How can businesses effectively navigate cyber-risk through the implementation of robust security policies?

According to Barracuda Networks’ recent report, one-in-10 businesses don’t have an incident response plan. We hear from industry experts Alex Coburn, CEO of ThreeTwoFour, a Node4 company; Simon Howe, Area Vice President for Australia and New Zealand, ExtraHop; and Andre Cilurzo, Managing Director, Protiviti, about their thoughts on navigating cyber-risks through security policies.

Barracuda Networks, a trusted partner and leading provider of cloud-first security solutions, recently published a CIO report, Leading your business through cyber risk, which explores the top governance challenges facing companies trying to manage cyber-risk and boost their cyber-resilience.

Leveraging data from the international Cybernomics 101 study, the report assesses how challenges relating to security policies, management support, third-party access and supply chains can undermine a company’s ability to withstand and respond to cyberattacks.

Among other things, the findings show that many organisations find it hard to implement company-wide security policies such as authentication measures and access controls. Half (49%) of the smaller to mid-sized companies surveyed listed this as one of their top two governance challenges.

Further, just over a third (35%) of the smaller companies worry that senior management don’t see cyberattacks as a significant risk, while the larger companies are most likely to struggle with a lack of budget (38%) and skilled professionals (35%).

Many organisations have concerns about a lack of security and control over the supply chain and visibility into third parties with access to sensitive or confidential data. Around one-in-10 don’t have an incident response plan to turn to in the event of a successful breach.

“For many businesses today, a security incident of some kind is almost inevitable,” said Siroui Mushegian, CIO, Barracuda Networks. “What matters is how you prepare for, withstand, respond to and recover from the incident. This is cyber-resilience. Advanced, defence-in-depth security solutions will take you most of the way there, but success also depends on security governance – the policies and programmes, leadership and more that enable you to manage risk. When NIST updated its benchmark cybersecurity framework earlier this year, it added security governance as a strategic priority.”

Alex Coburn, CEO of ThreeTwoFour, a Node4 company

Many businesses make the mistake of thinking that because they have invested in security products, they have a robust security posture. It doesn’t matter how much money you spend on the latest technology, unless you have an end-to-end understanding of your critical data, processes, and systems and how to protect them, you run the risk that your security capability is not addressing the actual threats to your business and is therefore not commensurate to your risk profile.

Organisations need to build a holistic approach to security that is not only focused on technology but also considers people and processes. A simple way to consider end-to-end security is by focussing on four major strategies or streams of security activity: 

Prevention

Preventative strategies don’t have to cost the earth and businesses often already have the most valuable prevention asset – people. Awareness is not the only prevention strategy, far from it, but an awareness campaign will educate your employees about their role in protecting the organisation and its assets. Interactive strategies such as an annual ‘Cyber Week’ have become common practice to keep staff engaged. Additionally, conducting phishing exercises can provide a good assessment of how well employees understand and apply their security responsibilities.  

Detection

Detection is a base camp requirement for navigating cyber-risk. If you don’t know that a bad actor is in your system, you can’t act. Technology is a key component of detection due to the complexity and the resources required to identify intruders. Organisations often turn to an outsourced Security Operations Centre (SOC) that can use AI and third-party intelligence sources to provide 24/7 monitoring and alerting on potential cyber incidents.  Outsourced SOC services are popular as they can provide economies of scale that make them more cost-effective than building your own 24/7 service.  

Response 

The key to successful response is practice. Should the worst happen, there will be a sense of urgency verging on panic that risks clouding your judgement, so, if you don’t know how to respond, it will take twice as long. Regularly practising your organisation’s response will give everyone confidence in their role within that situation. Often during these practice runs, obstacles or other weak areas are identified, allowing time for these to be ironed out before the practice is put into reality.

Incident response exercises can take many different forms, but we have always recommended a holistic approach that includes different parts of the business. Technical IT teams, compliance, risk and the executive leadership team need to understand their responsibilities by partaking in the exercise, because each of these groups of stakeholders has a role to play in cybersecurity incident response.

Recovery

The ability to recover is the final and arguably most crucial step – without it, you can’t resume business operations. A great recovery strategy is the 3-2-1-1-0 rule – have three copies of your data, two media types, one copy held offsite, one on immutable or air-gapped storage and zero backup check failures.

Following this rule means that, if you were to suffer a ransomware attack, you will have at least one dataset that will enable you to recover. 
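One way to turn the 3-2-1-1-0 rule into a repeatable check over a backup inventory, written in Python as an added example (not the author’s or any vendor’s code); the BackupCopy fields, the assumption that the production dataset counts as one of the three copies, and the sample inventory are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str            # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool         # held away from the primary site
    immutable: bool       # WORM/object-lock or air-gapped: a compromised host cannot alter it
    check_failures: int   # failed integrity checks or test restores in the last verification cycle


def evaluate_3_2_1_1_0(copies: Iterable[BackupCopy]) -> dict:
    """Check an inventory against each clause of the 3-2-1-1-0 rule.

    Assumption: the production dataset is listed as one of the copies.
    Returns one bool per clause plus an overall 'all_passed' flag.
    """
    copies = list(copies)
    report = {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_immutable": any(c.immutable for c in copies),
        "zero_check_failures": all(c.check_failures == 0 for c in copies),
    }
    report["all_passed"] = all(report.values())
    return report


def recoverable_copies(copies: Iterable[BackupCopy]) -> List[str]:
    """Names of copies that ransomware on the primary network could not have
    encrypted or deleted and that passed their last checks: the datasets a
    recovery would actually be attempted from."""
    return [c.name for c in copies if c.immutable and c.check_failures == 0]


# Constructed sample inventory (not from the article): production storage,
# an offsite immutable tape, and an object-locked cloud copy whose last
# test restore failed.
SAMPLE_INVENTORY = [
    BackupCopy("primary-san", "disk", offsite=False, immutable=False, check_failures=0),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=True, check_failures=0),
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True, check_failures=1),
]

if __name__ == "__main__":
    for clause, ok in evaluate_3_2_1_1_0(SAMPLE_INVENTORY).items():
        print(f"{clause:22s} {'PASS' if ok else 'FAIL'}")
    print("recoverable from:", recoverable_copies(SAMPLE_INVENTORY))
```

The sample inventory satisfies the three, two, one and one clauses but fails the zero clause because of the failed cloud test restore, leaving only the tape as a copy recovery could rely on.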

Addressing these four steps will not, in and of itself, make any organisation inherently secure. Risk and threat profiles differ widely. However, by covering these four capabilities, businesses can build a solid foundation for selecting, tailoring and maturing a security control environment.

Andre Cilurzo, Managing Director, Protiviti

The structuring of information security policies in companies is essential, not only to establish data protection guidelines, but also to guide the planning of actions, investments to be made, and the necessary efforts to reduce the risks of information leakage and hacker attacks.

Well-structured information security policies rely on guidelines, not technical specifications, to:

  • Identify and prevent threats and vulnerabilities
  • Direct the identification of crown jewels (critical assets for the operation of the company’s core business) by identifying processes that ensure the company’s operation and do not interrupt revenue-generating activities
  • Establish security measures based on risk assessment
  • Provide guidance on data discovery and classification of critical data

Furthermore, policies should be reviewed annually, as the threat landscape constantly changes and new threats emerge daily, requiring companies to adapt their strategies as the threat environment changes.

It is also essential that cybersecurity awareness based on policy empowers professionals to recognise and report such threats to the IT or information security team in case of situations outside their routine.

The adoption of secure practices in technology use by professionals necessarily involves everyone’s understanding of the risks associated with sharing information, the misuse of access credentials and handling information contrary to the information security policy.

Ultimately, a robust information security policy is one that reflects the business model. Combined with current industry regulations, it will enable the adoption of assertive and effective prevention measures for risk management and quick responses to incidents, strengthening your reputation and demonstrating commitment to protecting your customers and partners.

Simon Howe, Area Vice President for Australia and New Zealand, ExtraHop

Achieving an alignment between cyber-risk and security policy expectations requires several steps. Each builds on the other and ensures that the IT security policies in place are the most appropriate for the organisation. The required steps include:

  • An initial review: The first step is to carefully review all the components that, together, create the organisation’s IT infrastructure. This includes everything from applications and databases to servers, networks and client devices.

  • Check data flows: Organisations need to review how data is transmitted, both within the business and externally, to uncover where any weaknesses might exist that need to be addressed.

  • Examine cloud resources: As businesses increasingly make use of cloud-based resources, it’s important to remember that the job of securing those resources is not left to the cloud provider. Review all usage of the cloud and ensure that appropriate layers of security have been put in place.

  • Determine acceptable levels of risk: Regardless of how much is spent and which security measures are implemented, there will always be a persistent level of risk. For this reason, it’s important to determine what level the business finds acceptable and whether this is the level that currently exists.

  • Manage that risk: Once the level of risk is understood, a strategy for its management can be developed. The security team can work to avoid risks, accept some risks, mitigate risks, or transfer risks. This can be achieved by engaging an external specialist to manage security tools and other measures.

  • Conduct what-if scenarios: Once acceptable levels of risk have been identified, and measures put in place to maintain them, it’s time to run some what-if scenarios. This involves considering what the impact would be on the business if a particular event occurred. These events could include ransomware attacks, data theft, or malicious activity conducted by an insider.

In addition, an effective measure which businesses can take to lessen their chances of falling victim to a data breach is to implement the measures outlined in the Australian Cyber Security Centre’s Essential Eight security guidelines. These clearly map out the steps an organisation should take to improve its level of cybersecurity and include areas such as deploying Multi-Factor Authentication, undertaking patching of operating systems and applications, and conducting regular data backups.

Once implemented, they enable an organisation to have a much better chance of withstanding most of the IT security threats they are likely to face.

Intelligent CISO