Cyber-Security: Going Beyond Technology
What organisations need to be thinking about now.
August 12th, 2021
Cyber Security beyond technology: a white paper write-up based on a webinar hosted by David Clarke – QuoStar Head of Security & CISO, and Chris White – QuoStar Head of Consultancy & the CIO Service, in July 2021.
Why is cyber security beyond technology such a hot topic?
Cyber-security is an increasing threat that businesses of all sizes should take seriously. It is a topic that should regularly be on the board’s agenda.
A day doesn’t pass without a business being targeted via ransomware, phishing or DDoS attacks – all causing significant disruption to businesses. For some businesses it has been so bad that it’s affected customers and meant closure.
The destructive rise of state sponsored attacks mixed with organised ransom focused crime gangs has changed the threat landscape dramatically.
Most firms operate globally, 24/7, and their assets are mostly digital. The current ransomware situation is dire. Extensive due diligence is now required within supply chains, particularly when working with government.
We fall like dominoes if we’re not careful
What are the main threats in today’s landscape? Because of how interconnected industries are today, the knock-on effect of digital disruption is now very large. For example, the US fuel pipeline incident affecting the entire east coast of America came down to digital disruption. The possible effects of digital disruption have always been there, but now the impact and knock-on effects are massive.
Follow the Swiss Cheese Risk Model
In today’s threat landscape, layers of cyber defence need to be in place. Not one or two, but several layers. This is similar to the model used in the aircraft industry: the Swiss Cheese risk model.
When Swiss cheese is sliced it has holes, and that’s ok. The problem is when several holes inadvertently line up – applied to security measures, that’s when disaster can strike. The aligned holes magnify the effect: a few small risks at lower levels combine into one large risk.
Clients increasingly want to understand the security measures taken by a business. This in turn means questionnaires, audits, hoops to jump through before business can be conducted.
Requirements need to be met.
Unfortunately, due to the increase in cybercrime over the last couple of years, it’s more a case of WHEN it happens than IF it happens.
Prevention is better than cure
Businesses need to start preparing to prevent an attack, rather than preparing to handle one. If you are handling it, it’s too late and the financial damage of dealing with it has already been done. The downtime caused by having to deal with an attack can potentially cost millions a day. In this case prevention really is better than cure.
The consequence of a breach is not just dealing with the ransomware attack. It may lead to having to rebuild your whole IT infrastructure. You may need to move physical servers, migrate networks or change cloud systems – things that take a huge effort but need to be done in a very short timeframe, days or weeks at most, before you are out of business. The law firm DLA Piper paid for 15,000 hours of IT overtime as a result of their attack!
Smaller organisations still face huge financial impacts and disruption, both to themselves and to their clients. Firms must take care of client data too. Breaches of that data can damage reputation, as well as risk fines and punishment that can escalate rapidly. Regulators, including the ICO, are becoming increasingly interested in these types of events.
So, how can we avoid successful attacks? It is much cheaper to get your security layers in there first. The layers don’t need to be expensive, just suitable, with good architecture.
When will they come for you?
It may seem obvious, but most attacks happen when you’re most vulnerable – particularly during long weekends and bank holidays. So, have a robust plan for how to report a risk, even out of usual hours. Once reported, a risk can at least be managed or monitored from there.
It is a real struggle to get this message across to boards. If you’re responsible for security (not just IT but business issues, with IT holding a major stake), have a really robust, easy-to-use process so anyone can escalate an issue no matter how trivial it is. No, this does not mean having to read a 500-page document just to report a threat.
Stay in touch
A security manager would much rather be called with a minor issue to solve at 3am than not be told at all and find out a few days later that there is a huge security breach to deal with and very few options left. Have a robust reporting system – ideally by phone rather than email, so that the reporter knows it is being dealt with.
Know all the links in your chain
Supply chains are often the biggest cause of problems. You need to ensure the correct contacts are in place for when issues arise. Who are your contacts? When are they available? Know this in advance, because you need an immediate handle on things when it hits the fan.
Even in large firms, the day-to-day resourcing of digital security does not match that of physical security.
The more the merrier?
Companies tend to worry about the workload of a security function if they have thousands (or tens of thousands) of staff. But in reality, the number of calls that come through to security as reported risks is very low, and 98% of those calls are well worth looking at.
The advantages of cloud vs. on premises
Data centres are highly complex – the building itself must be highly resilient. If you are reliant on one data centre or server room, sooner or later it will go down. Generally, the cloud takes that risk away.
If done right, moving to the cloud shouldn’t be a barrier. But remember, whichever you choose, security isn’t a one-and-done deal. It’s a moving target – it needs to be managed, and the risks monitored, all the time.
What are the risks with the cloud?
Are there additional risks in moving to the cloud? And if so, what can we do to mitigate them? The usual objection to moving to the cloud is security. But there is an argument that the cloud provider knows more about security than most businesses do – it’s their bread and butter.
Companies should be working on the basis that, at some stage, they may be hit – and should know what to do if that happens. There needs to be upfront planning and putting procedures in place.
The Regulators are watching
Regulators want us to take due care of our clients’ data. That’s why breaches cost the company. One of the first questions posed by the UK ICO is: have your staff been trained? Most breach enforcement notices result from a lack of training or management rather than from the breach itself. This training needs to be demonstrable on an ongoing basis.
A security aware culture starts at the top.
A security aware culture starts at the top. That should be followed by various layers beneath – technology, endpoint protection, patching. The layer around staff is based on awareness and the knowledge to mitigate situations, as well as supplier due diligence.
There needs to be upfront planning and procedures put in place. There are philosophical decisions to be made before a security breach happens. You could well experience something that propagates. Your customers could also come under attack. Do you focus resources on protecting customers first or the business?
To best manage cyber-security risks, assume the worst-case scenario in order to avoid unnecessary surprises – and plan and prepare for it.
Business Continuity has been put to the test
Covid has made us test all the major categories of business continuity at once. A few years ago, we’d test scenarios like ‘building unavailable’. Businesses have been put into the real-life situation of no building available, no public transport, fewer staff and sick or absent staff – all the major categories of business continuity hit at the same time.
Businesses have done a phenomenal job of keeping going and keeping people working from home.
A shortage of senior cyber-security professionals
However, with a global shortage of senior cyber-security professionals, coupled with the prohibitively high cost of retaining a full-time, dedicated expert, many businesses may struggle to access the level of support they require.
QuoStar designed the CISO Service to address this problem
Businesses get access to a dedicated Chief Information Security Officer who provides senior security leadership and takes responsibility for identifying, controlling and managing risk, making sure the business’s security posture is strengthened.
This write-up covers aspects of cyber-security, threats, actions to be taken, the risks of moving into the cloud, responsibilities, managing vendors and how to build a security aware culture.