Effective strategies for measuring and testing cyber resilience
In this Help Net Security interview, Detective Superintendent Ian Kirby, CEO of the National Cyber Resilience Centre Group (NCRCG), discusses the emerging cyber threats and strategies organizations can use to increase cyber resilience. He emphasizes basic cyber hygiene, security awareness training, multi-factor authentication, and stakeholder involvement at all levels in building a resilient organizational culture.
What are the most significant emerging cyber threats organizations should prioritize when developing resilience strategies?
There are a myriad of ways cyber attacks can be committed and tactics are continuing to develop as technology becomes ever more sophisticated. However, the most common attack methodologies still rely on compromised credentials, either through previous data breaches, default settings or phishing attacks. As such, basic cyber hygiene can protect from the majority of cyber threats.
By rolling out security awareness training (SAT) across an organization, staff can learn to question the veracity of emails and websites. SAT is one of the most sought-after cyber resilience services delivered through our talent pipeline, Cyber PATH, and something businesses are increasingly contacting our network about.
Likewise, by enforcing multi-factor authentication across an organization, it will ensure that even if an email and password are compromised, they don't unlock access to the organization's systems.
How can CISOs ensure that cyber resilience governance is effectively integrated at all levels of an organization?
CISOs often have a very difficult job in persuading colleagues that cyber resilience is not just the responsibility of the IT department but a responsibility of everyone across the organization. The only way cyber resilience is successfully integrated at all levels is if each individual in the business feels some ownership over it.
It’s essential that CISOs can segment the audiences they need to reach and tailor cyber messages according to those audiences, from the newest employees to those at board level. To gain the interest and support of employees on the ground as an example, it can be helpful to make clear that basic cyber hygiene is of benefit not only to their work but also to their personal lives, and will help to keep both them and their families safe online.
Within every organization there will be key influencers at each level of the business. By making direct approaches to those individuals, CISOs can work out key motivators, understand any blockers and ensure they gain supporters business-wide.
What lessons have you learned from recent high-profile cyber breaches that can help improve cyber resilience in businesses?
Recent examples of successful breaches have shown the importance of knowing who (including software) has access to what within a business, and what dependencies that means the business has. This seems fairly straightforward to work out but when you consider that a supplier has its own suppliers, who have their own suppliers, the chain can appear endless.
Supply chain management is therefore becoming a wide-spread consideration for businesses. Large companies can have thousands of potential suppliers and each of those suppliers has the potential to be an attack vector.
Whilst this isn’t a panacea, one tactic businesses are implementing is to ask their suppliers to acquire certification, such as Cyber Essentials, as a prerequisite for doing business together. This is where our network of police-led Cyber Resilience Centres, located across England and Wales, is helping businesses in the UK. The nine regional centres work with smaller organizations in their localities to put in place basic hygiene requirements which, in turn, is helping to strengthen the supply chain at large. It is a new and innovative approach and is a model which is being watched with interest internationally.
How critical is stakeholder involvement (both internal and external) in developing a robust cyber resilience strategy?
The poem 'no man is an island' is very apt in today's digital and interconnected world. There are very few businesses which are not connected to another in some way and so, considering cyber resilience in a silo is both ineffective and unhelpful.
In putting together a cyber resilience strategy, businesses need to fully understand their internal and external dependencies. It is only by getting to grips with these dependencies that a business will be able to survive downtime in the event of a cyber attack.
If a business is a supplier of services to others, it needs to be clear on its clients' expectations and what its liability is should it be unable to deliver services on time or indeed at all.
Looking internally, businesses must agree whose systems are the highest priority to recover in order to ensure a smooth and swift return to business-as-usual. In many instances, it may not make the most sense for system recovery to take place in order of seniority, but unless businesses plan and map their approach, then this is most likely what will happen during a cyber breach.
How can organizations measure and test their cyber resilience readiness effectively?
There are several ways to measure and test cyber resilience, depending on the size, sector and maturity of the organization. Some organizations will have to comply with higher requirements than others or may have different levels of risk appetite.
The first question every business should ask itself, and be able to accurately answer, is: ‘What digital assets have we got and who has access to them?’ An organization could believe that it is resilient in every way but if it has a decade-old computer which everyone has forgotten about, running without any updates or patches, then that presents a significant security risk.
Organizations can acquire accreditations to help them publicly demonstrate the efforts that they have gone to in order to ensure cyber resilience and these also provide a level of outside scrutiny. However, they typically only provide a point-in-time measure which may become out of date if the organization introduces a new piece of equipment or software.
It’s advisable for organizations to put in place regular checkpoints throughout the year, in the same way they would test their fire alarms, to ensure any IT or cyber resilience policy remains effective and is up to date.
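The "regular checkpoint" idea above is easier to sustain when the asset question is answered by a script rather than a memory. The following is an added example (not part of the interview, and not an NCRCG tool): a minimal review of an asset register that flags the kinds of entries that quietly become risks, including a host with no named owner, a host whose last patch is older than a threshold, and a host that has stopped checking in (the forgotten computer the interview describes). The register, field names, dates and thresholds are all constructed for illustration; in practice the data would be exported from an inventory or endpoint-management tool.

```python
"""Added example: a scheduled hygiene review of an asset register.

Everything below (hosts, owners, dates, thresholds) is constructed for
illustration and is not real data or policy.
"""
from datetime import date

# Constructed sample register. Each entry records who owns the host, when it
# was last patched and when it last reported in to management tooling.
ASSETS = [
    {"host": "fin-app-01",    "owner": "finance-it", "last_patch": "2024-05-20", "last_seen": "2024-06-01"},
    {"host": "old-print-srv", "owner": "",           "last_patch": "2015-02-10", "last_seen": "2024-05-30"},
    {"host": "dev-box-7",     "owner": "platform",   "last_patch": "2024-05-28", "last_seen": "2023-11-02"},
    {"host": "hr-db-02",      "owner": "hr-systems", "last_patch": "2024-03-01", "last_seen": "2024-06-01"},
]

MAX_PATCH_AGE_DAYS = 60  # assumed policy: every host patched within 60 days
MAX_SILENCE_DAYS = 30    # assumed policy: every host reports in within 30 days


def review_assets(assets, today, max_patch_age=MAX_PATCH_AGE_DAYS, max_silence=MAX_SILENCE_DAYS):
    """Return {host: [findings]} for every asset that fails a hygiene check.

    A host with no owner has nobody to patch it or answer for it; a host that
    has not been seen recently may have been forgotten rather than retired,
    which is the case the review exists to catch.
    """
    findings = {}
    for asset in assets:
        issues = []
        if not asset.get("owner"):
            issues.append("no owner")
        patch_age = (today - date.fromisoformat(asset["last_patch"])).days
        if patch_age > max_patch_age:
            issues.append(f"unpatched for {patch_age} days")
        silence = (today - date.fromisoformat(asset["last_seen"])).days
        if silence > max_silence:
            issues.append(f"not seen for {silence} days")
        if issues:
            findings[asset["host"]] = issues
    return findings


def example_review():
    """Run the review against the constructed register on a fixed date."""
    return review_assets(ASSETS, date(2024, 6, 3))


if __name__ == "__main__":
    for host, issues in example_review().items():
        print(f"{host}: {'; '.join(issues)}")
```

Run on a schedule (the fire-alarm cadence the interview suggests), the useful output is not the list itself but its diff from last time: a host that newly appears without an owner, or that has just gone silent, is a question for someone to answer that week rather than something discovered during an incident.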
How important is fostering a culture of cyber resilience across all organizational levels, and what are some best practices for achieving this?
The risk to businesses from cybercrime has not diminished and businesses have to be prepared not only to thwart attacks but to respond effectively if an attack is successful.
It goes back to creating a culture where each person in the business understands that cyber resilience is within their remit and appreciates that they are a vital cog in the cyber hygiene machine. Security awareness training is key to this.
Every employee in every team must know how to report suspicious activity or emails and feel confident to do so straight away – rather than feel like it’s something they need to keep hidden for fear of being reprimanded.
Each department must also appreciate how a seemingly small breach or poor cyber practice within their own team can impact on the rest of the organization. As an example, it is not yet standard practice for organizations to view HR as a key stakeholder in cyber resilience – and yet it absolutely should be. Should an employee join or leave the company, it is HR colleagues who support with their onboarding and offboarding and navigate when access to the company’s systems is provided and revoked.
Cyber resilience must become an everyday consideration and conversation, in exactly the same way that health and safety has. Just as you would lock the front door when you leave the house, all organizations must be proactive in keeping their online house protected.
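The point about HR as a stakeholder becomes concrete once the joiner and leaver data HR already holds is compared against what the IT systems actually grant. The following is an added example (not part of the interview, and not an NCRCG tool) that reconciles a constructed HR roster with constructed account exports from two systems and reports leavers whose accounts are still enabled, accounts with no matching person, and leavers whose access was revoked later than an assumed grace period. The names, systems, dates and grace period are assumptions for illustration.

```python
"""Added example: reconciling an HR roster with account directories to catch
offboarding gaps.

All names, systems, dates and the grace period are constructed for
illustration; nothing here is real data or a real policy.
"""
from datetime import date

# Constructed HR roster: current status and, for leavers, their last day.
HR_ROSTER = {
    "alice": {"status": "active", "leave_date": None},
    "bob":   {"status": "left",   "leave_date": "2024-05-10"},
    "carol": {"status": "left",   "leave_date": "2024-04-01"},
}

# Constructed account exports. 'disabled_on' stays None while an account is live.
ACCOUNTS = {
    "directory": {
        "alice": {"enabled": True,  "disabled_on": None},
        "bob":   {"enabled": True,  "disabled_on": None},          # leaver still enabled
        "carol": {"enabled": False, "disabled_on": "2024-04-20"},  # disabled, but late
    },
    "vpn": {
        "alice":      {"enabled": True, "disabled_on": None},
        "svc-backup": {"enabled": True, "disabled_on": None},      # no HR record at all
    },
}

GRACE_DAYS = 1  # assumed policy: access revoked within one day of leaving


def reconcile(roster, accounts, today, grace_days=GRACE_DAYS):
    """Return sorted (severity, system, account, message) findings.

    high:   a leaver still has an enabled account (access should be gone).
    medium: an account has no HR record (an orphan or an unowned service
            account; either way somebody must be named as accountable).
    low:    a leaver's access was revoked, but later than the grace period.
    """
    findings = []
    for system, users in accounts.items():
        for name, acct in users.items():
            person = roster.get(name)
            if person is None:
                findings.append(("medium", system, name, "account has no HR record"))
                continue
            if person["status"] != "left":
                continue
            left = date.fromisoformat(person["leave_date"])
            if acct["enabled"]:
                overdue = (today - left).days
                findings.append(("high", system, name,
                                 f"leaver still enabled {overdue} days after leaving"))
            elif acct["disabled_on"]:
                lag = (date.fromisoformat(acct["disabled_on"]) - left).days
                if lag > grace_days:
                    findings.append(("low", system, name,
                                     f"revoked {lag} days after leaving"))
    return sorted(findings)


def example_findings():
    """Run the reconciliation against the constructed data on a fixed date."""
    return reconcile(HR_ROSTER, ACCOUNTS, date(2024, 6, 3))


if __name__ == "__main__":
    for severity, system, account, message in example_findings():
        print(f"[{severity}] {system}/{account}: {message}")
```

The "low" findings are the ones worth watching over time: a consistent lag between HR's leave date and the directory's disable date shows that the offboarding handover between HR and IT is not working, even when every account does eventually get closed.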