We have just witnessed two significant ransomware / malware attacks in as many months that caused a lot of disruption to businesses globally. Some, like TNT, are still struggling to recover at the time of writing this whitepaper (10-07-2017).
What surprised most was how organisations were caught out again by the second attack when it used largely the same exploit as the first one. Surely organisations would have learnt from the first attack and put measures in place to protect themselves? It would appear that this was not the case with many who were impacted. It is very easy to jump to the conclusion that organisations are negligent when it comes to cyber security and got what they deserved. However, when you speak to these organisations like I have, you soon realise that they are not negligent, but are simply overwhelmed with what’s happening and do not know where to begin when their infrastructure and, as a consequence, their cyber security issues seem insurmountable. The situation is further complicated by technology vendors and systems integrators alike that are promising shiny new tools to address new and advanced threats as a panacea for all ills without fully understanding the problem first. Trying to fit a problem to a technology solution never addresses the issue. It only provides a false sense of security and wastes limited resources.
Many of the organisations I have spoken to simply need to understand where to start and how to then go about addressing their cyber security risks. Within this whitepaper, I will try and outline some points to assist organisations on this journey by explaining the why, how and what of cyber security.
Let’s start with the why first in order to understand why we must address this cyber security challenge. There are two points of view to consider here:
- Internal – understand the value of your key information assets and the need to protect them. Understand what these are, what they are worth to you and how much you are prepared to spend to protect them. Then understand what controls are in place and what should be in place relative to the value of the asset. This is the simplest form of a risk analysis an organisation could perform. This process will highlight the vulnerabilities affecting your information assets as evidenced by any key controls that may not be in place
- External – this is the part most organisations miss. In order to protect your assets, you need to understand who is targeting you and why. Once you know this, you can then tailor your controls to address these threats. It is this understanding of your key assets, and threats and vulnerabilities affecting them that can allow you to derive a comprehensive cyber security strategy
Understanding why you need to address your cyber security challenges is a good starting point. Now we need to look at the how – how do we go about building a comprehensive cyber security strategy that will adequately mitigate your key cyber security risks.
Outlined below are the key things you need to consider when building your cyber security strategy:
- Risk appetite – how much risk are you willing to take as an organisation, as defined by the Board and Execs? This in turn will drive the mitigation strategies you adopt to address your cyber security challenges. A point to make here is that your cyber security program should be closely aligned to your overall organisation risk management framework and program
- Governance – how do you want to manage and monitor the risks that impact your information assets? Document this and use this as a process to measure and report on your key information risks to the Board and Execs so that they have the comfort that the risks are being managed in accordance with their stipulated risk appetite. Many organisations struggle to provide meaningful business related security reporting up to the Board. Reporting on key risks and their management may be a good place to start
- Compliance – understand the compliance requirements on your organisation and build this into your cyber security strategy. Having compliance as part of your overall strategy is a cost effective way to address these requirements. Please note that compliance should be a part of your cyber security strategy – not the strategy itself. Compliance almost always sets minimum standards which may not be suitable for your risk appetite
- Policies and Procedures – document the ways you want to secure your key information assets in line with your risk appetite. These policies and procedures will form the security framework that will guide the technology that needs to be deployed to automate some of the desired security controls
- Technology – the technology that needs to be deployed to address the risks determined with the security framework outlined above
- Infrastructure – the underlying infrastructure that will support the technology and security framework deployed to mitigate the risks identified.
It is important to outline the steps above (and they are meant to be sequential) to highlight the fact that technology determination comes towards the end and not the beginning. Too often have I seen organisations adopt a shiny new toy to address a poorly understood problem only to result in the whole thing failing and the technology and vendor being bashed! If you use a hammer to drive a screw in, there is going to be only one outcome – and it’s not going to be good!
Visually the key considerations look like this:
Having looked at the key cyber security considerations, now let’s focus on a simple methodology that an organisation could adopt to define its cyber security strategy. This is documented below:
1. Assess – define and document your organisation’s risk appetite, governance and compliance requirements to understand how and to what level you will be protecting your IT assets
2. Define – define the scope of what assets you are looking to protect and how critical they are. The measure of the criticality of an information asset needs to come from the respective business owner
3. Conduct – conduct a risk analysis over the assets in scope to determine what controls are in place and what controls need enhancing. There are many guides available such as ISO, NIST, etc. that can aid with this process. Couple these findings with a threat intelligence analysis of the dark markets in particular, to see who may be targeting you and for what. Bringing these two items together will provide you with a perspective of your threats (who is targeting you) and your vulnerabilities (missing controls), the combination of which will allow you to document an effective cyber security strategy
4. Create – create the policies and procedures required to manage your IT security environment and risks. This will effectively provide the guidelines on what controls need to be in place and how to effectively document the security framework that is needed to make your cyber security strategy a reality
5. Implement – now implement the technologies required to automate the controls in steps 3 and 4 above. Putting technology in this phase will allow you to address a documented business issue and not randomly deploy a new shiny toy!
6. Maintain and Manage – manage the technology deployed and alerts that come out of it. Unfortunately most organisations do not look at the alerts in time (or don’t look at them at all) which is why the average time before a breach is discovered is still approximately 220 days! There is no point deploying technology that you will not use effectively
Once this process is complete, you will need to perform steps 3-6 in limited form at least annually to ensure that you stay on top of new and emerging risks. If the environment (your infrastructure, compliance regulations, etc.) changes substantially, it will become necessary to start from the beginning.
Visually, this is what the methodology looks like:
Having discussed the why and how, let’s now look at the what. The process and methodology above can be a little daunting so, as a start, I have defined below the three things you should do to stay secure:
1. User Awareness and Cultural Change – ensure that users are aware of their cyber security obligations and know how to spot and thwart attacks. Users are usually talked about as the weakest link in the security chain. By engaging in this process you can turn them into your first line of defence – the human firewall. Imagine the difference between an employee that will click on any link in a random email vs one that will notify IT and delete an unrecognised email immediately!
2. Perform a Dark Market Scan – understand who is targeting you and why. Accumulate the evidence necessary to prove to decision makers that the threat is real and we need to take steps to bolster our defences. I am sure no one wants to hit the newspapers like TNT and Cadbury did! No one should stop the production of chocolates!
3. Perform a Risk Analysis – understand and quantify your risks by looking at your key information assets and the controls that are in place. Benchmark yourself to standards such as NIST, ISO 27001, etc. and put a program in place to address your control weaknesses. Couple the outputs of step 3 with 2 and document your cyber security strategy.
It is fair to say that with the current environment, the threats and vulnerabilities will only get worse. The choice we have is to do something about this now or face the consequences of our inaction. Security is a journey, but it doesn’t have to be complicated. Focus on the why, how and what of security and stay safe.
Ashwin Pal is the Unisys Director of Security Services responsible for Unisys’s security business in the Asia Pacific region - https://www.linkedin.com/in/ashwin-pal-a1769a5.