Cyber resilience: A wishful term or an achievable reality?

Opinion by Paddy Francis

Implementing the security measures described below will reduce the threat of an attack and help the organisation detect when an attacker is on the network, so that security teams can focus on critical issues.

At a time when suffering a cyber-attack is considered the third most likely risk in 2018, many may feel helpless and perceive cyber resilience to be out of reach.

However, understanding the key components that are required can make the difference between surviving a barrage of attacks and buckling under the deluge. If the organisation can spot the signs and mobilise its defences quickly and efficiently, it will almost certainly guarantee that the business comes out the other side virtually unscathed.

Many businesses under financial strain avoid robust systems and therefore opt for a flat network structure as the norm. This leads them to install only the most basic preventive measures, such as an internet firewall. The perceived benefits are cost effectiveness and the ability of every device and system to connect with everything else.

Though sound in principle, the reality is that, should an attacker manage to scale the barricade and get into the network, they are left unchallenged to move freely and undetected around it. The negatives severely outweigh the benefits here, but there are procedures that can be put in place to ensure the system does not become compromised.

What tools are available?

Any defence mechanism purchased should incorporate detection and monitoring capabilities, such as zoning and separation tools, as these will firstly highlight when an intruder is on the system and secondly prevent the attacker from accessing other networks.

There are further steps that can be taken to deter an attack or force an intruder to be more cautious, even on the simplest of systems. Start by separating all servers from user machines, as this creates natural monitoring points. Then, to reduce the risk of servers becoming compromised, ensure application whitelisting is enforced.

To block potential command and control communications, direct access to the internet from internal servers will need to be removed. However, once an attacker is on a system, they will navigate through it to exploit any weaknesses. So, to thwart any chance of lateral movement, it is imperative that all unnecessary communication between user hosts is disabled.
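The three controls above (servers separated from user machines, no direct internet access from servers, and no unnecessary user-host-to-user-host traffic) only pay off if the resulting choke points are actually watched. The following is an added example, not code from the article or from Airbus CyberSecurity: a small policy checker that labels each address with a zone and runs a handful of flow records through the segmentation rules, reporting the flows a firewall at the zone boundary should be blocking and alerting on. The address plan, the allowed server ports, the single proxy permitted to reach the internet, the default-deny fallback and the log lines themselves are all constructed assumptions.

```python
"""Segmentation policy checker run over sample flow records.

Added example; it is not code from the article or from Airbus CyberSecurity.
The address plan, allowed ports, egress exception and log lines are all
constructed assumptions chosen to illustrate the three controls above.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: user hosts and servers in separate subnets, so every
# user-to-server flow crosses a firewall that can log it.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
}
INTERNET = "internet"  # label for any address outside the defined zones

# Assumed: services user hosts legitimately need on the server zone.
ALLOWED_USER_TO_SERVER_PORTS = {53, 443, 445}

# Assumed: the one server (a web proxy) permitted to reach the internet on
# behalf of the others; every other server-initiated internet flow is an alert.
EGRESS_EXCEPTIONS = {ipaddress.ip_address("10.20.0.5")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip_str: str) -> str:
    """Map an address to its zone; anything not in ZONES counts as internet."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed 'ts key=value ...' log format."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Flow(ts, fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def evaluate(flow: Flow):
    """Return None when the flow complies with the policy, else a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "servers" and dst_zone == INTERNET:
        if ipaddress.ip_address(flow.src) in EGRESS_EXCEPTIONS:
            return None
        return "server initiated a direct internet connection (possible command and control)"
    if src_zone == "users" and dst_zone == "users":
        return "user host talking to another user host (possible lateral movement)"
    if src_zone == "users" and dst_zone == "servers":
        if flow.dport in ALLOWED_USER_TO_SERVER_PORTS:
            return None
        return f"user host reached a server on non-approved port {flow.dport}"
    if src_zone == "users" and dst_zone == INTERNET:
        return None  # assumed: ordinary user web access is permitted
    return f"{src_zone} to {dst_zone} flow has no allow rule (default deny, assumed)"


def audit(lines):
    """Run every non-empty log line through the policy and collect findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = evaluate(flow)
        if reason is not None:
            findings.append((flow, reason))
    return findings


# Constructed sample flow log (not real traffic).
FLOW_LOG = """\
2024-03-01T08:00:01Z src=10.10.4.7 dst=10.20.1.10 proto=tcp dport=445
2024-03-01T08:00:02Z src=10.20.1.10 dst=203.0.113.44 proto=tcp dport=443
2024-03-01T08:00:03Z src=10.10.4.7 dst=10.10.4.9 proto=tcp dport=445
2024-03-01T08:00:04Z src=10.10.4.7 dst=10.20.1.10 proto=tcp dport=22
2024-03-01T08:00:05Z src=10.20.0.5 dst=203.0.113.44 proto=tcp dport=443
2024-03-01T08:00:06Z src=10.10.4.7 dst=198.51.100.9 proto=tcp dport=443
"""

if __name__ == "__main__":
    for flow, reason in audit(FLOW_LOG.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} ALERT: {reason}")
```

Run against the sample log, the checker passes the user-to-file-server and proxy egress flows and raises three findings: a server reaching the internet directly, a user host connecting to a neighbouring user host, and a user host hitting a server on a port outside the approved set. The same zone table can be used to generate the firewall's allow rules, so the detection logic and the enforcement policy stay consistent.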

Implementing these security measures will not only reduce the threat of an attack but also give the organisation a fighting chance of detecting when an attacker is on the network. Filtering out these distractions gives security teams the time to focus on more critical issues.

Have a plan ready

Detection is only half the battle, as the organisation needs to follow an incident response plan to guarantee that the business remains resilient in the wake of an attack. This will involve clearly identifying the responsibilities of each department (IT, marketing and legal) as well as any extreme actions that may need to be taken, for example disconnecting entirely from the internet.

It is also vital that the necessary stakeholders and boardroom executives are on hand if key decisions need to be made. It is recommended to have a designated incident response team within the company, but if you don't have the budget or the threat exposure to keep them occupied, it is important to have one outsourced and on standby.

If you have followed this security framework, then your organisation is on its way to achieving cyber resilience. However, there is one crucial requirement that is repeatedly forgotten, and that is to test the plan. Only by testing the incident response plan to its most strenuous point will you get a clear indication of what works, identify any weaknesses that need to be addressed, and ensure that all the relevant information (for example, team contact numbers) is current.

It will also help check that everyone within the business is working from the same page. This sort of validation exercise should be conducted at least once a year as a bare minimum, and only once the plan is tried and tested will your organisation have a better idea of how to handle a cyber-attack.

Contributed by Paddy Francis, CTO, Airbus CyberSecurity.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
