Building a cyber defence strategy
The rise of the internet over the last few years has revolutionised how we live and work, becoming an everyday essential. Our dependency on the internet is increasing and, unfortunately, along with convenience comes an acute rise in security threats. Recent, high-profile news stories have shown that in this era of ever-increasing connectivity, confidentiality, integrity and availability of data are paramount.
The threats are many and varied, and the adversaries range from criminal gangs through hacktivists to state-sponsored cyber-attacks. The UK Government estimates the cost of a cyber-security breach for small to medium-sized businesses to be between £35,000 and £65,000. Beyond the financial liability, other risks to business include loss of data and the subsequent impact on public perception; denial of service and the effect on business continuity; espionage and the loss of intellectual property; and criminal activity for financial gain.
A slow-burning attack
A well-designed cyber-attack can go unnoticed for some time, and the potential damage that can be inflicted on the victim is huge. The sophistication and technical prowess of these attacks are growing exponentially.
Small and medium businesses suffer additional risk as they are frequently part of crucial supply chains. Sophisticated adversaries will seek to target the weakest link in the chain, often a less well-protected smaller business, in order to gain access to a more high-profile target. It becomes essential, therefore, for smaller businesses to fortify their cyber protections in order to maintain security within their industry. In the event of a small/medium business compromise leading to severe data, service or financial loss, there would be negative repercussions, diminished reputation and disintegration of the essential trust from other members of the chain.
The three dimensions
When building on a cyber-defence strategy it is vital to look at an organisation from a high level and separate it into three dimensions: people, process and technology. All three elements are key to cyber security, but many companies place too much reliance on technology to provide protection on their networks. Whilst technology is a major element in a solid cyber defence, the technology becomes moot if not backed up by the astuteness of the people using it or the processes in place to manage incidents and preserve assets.
Risk management has long been a part of everyday business, so in the modern world combating the risk of cyber threats should be integral to the way businesses function.
Threat awareness is fundamental to assessing the risk of a cyber-attack, and this awareness is central to the foundational elements of cyber security. A company that has a grasp of the foundational elements of information assurance will cut its risk significantly. Part of foundational security, and an easy win for small and medium businesses, is ensuring the appropriate training of employees; this falls under the people dimension of a cyber-strategy. The users are the front line of cyber-defence, and if they are trained to recognise abnormal emails or behaviour this could be the simplest and most cost-effective way to prevent an attack. Creating a cyber-security culture in an organisation creates awareness across all levels, providing basic defence in depth.
However, detection is only the first step of a successful defence; communication, reporting and escalation are crucial in mitigating the risk. Invoking best practices and having the appropriate policies and processes in place is intrinsic. Reporting any major intrusions externally and to the authorities plays a key role in enriching defences within the industry.
Help for small & medium firms
There are many collaborative groups evolving within government and industry which provide support to small and medium sized businesses. These groups, such as CISP (Cyber-Security Information Sharing Partnership) pioneered by CPNI (Centre for the Protection of National Infrastructure), create an environment for businesses in the same industry or cross industry, supply chain or governments to share intelligence on recent compromises and vulnerabilities and provide critical information for partners to mitigate and prevent compromise.
In addition, a basic hardening initiative such as gaining basic visibility into your network highlights the pivotal systems that need defending. Retaining basic network logs and toughening security of the network perimeter is a simple strategy which is complemented by enforcing a good level of security on endpoint assets. Maintaining up-to-date software and anti-virus is a sure-fire way to harden protections of endpoint assets and solidify foundational technology security elements.
Where to begin?
The task of hardening one’s cyber security can appear daunting with many businesses questioning: where to begin? Seeking advice and following best practices is a simple answer. One example of this is the ‘10 Steps to Cyber Security’, developed by a partnership between BIS and CESG. This outlines the 10 basic topics to consider when managing the risk of cyber threats. Similarly, organisations such as IASME (Information Assurance for Small and Medium sized enterprises) outline essential security models to help small and medium sized businesses get to grips with cyber defence.
The simple fact is that the cyber threat will never abate, and as time goes on technology evolves, increasing the tools available to savvy and versatile adversaries.
By continually addressing the three key elements of People, Process and Technology, businesses can go a long way towards dealing with today’s threats and preparing themselves for the future.
Paul Weatherly is convener of the London Chamber of Commerce’s Defence and Security Group, and managing director of Lockheed Martin UK Information Systems and Global Solutions.
This article appeared first in London Chamber of Commerce and Industry’s London Business Matters magazine www.londonbusinessmatters.co.uk