Cyber security is a broad term which means many different things to many different people, and can often seem to be incredibly complex, expensive, and full of pitfalls at every turn.
But the truth is rather simpler – cyber security, and the security posture that comes with it, is a business enabler and should be viewed as such. It allows you to store both business and customer data safely, control access to your network, and prevent unauthorised people from viewing what is yours. It allows you to bid on contracts safe in the knowledge that your business can meet their security requirements, and to comply with the laws and regulations of the countries you operate in.
A cyber incident, on the other hand, can create fear – fear that you can’t do business, can’t keep cash flow coming in, and can’t meet customer requirements. Whether that’s setting up a new customer online account, or simply packaging and posting an order for delivery – each one brings its own challenges.
Ultimately though, it’s just another potential disruption to a business and should be seen in that context. Industrial action, floods, pandemics, power cuts and cyber incidents all cause disruption – we need to think of cyber security as a way to help you to continue operating in the same context, and build security into your overall risk management and business continuity thinking. And plan accordingly.
The Covid-19 pandemic has taught us a few things - how easily disrupted our physical supply chains are, how digital connectivity (from your home router to your business server) is close to being as critical as water, electricity and gas, and that home schooling isn’t as easy as it looks.
1. Make it a strategic priority
Making sure that cyber security moves from being an operational consideration to a strategic priority will help build resilience and shape a wider corporate culture around cyber security. Organisations that embed cyber security into the business strategy and, more importantly, into the business lifecycle (and in turn its culture), where it is seen as a core responsibility of all employees, are undoubtedly more resilient and alert to emerging cyber threats than those that don’t.
Prioritising effective business continuity planning (BCP) – with a very pressing need to update, review and rehearse it (bearing in mind we have all been living our BCP during Covid-19), and to check that it is not a work of fiction – is a very real, very important weapon in protecting your organisation when a disruption occurs. Sadly, very few organisations can demonstrate a full grasp of their exposure to cyber threats, along with effective response and recovery, let alone have plans in place to mitigate the risk. As a result, responses remain largely reflexive rather than strategic.
And as increasing parts of our operations move into the cloud, this brings a new and different set of security challenges (just because you’ve moved to the cloud doesn’t mean you can avoid being a victim of ransomware). It raises a whole new series of questions: who is responsible for what, where is your business data actually stored and in whose legal jurisdiction, what is the threat profile and how do you prepare for it?
Adapting to this requires a thorough rethink of how you approach cyber security. Starting from the beginning is the key – over the years your business network has grown exponentially, new capabilities, tools and assets have been added, and since the beginning of the Covid-19 pandemic your attack surface has almost certainly changed significantly, practically overnight.
2. Get the basics right
Improve and enhance any existing monitoring and reporting work. This is at the heart of becoming cyber-resilient - the ability to acquire, understand and act upon cyber threat intelligence, at speed and with finesse.
Going back to basics to understand what you have, where it’s connected, how secure it is and who uses it gives a great overview of your level of cyber risk and maturity as a business. Understanding and reviewing your existing policies, procedures and technical controls, and putting in place a monitoring solution that gives visibility over your network 24/7, provides a level of reassurance that any network abnormality should be picked up and isolated reasonably quickly (depending on how sophisticated the anomaly is).
Educating employees is a fundamental element of cyber resilience: showing how cyber criminals can lure you into clicking on a malicious link, what to look for and how to report it is key. This can also benefit their personal lives, giving them the confidence to educate their own family and friends on how to navigate safely online.
3. Don’t get caught out
Plan for it as if it was a ‘definite’, not a ‘maybe’. The most resilient organisations are making sure that threat scenarios are regularly explored and then rehearsed for – and the lessons learnt captured and documented. Responses, roles and responsibilities should all be clear and so familiar that they’re second nature across all levels of the organisation. Collaboration across divisions as part of this ‘gaming’ process is crucial. Successfully responding to a cyber threat isn’t just the job of IT security; it’s the job of every single individual in an organisation.
One of the principal reasons why security breaches occur isn’t a failure of technology or software; it’s people. From leadership who aren’t as fully up to speed as they should be on the need for investment or the associated risks, to individuals with insufficient training, to facilities that are unsuited to home working, or organisations that don’t provide the right upgrade at the right time.
This is perhaps the most crucial point. The perception of resilience is as important as the resilience itself, both in deterring attacks and in limiting them when they do occur. Being thought to have been ‘caught out’ – through lack of preparation or systemic failure – is as detrimental to shareholder value as the security breach itself.
There’s no such thing as 100% secure; it’s better for organisations to accept and understand this, and to prepare for the worst-case scenario. There’s also no such thing as a silver bullet for cyber: cyber resilience is about blending usability, functionality and security to give an appropriate level of protection. Most organisations suffer security incidents every day – it is better to focus on incident management and response, and on maintaining business continuity, than to pretend it will never happen.
Making the solution the responsibility of every part of the business, not just IT, lies at the heart of cyber resilience.
Mark Roberts
Capita Consulting, Partner – Defence and Cyber
Mark is a Partner in Capita’s Consulting business. He joined in January 2020 with specific responsibility for developing business for Capita Consulting in the Defence and Cyber Security markets.