At the 'Priorities for Cyber Security in the UK' event in London today, delegates were advised by a number of senior industry practitioners on how they might evaluate and respond to the risks they faced, from doing the basics, to ensuring that you don't ignore the other 80 percent and just let people 'walk in'.
So, what steps should be taken to make cyber-security easier? The first speaker, a consultant, defined the role of cyber-security as protecting your ‘stuff’, be that data or an industrial plant, from being put under the control of malicious others.
Citing a Cabinet Office survey of the FTSE 350, it was noted how cyber-security awareness has risen and how responsibility for incidents now lies with the board. However, 58 percent still expect an increase in attacks, and 48 percent are worried about third- and fourth-party suppliers. It was noted that there is some good government advice and guidance, such as Cyber Essentials and the NIST framework from the US, but there aren't enough people to interpret the data. Compliance with such guidance, however, is clearly not enough: you must take a risk-based approach and focus on particular areas.
People accept they will be breached, and it's the ability to respond and recover that is now key: identify your crown jewels and defend them appropriately; know which are the ‘crisis-causing’ services; secure your supply chain; secure your mobile data, by putting limits on risk where it can't be secured (for example, expenditure limits). And there is increasing concern over privacy and data regulation and fines coming from the EU, with the fear that a global organisation could be hit for a percentage of turnover by an aggressive regulator due to an error in a small branch office somewhere in Europe.
Much has been learned from data breaches and this includes the following requirements:
- The basics are still important, like patching and applying product updates.
- Training your staff with consequences to change behaviour.
- Scenario planning (playbooks), incident response, and testing.
- Agility for APTs – low and slow threats. This is where technology comes in with great systems to monitor what is normal and spot anomalies.
- Whitelist safe websites for staff use.
- Role-based access control (not individual-based).
- Use all resources to respond to a data breach including IT, PR, corporate communications and HR.
The second speaker, from a leading defence contractor, focused on the 20 percent of attacks not tackled by doing the basics. He noted how it's not a level playing field, as the bad guys change the rules during the ‘game’. Information sharing was highlighted, including the role of CBEST, along with the need to be intelligence-led, noting that a data feed is not the same as intelligence. IT departments are not used to dealing with intelligence. But it's important to know who you are up against and what they want.
The second quality companies need is to be thick-skinned and robust. Protection does not stop attacks. But the basics filter out the easy stuff, providing time to deal with and slow down the persistent attackers. And it is their persistence and focus, rather than cleverness, that delivers their successes. They check for weaknesses and get in via the seams between technology and people. Hence defence in depth is needed and perimeter approaches are outdated, though identity is an increasingly important issue and needs further advances. Check your resilience using testers who use the same techniques.
The third quality we need is operational awareness, which requires integrated live monitoring of our networks, systems and people in real time to provide situational awareness. The 80 percent is more a challenge of implementation (IT funding and delivery, knowing our estate, monitoring, and being compliant), which can result in having what you are supposed to have rather than what you need. Cross-border operations are even more difficult to comply with, as it's so much work. And while the focus is on this 80 percent, anyone who really wants to get in still can. And it's even harder for small organisations. And if you can't do it, you shouldn't try; you should get someone in who can.
Key priorities suggested included:
- Be clear who is responsible, and on what information they are making their decisions.
- Understand the size and shape of the risk in your own organisation.
- Make an active decision about what you care about, and how much you're willing to spend to protect it.
- Be robust, don't be an easy target and have as much focus on detection and response as on protection.
- Align your security strategically with the rest of the organisation. If it blocks the rest of the business, it doesn't happen.
The event was held under Chatham House rules, meaning comments cannot be attributed. Attendees included CISOs from UK critical infrastructure and private companies, legislators, standards and regulatory authorities, leading industry suppliers as well as sector specialist consultants and legal firms.
More analysis from this event to follow.