Action Plan on Cyber Resilience Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

Action Plan on Cyber Resilience

Guest Blog: The cyber resilience model

 960 638 Stuart O'Brien
By:
0
0

For too long, organisations have sought the holy grail of 100% Cyber Security. But security is never absolute; it is essential to understand that a breach is inevitable. It is the way in which organisations respond to a cyber security breach that is critical.

Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance explains the fundamental importance of creating a Cyber Resilient model…

Cyber Security Myth

Cyber security is defined as the state of protecting information from attack by identifying risks and establishing appropriate defences. But as investment in security solutions continues to spiral it is essential for organisations to recognise the truth: total cyber security is unachievable. 

Cyber criminals can and will dramatically outspend their targets, creating ever changing and ever more sophisticated threats. At the same time, the ease with which these individuals and organisations bypass security technology and exploit poor process and ill-educated employees simply reinforces the futility of the current model: when 93% of security breaches occur as a result of a phishing or pretexting email, clearly a different approach is required.

Breaches occur routinely – and companies rarely know they have been breached. Not only are the majority of security breaches actually identified by third parties, on average it takes 193 days after the breach first occurred. So much for the much vaunted cyber security strategy.

What is required, therefore, is a far more robust approach to both managing the breach and minimising the business impact – a model that is predicated on achieving cyber resilience, not cybersecurity.

Cyber Essentials

To create a cyber resilience model an organisation needs to totally reconsider security provision; to assess and determine the business specific acceptable level of risk and acknowledge that an attack may be successful however well prepared the defences. By adopting a standards-based approach that encompasses technology, people and processes, a cyber resilience strategy can be designed to reflect each organisation’s maturity level with regards to both cyber security and data privacy.

At the heart of a cyber resilience strategy is defence in depth. In addition to using technology to block phishing emails, for example, a company must also ensure staff are trained to recognise the signs that an email may not be genuine. They must know how to respond if they mistakenly click on the email, including immediately notifying the help desk, which will prompt clearly defined escalation processes to minimise corporate exposure. Add in a device level back up process that does not allow the spread of malware and a business has a robust cyber resilience approach to the most prevalent form of breach.

Resilience Journey

This is, of course, an evolution. For smaller or start up business, a simple first step is to adopt Cyber Essentials, five basic controls which should prevent around 80% of Internet borne attacks from being successful. As an organisation matures, it is important to add process and people controls, even pursue the ISO 270001 information security standard, and to consider the wider business ecosystem. Is there a corporate network vulnerability created by the heating supplier routinely accessing the building’s heating, ventilation and air conditioning system, for example? What about customer security? Should the hosted web site be relocated to the cloud to achieve the encryption demanded by PCI DSS when handling credit card details? Throughout the evolution, a good cyber resilience model will continually learn, collecting data about breaches, for example, to highlight staff that need additional training or improvements to escalation processes, and ensuring the cyber risk assessment adapts in line with business expectation.

Critically, therefore, this is a board level issue and, over time a board’s awareness of and involvement in the business’ cyber resilience model must become part of the standard governance framework, as embedded as board and market reporting, health and safety and social engagement. 

Simply raising the cyber security budget year on year is not the answer: what is required is an evolving, multi-layered set of responses to the continually escalating cyber threat. Replacing a futile search for cyber security with a robust, practical and risk appropriate cyber resilience model is one of the most important steps an organisation can take.

Scottish Government outlines cyber security plans

 960 640 Stuart O'Brien
By:
0
0

The Scottish government has outlined its cyber strategy in a 48-page document – The Public Sector Action Plan on Cyber Resilience.

 The plan offers details to local authorities, Government departments and NHS boards on best practices for protecting themselves against cyber attacks. The Scottish Government fast-tracked the strategy in wake of the global cyber attack in May when 11 Scottish health boards were targeted by hackers.

 Discussing the plan, First Minister John Swinney said it would “encourage all public bodies, large or small, to achieve common standards of cyber resilience,” before adding: “I want our public sector to lead by example on strengthening cyber security, to help ensure Scotland is ready to deal with all emerging threats.”

 Some £200,000 is to be made available for organisations to assess, identify and improve cyber security issues, while ministers will also write to chief executives of Scottish public bodies to urge them to ensure all firewalls and security procedures are up-to-date with companies in public service chains asked to demonstrate how they have protected themselves.

 Colin Slater, head of cyber security at PwC in Scotland said: “To date we’ve been reacting to cyber security using frameworks that are almost 30 years old. That’s not representative of the risk we’re dealing with these days.

 “During that attack NHS trusts couldn’t take appointments, they couldn’t do imaging, they couldn’t prescribe drugs, couldn’t admit patients. The ultimate consequence is that you can’t deliver your public service.

 “Cyber criminals are brilliantly tooled up, they’re very dogged, they’re very very clever and they’re very fast and agile.”

 Dr Keith Nicholson, joint chair of the National Cyber Resilience leaders’ board’s public sector steering group, said by following the plan “Scotland’s public sector will be better protected against cyber attacks to the benefit of both the organisation and the citizens of Scotland.”