Why Is Cyber Security So Hard?
Hardly a week seems to go by without news of another company suffering some kind of cyber-attack or data breach. In October Equifax admitted that almost 700,000 UK consumers had their personal details compromised following a cyber-attack. Meanwhile, the latest attacks served fake adverts for web browser updates from a popular adult website that we’ve never heard of! Don’t worry, the link is Safe For Work.
I read a lot of articles to research these blogs and came across a wonderful subheading on the site of a US-based company called CSO, which seems to sum up the current situation:
‘When it comes to cybersecurity, why does it feel like everything is on fire all the time?’
The report asked 600 U.S. and UK CISOs and senior IT decision makers about the biggest challenges they face. Across the board, the majority report four areas central to cybersecurity are all at risk – resources, preparation, detection and overarching strategy – exposing their organisations to significant cyber threats.
So why is it so difficult?
Lack of awareness is no excuse; everybody knows that cybersecurity is a big issue. It’s also big business. There are all types of cybersecurity solutions that you can buy, such as antivirus, firewalls, email and web filtering, password managers etc., as well as all types of experts who can provide consultancy and support.
Unfortunately, nothing is totally secure – if thieves are determined enough things get stolen.
In fact, perfect security is pretty much impossible in any useful system.
“The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” –Robert H. Morris, former Chief Scientist of the National Computer Security Center (early 1980’s)
“Unfortunately, the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.” –Prof. Fred Chang, former director of research at NSA (2009)
The problem is the complexity of systems, a lack of suitably trained cybersecurity personnel and the pace at which new technology develops. Whilst the Internet of Things brings amazing advances in functionality, it also brings brand new security vulnerabilities.
These factors mean that effective cybersecurity is difficult and is likely to get more difficult for the foreseeable future. Indeed, attacks have become so common in recent years that the conventional wisdom within the cybersecurity community has shifted from a mindset of ‘if’ we are hacked to ‘when’ we are hacked.
But it’s not all bad news…
It might seem that everything is going wrong, that nobody can stop the march of the cyber-criminal but that’s not strictly true. It might sound counter-intuitive, but we don’t actually want to see a narrative about things going right. In a mostly working system, a story emerges when something breaks. In a completely broken system, the story is when something goes right. This means we’re not completely broken.
The answer to why it’s so hard to get anything right isn’t really about everything going wrong. It’s a story about all the things that go right. Most organizations get more right than they get wrong. This seems hard to believe if you only pay attention to the news of the day.
The average number of attacks on individual company firewalls surpassed 1,000 PER DAY in November last year – if all of these had got through, the business world would have ground to a halt some time ago!
And, in the same way as shutting the windows and locking the door will put off the opportunistic burglar, getting the security basics in place WILL help ward off a large percentage of attacks.
There are a number of steps you can take to mitigate the risk as much as possible.
Risk assessment and data mapping
You first need to understand what data you have and where it is stored in order to protect it. This is the starting point of a risk assessment: working out what your most important and sensitive data is, and understanding where it comes from, how it is stored, how it is processed and where it goes, should help you understand what risks exist in your business.
If you don’t take this step (and you can work with external organisations to help you – we offer a FREE cyber security assessment for companies in the East Midlands*), it’s difficult to prioritise and you’re liable to focus on making the easiest fixes rather than targeting resources at what really needs doing.
Once you have identified your risks you need to implement controls. You could consider adopting one of the established frameworks for cybersecurity such as:
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. We believe that implementing these measures can significantly reduce an organisation’s vulnerability. However, it does not offer a silver bullet to remove all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does is to define a focused set of controls which will provide cost-effective, basic cybersecurity for organisations of all sizes.
The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs to be light-touch and achievable at low cost.
PAS 555 was released by the British Standards Institution (BSI) in 2013. While most guidance and standards identify problems and offer solutions, PAS 555 takes the approach of describing the appearance of effective cybersecurity. That is, rather than specifying how to approach a problem, it describes what the solution should look like.
In itself, this is difficult to reconcile against a checklist of threats and vulnerabilities but, in conjunction with other standards, it can be used to confirm that the solutions are comprehensive.
PAS 555 specifically targets the organisation’s top management and is deliberately broad in its scope. It is primarily intended as a framework for the governance of cybersecurity which allows executives and senior management to compare the organisation’s cybersecurity measures against the established descriptions at a high level. When implemented, this provides an ‘umbrella’ under which other standards and guidance can fit to flesh out the results described.
ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMSs). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability. The Standard offers a set of best-practice controls that can be applied to your organisation based on the risks you face and implemented in a structured manner in order to achieve externally assessed and certified compliance.
By fulfilling the requirements of ISO/IEC 27001, you will be fulfilling the majority of the requirements of the other standards and guidance relating to cybersecurity. Any remaining gaps identified by other guidance can then be plugged with a minimum of fuss.
It’s all well and good having the controls in place, but you also need a schedule for regularly evaluating whether those controls remain fit for purpose.
Where certification often falls down is that organisations become complacent once they have achieved it. In the case of standards such as ISO 9001 or Investors in People this might mean a bit of additional work to get back up to standard before the next assessment, but with cybersecurity this can lead to a breach, major loss of data and huge damage to the business both financially and reputationally.
Build in regular checks, including control testing and penetration testing, to make sure what you’re doing is still effective.
Plan for a breach
The best-prepared companies are shifting their cybersecurity strategies from focusing on outright prevention to implementing techniques to quickly detect breaches and limit the damage once a breach has been confirmed.
Planning for a breach means making sure you’ve got a disaster recovery plan in place and that staff know what to do in the event of discovering a cyber-attack. You also need to make sure you’ve got a robust back-up process in place, that back-ups have been checked regularly, and that you know how to clean down your system and restore a back-up (if you’re going to be doing that yourself).
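One practical way to make “back-ups have been checked regularly” more than a box-tick is to record a hash manifest of what was backed up, and then routinely restore the archive into a scratch directory and compare every restored file against that manifest. The script below is an added illustration of that check, not code from the original post or from any backup product; the directory names, sample files and the “backup-1”/“backup-2” archives are all constructed for the demonstration, and the manifest format is our own choice rather than any standard.

```python
"""Backup integrity check with a test restore.

Added example (not the original post's code): records a SHA-256 manifest of
the files being backed up, restores the archive into a scratch directory and
compares every restored file against the manifest. All paths and sample files
below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(src_dir: Path) -> dict[str, str]:
    """Map each file's path (relative to src_dir) to its SHA-256 digest."""
    return {
        str(p.relative_to(src_dir)): sha256_of(p)
        for p in sorted(src_dir.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir: Path, archive: Path) -> dict[str, str]:
    """Write a gzip-compressed tar of src_dir and return its manifest.

    Keep the manifest apart from the archive (e.g. in the backup catalogue) so a
    tampered or truncated archive cannot also rewrite the record it is checked against.
    """
    manifest = make_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Restore the archive into a scratch directory and diff it against the manifest.

    Reports files that are missing, whose content differs, or that are present in
    the archive but absent from the manifest (unexpected extras).
    """
    report: dict[str, list[str]] = {"missing": [], "mismatch": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" extraction filter (Python 3.12, backported to some 3.8-3.11
            # releases) rejects absolute paths and ".." traversal inside the archive;
            # older interpreters raise TypeError for the keyword, so fall back.
            try:
                tar.extractall(scratch_dir, filter="data")
            except TypeError:
                tar.extractall(scratch_dir)
        restored = make_manifest(scratch_dir)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual != expected:
            report["mismatch"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def backup_is_good(report: dict[str, list[str]]) -> bool:
    """A restore test passes only when every list in the report is empty."""
    return not any(report.values())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """A good backup, then one taken after a file was silently altered."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        src = work_dir / "data"  # constructed sample data set
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        good_archive = work_dir / "backup-1.tar.gz"
        manifest = create_backup(src, good_archive)
        good_report = verify_restore(good_archive, manifest)

        # Simulate silent corruption before the next run: the ledger changes, so the
        # new archive no longer matches the manifest we recorded and trust.
        (src / "accounts" / "ledger.csv").write_text("id,amount\n1,999\n")
        bad_archive = work_dir / "backup-2.tar.gz"
        create_backup(src, bad_archive)
        bad_report = verify_restore(bad_archive, manifest)
    return good_report, bad_report


if __name__ == "__main__":
    good, bad = demo()
    print("backup-1 restore ok:", backup_is_good(good), good)
    print("backup-2 restore ok:", backup_is_good(bad), bad)
```

Run on a schedule, the same `verify_restore` call against the previous run’s manifest turns a quiet change or a truncated archive into an alert, which is exactly the evidence you want before the day you actually need the restore.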
You also need to consider what the costs are of a breach or attack and consider whether cyber insurance is worthwhile for the organisation.
Cybersecurity is hard, but it is ‘doable’
The reason cybersecurity is hard is that management of the risk is a complex topic that requires substantial organisational involvement. It is not just the responsibility of the IT department or your outsourced IT support provider.
In a nutshell, the business needs to recognise the level of risk, then plan and prepare for the worst. Without the risk assessment element, which people often miss out, you are making decisions in the dark. You might be plugging gaps that aren’t there whilst leaving gaping holes.
Communication across the organisation is vital. Technology can only protect you so far and effective training of people is of paramount importance. This not only means those taking some responsibility for the risk assessment, controls, verification or recovery but EVERYONE in the organisation. Attacks that slip through technical solutions can still be prevented by knowledgeable staff recognising the threats.
If it all sounds a bit daunting, get some help!
We can provide the technical solutions and work with approved partners that provide guidance, training, and consultancy.
If you’d like to talk to us about any element of cybersecurity or book a FREE cyber security assessment then please give us a call on 0115 822 0200 or fill in the contact form.