Assess, Test, Scan, Repeat: Building Organisational Cyber Resilience (Guest blog by Vaultinum)
It has been argued that for government and industry to have any real effect in combatting cybercrime, their cooperation must reach the scope and scale of coordination not seen since the threat of global terrorism in the post 9/11 world. Yet, up until very recently, organisations were mostly left to deal with the consequences of a cyber-attack on their own. In the meantime, the scale and impact of cyber incidents escalated to the point where being a victim of cybercrime has become more a question of when rather than if. In fact, the CyberEdge 2022 Cyberthreat Defence Report found that more than 80% of UK businesses were the victim of a successful attack in 2021/2022.
The good news is that enhancing cyber security legislation and enforcement are firmly on the radar of governments around the world, from the modernisation of the EU NIS Directive and the implementation of GDPR, to the recently passed cyber security legislation in the USA, to the expansion of the Network and Information Systems Regulations (NIS Regulations) here in the UK.
Notably, the UK NIS Regulations take a page out of the counter-terrorism playbook by recognising that government alone cannot deal with the cyber challenge: to be truly effective, organisations of every size and sector must play their part. Pillar 2 of the NIS Regulations offers a broader response which encourages the exchange of intelligence, information and expertise between the government and private sector while also advocating proactive management of cyber risk.
Essentially, Pillar 2 of NIS addresses what the Centre for Strategic and International Studies (CSIS) found in their fourth report on cybercrime: most organisations in the UK do not have a plan in place to both prevent and respond to cyber security breaches. Moreover, organisations continue to exhibit dissonance between their perception of cyber-attacks as a top risk and their approach to managing it. For example, in the same CSIS report, 38% of organisations surveyed attributed the success of an attack to a lack of user knowledge, and yet, instead of enhancing knowledge and training staff, companies generally chose to invest in new or different software after a security incident.
So, What Can Companies Do Now to Build a Framework for Cyber Resilience?
- Assess your policies and procedures to ensure they are up to the task.
All companies, big and small, need to assess their current policies and procedures to determine what cyber security controls are in place and what reinforcements are needed considering the NIS strategy. Chiefly, renewed focus on operational structures, cyber hygiene and best practices may have more impact than investing in new technologies to fill in any identified gaps.
Additionally, with commonly cited estimates attributing 88-95% of data breaches to employee error, a comprehensive cyber policy should prioritise activities aimed at reinforcing employees' cyber reflexes. Regular awareness-raising campaigns and training exercises may therefore be one of the most important factors in preventing cyber-attacks, provided their effect is measured (for example, by tracking how staff respond to simulated phishing over time) rather than assumed.
- Test the effectiveness of your cyber security controls.
While a cyber self-assessment will identify policy gaps as well as the presence of certain cyber security measures, the effectiveness of those measures must also be assessed on a regular basis. Knowing a cyber security measure exists is not the same as knowing that the measure is an effective control of cyber risk.
For example, your cyber self-assessment may indicate that your organisation encrypts data to ensure its communications are secure. However, not all encryption is created equal: deprecated protocol versions, weak cipher suites, poor key management, or data that is encrypted in transit but stored in the clear all leave gaps that a tick-box assessment will not reveal. A penetration test - an authorised, simulated cyber-attack with an agreed scope - can help identify such flaws, among other areas.
- Scan your software to secure your digital supply chain.
The embrace of open-source software solutions to run business operations has transformed the risk landscape for most organisations. For example, when the Log4j vulnerability (CVE-2021-44228, "Log4Shell") was disclosed, many companies were unaware that their systems were affected, because the vulnerable library was not something they had chosen directly: it arrived as a transitive dependency, pulled in by software that was itself integrated with other software.
Organisations should take steps to understand the various pieces of code that make up their software by running an open-source vulnerability scan (often called software composition analysis). Such a scan builds an inventory of direct and transitive components and their versions, and matches it against published vulnerability databases to surface security weaknesses in open-source software that can make a project more susceptible to attacks. Two caveats apply: a scan only finds vulnerabilities that are already known, so the inventory must be rescanned as new advisories are published, and a finding is only useful if it reports which direct dependency brings the vulnerable component in, since that is the relationship the organisation can actually change.
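As an added illustration of the point above (this is example code written for this post, not a Vaultinum or techUK tool), the following script walks a constructed, lockfile-style dependency graph for a hypothetical application, matches each resolved component version against a constructed advisory list, and reports the full path from the application to the vulnerable component. The Log4j advisory entry mirrors the published version range for CVE-2021-44228 (log4j-core 2.x before 2.15.0); every package name other than log4j-core, and the second advisory, are hypothetical.

```python
"""Minimal transitive-dependency vulnerability scan (illustrative example)."""
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '2.14.1' into (2, 14, 1) so that
    versions compare numerically rather than as strings ('2.9' < '2.14')."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    ident: str


# Constructed advisory list. The log4j-core entry mirrors the published
# Log4Shell range (CVE-2021-44228 affects log4j-core 2.x before 2.15.0);
# the second entry and its package name are hypothetical.
ADVISORIES = [
    Advisory("log4j-core", "2.0", "2.15.0", "CVE-2021-44228"),
    Advisory("example-parser", "1.0", "1.4.2", "EXAMPLE-ADV-0001"),
]

# Constructed, resolved dependency graph for a hypothetical application.
# Each entry maps a package to the (dependency, pinned version) edges it
# declares, in the shape a lockfile or SBOM would give a scanner.
DEPENDENCY_GRAPH = {
    "our-app": [("web-framework", "3.2.0"), ("report-lib", "1.1.0")],
    "web-framework": [("example-parser", "1.4.2")],
    "report-lib": [("pdf-export", "0.9.3")],
    "pdf-export": [("log4j-core", "2.14.1")],
    "example-parser": [],
    "log4j-core": [],
}


def is_affected(version: str, advisory: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def scan(root: str, graph: dict, advisories: list) -> list:
    """Walk the graph depth-first from `root` and return one finding per
    vulnerable (package, version) reached, with the full path from the root
    so the owner can see which direct dependency pulls it in."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)

    findings = []

    def walk(pkg, version, path, seen):
        if (pkg, version) in seen:  # cycle guard; real graphs can loop
            return
        seen = seen | {(pkg, version)}
        if version is not None:     # the root application carries no version
            for adv in by_package.get(pkg, []):
                if is_affected(version, adv):
                    findings.append({
                        "package": pkg,
                        "version": version,
                        "id": adv.ident,
                        "fixed_in": adv.fixed,
                        "path": " > ".join(path),
                        "depth": len(path) - 1,
                    })
        for dep, dep_version in graph.get(pkg, []):
            walk(dep, dep_version, path + [f"{dep}@{dep_version}"], seen)

    walk(root, None, [root], frozenset())
    return findings


if __name__ == "__main__":
    for f in scan("our-app", DEPENDENCY_GRAPH, ADVISORIES):
        print(f"{f['id']}: {f['package']} {f['version']} (fixed in {f['fixed_in']}) "
              f"reached via {f['path']}")
```

Run as written, the scan reports a single finding: log4j-core 2.14.1 three levels down, reached only through report-lib, while example-parser 1.4.2 is correctly cleared because the advisory's fixed version is exclusive. A real tool would read the graph from a lockfile or SBOM and pull advisories from a live database, but the two checks that matter, numeric version comparison and reporting the path rather than just the package, are the same.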
- Then repeat, repeat, repeat.
As a society, we need to come around to the idea that cyber security, like counter-terrorism, is never truly accomplished. Every day new vulnerabilities are disclosed and new breaches come to light. Every business change can create unintended vulnerabilities. Every new employee, consultant or contractor is a new risk that needs to be managed. An attacker only needs to be successful once, while a company's security measures must be successful every time, in an ever-changing threat landscape. The regular undertaking of cyber security assessments, including testing and vulnerability scanning, evaluating the results, and implementing improvements is thus an essential, and never-ending, process that should be adopted by all organisations dedicated to building cyber resilience.