruption and anguish.
An “ostrich” strategy (keeping our head down and pretending that it won’t happen to us) is not a viable strategy anymore. All organisations are viable targets for cybercriminal gangs, and they don’t care what the impact is as long as there’s a potential financial return for them.
Cybersecurity Budget!
I really need to talk about the “Elephant in the Room”.
It’s not going to be a pretty conversation, but it is imperative, because it’s probably the major contributing factor to the majority of cyber breaches (independent of whether they are related to loss of availability, compromise of privacy, or unreliability of systems or data).
There’s an excellent opinion piece in the Irish Examiner on 19th May 2021 by Dr Simon Woodworth on the relationship between cybersecurity incident targets and their budget allocation.
Using the recent breach to make the point, he argues that the HSE’s budget for cybersecurity should have been in the region of €12m-€36m per annum rather than the €2m currently allocated. I’d point towards the upper estimate given the sensitivity of the information that the HSE is responsible for, and the mountain of work that needs to be done to bring the HSE IT systems in general up to date and fit for purpose. So many valuable security resources are wasted in trying to secure out-of-date systems, applications, and infrastructure.
By way of comparison, in one of Ireland’s major financial institutions the CISO was mandated by the Board to spend more than 7% of the overall IT budget on cybersecurity. This was built into the CISO’s personal annual performance goals. This seems to me to be a reasonable budget to “get things done”.
HiFi Analogy
Most audiophiles will tell you that they reserve about 5%-10% of their hifi spend for cables. Why? Because even the best electronic equipment and components will only perform mediocrely if poor quality cables are used. That being said, some low cost cables (1) are really great, but it’s not the norm. “Synergy” and “transparency” in their systems are the ultimate goal of all passionate audiophiles.
Similarly with cybersecurity controls – the best systems will continue to be vulnerable if proper cybersecurity controls aren’t implemented. Some cheap controls can make a huge difference (in risk reduction), but you need to ring-fence a decent chunk of money to protect your digital assets.
As with hifi, we need to spend wisely on “synergy” and “transparency”. Controls have to work seamlessly and together to ensure there’s no latency or loss of functionality to the business, and to ensure that organisations can immediately take full advantage of new business opportunities as they arise.
Governance – What is “Good”?
A PwC webcast on 19th May titled “Managing Cyber Threats and Challenges” asked the question “What should Boards do?” and the general consensus was “They need to ask the right questions!”.
Using the 7% budget metric mentioned above, Boards should be asking:
- “How much of our overall/IT budget is allocated to cybersecurity, and how is that money being spent?”
- “What/Where are the measured risk reductions that result from our cybersecurity spend?”
- “How has our overall risk score increased/reduced (trend)?”
- “Are we meeting our targets for our strategic cybersecurity objectives? Are they still valid / When were they last reviewed?”
- “Has our Risk Appetite / Risk Tolerance changed, and what factors brought about that change?”
Awareness
I think that it’s pretty much accepted that all employees and partners regularly need to receive security awareness training. Why? Because it’s much easier to hack the person than hack the system. (2)
The more I think about it, the more I conclude that training needs to be broken down, customised and targeted at different cohorts (based on risk profile and need), i.e. Board, Exec and Middle Management, IT staff, Business staff, Information Risk and Information Security management and staff (and perhaps even business partners that are critical to our continued operation).
Culture
As I talk to more and more great security people, I hear that the main reason they leave jobs is that they aren’t receiving buy-in for cyber risk improvements from their bosses or their organisations. This is primarily a result of the culture of the organisation (influenced by “tone from the top”). I vividly remember attending a presentation one time by the CFO of a major financial organisation who described cybersecurity spend as “a necessary evil”. I can only imagine how disheartening it was for employees working in security in that organisation to hear their role described as such.
Another memory is of the negative reaction of a CEO of an organisation to security management when a penetration testing team gained access to his email (trophy hunting).
Words and, more importantly, actions of senior people help define the culture of an organisation. Information Risk Management and Cybersecurity Management need the support of leaders who want to make their business enabled and successful.
“Culture eats strategy for breakfast” (Peter Drucker, made famous by Mark Fields, President at Ford). “The actions of the founders and executives speak louder than their words in the process of culture creation” (3).
What Should Companies Do Now?
I’m reluctant to use this week’s breaches to engender FUD (Fear, Uncertainty, and Doubt), so I have a very short checklist that businesses (and particularly businesses that don’t have extensive dedicated security teams) should consider:
Infrastructure:
- Are your systems up to date (updates and patches), being constantly monitored and managed, and are they being backed up (and how often are the backups validated, and how are they stored)?
- Do you have on-premises IT, Cloud IT, or a hybrid mix? Are your security controls adequate, and suitable for your IT architecture?
- Do you have anti-malware controls on your systems, on your email infrastructure, and on your staff end-points (i.e. PCs, Tablets, Phones)? Are alerts from these controls fed back to someone responsible for security?
- Have you carried out recent independent security testing of your infrastructure or applications?
Process
- Do you have a Disaster Recovery Plan (loss of IT systems or Premises), Business Continuity Plan (loss of access to critical data), and Incident Response Plan (Prevention, Detection, Recovery and Remediation) in place (regularly reviewed, updated and tested)?
- Are you comfortable that you know:
  - Where your company data is being stored,
  - How it’s being protected, and
  - Who has access to it?
- Is your organisation just using a UserID and a static password to authenticate users?
People
- Do you have an information security policy that is applicable to all employees? Is everyone aware of what it contains, and is it being lived (i.e. does everyone follow it all of the time, and are sanctions for not following it applied)?
- Are your board, management, and staff receiving adequate security training at least twice yearly?
These nine bullet points aren’t a silver bullet for secure systems. They just get a business up to the minimum baseline. If you’ve answered NO to any of these questions, then I strongly suggest that you contract a specialist to help you understand and address these issues. It’s really not that complex. Cycubix are just one of a number of companies that can help you with this task if you don’t have in-house skills available.
If you can manage to get to the point that you can answer YES to all of the bullets, then you’ve already greatly reduced the impact to your business from a cyber attack.
Final word
While no organisation can 100% prevent an attack on their systems and data, they certainly can reduce or eliminate the impact of such an attack by having good preventative, detective, and corrective controls in place, and by having up-to-date, tested plans and procedures to deal with cybersecurity threats, events and incidents.
(1) I’m currently using Duelund Coherent Audio DCA16GA “Vintage Tone” speaker cable. Fabulous cable at a great price.
(2) Seven key psychological principles of social engineering
(3) Culture Eats Strategy for Breakfast
Richard Nealon, Senior Information Security Consultant @ Cycubix
All views expressed in this piece are the author’s own, and do not necessarily represent the opinions of Cycubix Ltd.