By Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance
Given how commonplace cyber attacks have become on a global basis, the topic of cyber security is moving increasingly up the board agenda, and rightly so.
72% of large UK businesses reported identifying at least one cyber security breach in the previous 12 months, and 40% experienced a breach or attack at least once a month. Clearly, businesses are aware of how prevalent attacks are and how much damage they can cause.
But how can they be sure that their
How long would it take you to identify a security breach within your organisation? Hours? Days? Months? The average is 101 days – that's over three months in which cyber criminals can exploit the sensitive data they have acquired through a flaw in a company's security systems or processes.
Simple security measures are clearly not enough.
1. Identify potential threats:
The first step should be a thorough risk assessment that highlights the threats the organisation currently faces to its information assets. Any data that a company values, be it digital assets, offline content or employee knowledge, will also be valuable to a cyber criminal, so all of it requires protection.
There are a number of risks that could impact an
2. Protect against attack:
The next step is to deploy controls that prevent attacks, or at least reduce their likelihood or impact. These should include technical controls, such as firewalls, as well as process controls, such as policy changes. Detective controls observe the environment so that a risk is spotted before it causes harm; examples include CCTV cameras and intrusion detection systems monitoring the network. Reactive controls take action in response to an event, such as locking down a particular area or encrypting data after a certain number of failed login attempts.
While technical functions are essential to keep information secure – it’s crucial to ensure any risks related to human error and process failures are not overlooked and a holistic approach is implemented to keep the
3. Detect breaches:
It's true that not all attacks can be prevented, which is exactly why it's essential to have robust detection mechanisms in place, such as regular log review and continuous network monitoring, to pick up unusual activity. This way,
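As an added illustration of the detective and reactive controls described above (this is example code written for this page, not the author's or IT Governance's), the block below reviews a handful of constructed, OpenSSH-style authentication log lines, counts failed logins per source address inside a sliding time window, and emits a lockout decision once a threshold is crossed. The log format, the five-failure threshold and the ten-minute window are assumptions chosen for the demonstration; real deployments would tune them and feed the same logic from a log pipeline rather than a string.

```python
"""Detective + reactive control over constructed auth log lines.

Detective part: count 'Failed' authentication events per source address
within a sliding window.  Reactive part: once the count reaches the
threshold, raise an alert and add the source to a lockout set so that
further attempts from it are dropped.  Format, threshold and window are
assumptions for this example, not values taken from the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, OpenSSH-style messages); not real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2024-03-01T09:00:03 sshd[101]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T09:00:04 sshd[102]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
2024-03-01T09:00:06 sshd[101]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T09:00:08 sshd[101]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T09:00:09 sshd[101]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T09:00:10 sshd[101]: Failed password for root from 203.0.113.7 port 51006 ssh2
2024-03-01T09:05:00 sshd[103]: Failed password for bob from 198.51.100.4 port 40011 ssh2
2024-03-01T09:20:00 sshd[103]: Failed password for bob from 198.51.100.4 port 40012 ssh2
2024-03-01T09:20:05 sshd[103]: Accepted password for bob from 198.51.100.4 port 40013 ssh2
"""

# Assumed line shape: "<iso timestamp> sshd[pid]: Failed|Accepted <method> for [invalid user] <user> from <src> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Scan log_text and return (alerts, lockouts).

    alerts   : list of (src, iso_timestamp, failures_in_window) raised the
               moment a source reaches `threshold` failures inside `window`.
    lockouts : set of sources that have been locked out (reactive control);
               events from a locked source are dropped, so one alert per source.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    lockouts = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unrecognised line; a real pipeline should count these too
        src = ev["src"]
        if src in lockouts:
            continue  # already locked: the reactive control is in effect
        if ev["outcome"] != "Failed":
            recent[src].clear()  # a successful login resets that source's counter
            continue
        q = recent[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # slide the window: drop failures older than `window`
        if len(q) >= threshold:
            alerts.append((src, ev["ts"].isoformat(), len(q)))
            lockouts.add(src)
    return alerts, lockouts


if __name__ == "__main__":
    found, locked = detect_brute_force(SAMPLE_LOG)
    for src, when, n in found:
        print(f"ALERT {when}: {n} failed logins from {src} within window -> lockout")
    print("locked sources:", sorted(locked))
```

Run against the sample, the 203.0.113.7 burst trips the threshold on its fifth failure and is locked, while bob's two typos followed by a successful login from 198.51.100.4 produce nothing. Resetting the counter on success keeps ordinary users quiet, but it also means a slow password spray that eventually succeeds clears its own trail; a fuller detector would additionally flag a success that follows several failures from the same source.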
4. Respond to incidents:
Training is an important factor in an organisation's cyber resilience strategy, so that in the event of a breach the right response is followed to limit the fallout. Research suggests that over half of organisations do not have processes in place to train staff appropriately in this area. In the current compliance environment, where legislation such as the GDPR requires all staff who handle personal data to receive appropriate training and imposes strong penalties on organisations that fall short, this is a worrying statistic.
A Business Continuity Management System (BCMS) will include a comprehensive plan that details who to contact in the event of a breach, the processes for containing the incident, and how to keep the situation stable. With a step-by-step approach, the fallout from a breach can be minimised, keeping assets protected and the organisation running at an optimum level.
It's also important to record all available evidence and keep a log of the response procedures followed, for review at a later date. This is necessary not only to meet legal obligations to notify individuals affected by the breach, but also as an audit trail for improving the response process for future incidents.
5. Recover from attack:
Once the situation is stable following a breach, action should be taken to prevent similar incidents from happening again, or at least to ensure that a repeat would have a lesser impact. Of course, how an organisation recovers from an attack will vary depending on the nature of the incident and the company. For example, the Network and Information Systems Regulations (NIS) impose specific security and continuity requirements on operators of essential services, such as transport, energy and health, and on relevant digital service providers, such as cloud computing services, to ensure the continuity of those services and so keep businesses, citizens and public services protected.
The BCMS should be comprehensive enough to enable an