PART TWO: Securing Your Assets – Where Do You Start?
Today’s most sophisticated IT departments are still struggling to prioritise their security defences across ever-growing landscapes – from users and endpoints to perimeters and applications. With so many new solutions and threats, it’s hard to get to grips with how to secure assets and, more to the point, where to start.
“The secret to getting ahead is getting started.” – Mark Twain
Many CIOs may not know what their biggest risk is, but chances are they know what their biggest fear is! At KHIPU, we work with some of the UK’s largest and most public-facing organisations – some of which have a very high profile on a global scale, leaving them more susceptible to hackers. KHIPU works closely with its clients to identify the threats posed to their networks – where, when and how. As soon as we start working with a client, we recommend they answer a short series of questions prior to conducting a risk assessment and network audit tailored to their organisation and network – it’s important to remember that no one-size solution fits all.
Here, we share this list of things to consider when starting to define your cyber security strategy or reviewing your existing one. Simple as they might sound, they are extremely important to understanding not just the network itself and the business goals of the company, but also the industry and market context.
- Work backwards
Sometimes it’s easier to start with the end goal and prioritise your strategy from there. Understand success and failure – know exactly what success means to your team and to your board. Use external references, such as Cyber Security Essentials and industry frameworks such as JISC, to help put this into context. Every organisation is different, and depending on your business type, each will have a different risk appetite.
As Rob Spalding, Head of Infrastructure, Anglia Ruskin University, explains it:
“Using JISC’s vulnerability assessment service enables the University to have a proactive approach to cyber security. The automated solution not only identifies vulnerabilities before they can be exploited, it also reports on which systems will be affected and what actions need to be undertaken to protect them. This automated approach is vital in the defence against cyber-attacks. The service, provided by KHIPU Networks via the JISC VAS framework, has been an immediate success for the University, with a quick return on investment.”
- Get to grips with your data and where it resides
This is critical – if you don’t know what you’ve got, how can you protect it? If you haven’t already done so, we recommend a thorough audit of all your data, and the implementation of an ongoing data management policy that determines what data is kept and where. This will also help to keep you on the right side of the regulators.
- Keep up with industry regulations
Make sure you have a solid understanding of the regulations and guidelines in the markets you operate in – for example, the introduction of GDPR in Europe can play a big part in your risk threshold and overall security strategy.
- Understand the impact
Heavy fines are not the only thing at stake for an organisation suffering an attack or breach. For most businesses, the reputational damage from such incidents can be just as detrimental as the fines – would a data breach headline break you?
- Stay up to speed
Why does it take some businesses so long to notice they’ve suffered a breach? What steps can you take to proactively check? What’s the impact (financial and reputational) of missing an attack? How can you even know when your network has been compromised? It’s not enough to invest in new technology to defend against attack. You also need to ensure you have robust breach detection, investigation and reporting procedures in place. If you don’t have the resources to be constantly on the lookout for a breach or attack, then consider partnering with an expert such as KHIPU, which operates a Security Operations Centre offering continuous network monitoring. This way you can make use of the most up-to-date technology and trained professionals to detect anomalies and breaches.
As we’ve said before, there is no one-size-fits-all solution for cyber security. Cyber-crime is a serious business, and fraudsters are not going to stop trying to access and steal valuable data as long as they can continue to sell it for financial gain.
According to the 2018 Cyber Security Breaches Survey, almost half of UK businesses fell victim to cyber-attacks or security breaches in 2017, with the most common breaches or attacks involving fraudulent emails, impersonation attempts, viruses and malware.
Source: Department for Digital, Culture, Media and Sport, UK.
What’s more, recent research conducted by the Ponemon Institute reveals that the global cost of a data breach has hit approximately £2.99m ($3.86 million), rising year on year, according to the Institute’s annual Cost of a Data Breach study.
Every business is different and needs to define a strategy that works for it rather than simply relying on off-the-shelf technology to deal with increasingly sophisticated attacks. For example, if you’ve suffered a data breach caused by a phishing attack, the knee-jerk reaction may be to buy the latest anti-phishing solution to prevent phishing emails from getting through in the first place. In reality, though, you need to take a step back and inspect the network, the users’ awareness and the data you hold more holistically, identifying any weak points in the network and ensuring they are adequately protected. An anti-phishing solution may solve only part of the problem, or could be ineffective if there are bigger issues within your network.
“Whether at home or at work, you have to be aware of the implications of cyber-attacks. Phishing emails are a huge problem to everyone – one way to help minimise this risk is by raising awareness of these types of attacks. At Ashford Borough Council, we successfully conducted a simulated phishing campaign that helped both our staff in creating awareness and our IT team to understand its potential risk so that appropriate training can be provided. We plan to carry out regular campaigns and training to continually help raise awareness of this ever-changing cyber security landscape.” – Tracey Kerly, CEO, Ashford Borough Council
In 2018, the UK government reported that more than four in ten organisations fell victim to a breach or attack, with the most common being fraudulent emails attempting to coax staff into revealing passwords or financial information or clicking fake links or opening dangerous attachments.
There are also common weak points and vulnerabilities: in most organisations, users are still the weakest link, which is why cyber criminals continue to launch attacks that exploit human weaknesses, as these have some of the highest success rates.
4 in 10 UK organisations have fallen victim to a breach or attack.
Source: Cyber Security Breaches Survey 2018, Department for Digital, Culture, Media and Sport, UK.
It’s not just about the technology: often there is an important user education piece that gets overlooked. If your employees are routinely opening phishing emails, then you need to ask why and put in place a training schedule to address this. Likewise, if your weak point is contractors accessing your network, perhaps you need to consider limiting their access or investing in two-factor authentication before allowing them onto certain parts of the network. With this understanding, it will be easier to identify the most vulnerable parts of the network and those most likely to be exploited by cyber criminals, to prioritise spending, and to ensure any solutions you invest in are really helping to defend the business.
While these questions are an excellent start to understanding your network in its current state, we still need to delve deeper into the types of vulnerabilities on your network to get a full picture of how to protect against them. Join us next week to get down and dirty with your weakest links.