Written by Paul Whiston, DLSE Regional Partner and MD of Whiston Solutions Ltd
The DLSE April salon discussed the importance of Cyber Resilience, attracting a wide range of participants representing Government, public, private, academic and charity sectors. Digital Leaders SE was privileged to gain insights from Garry Bernstein – ABS Exchange Limited who has advised corporations and governments across the globe on cyber resilience.
Coincidently the day of the salon GDPR (General Data Protection Regulation) was ratified by the European Parliament – which places the onerous obligations on every business to communicate breach details with customers and other effected parties within 72 hours of detection – or face hefty fines.
Garry started by explaining that it is easier than ever to start a business, connect and trade with customers and build a brand and reputation at breakneck speed, these advances are accompanied by some new responsibilities: Managing Cyber risk and Ensuring Effective Cyber Resilience is just one but still eludes most business leaders.
Why is Cyber risk not joining other operational risks on the register at most firms?
The internet was built for connectivity and speed – security and protection however have arrived very much as an afterthought.
For criminals, rogue governments and mischievous actors, the App economy has become the ‘promised land’ of low risk and high rewards – offering borderless reach, assured anonymity and access to a community of defenceless victims who are ill equipped to fight back.
This issue is going to increase with the advent of the intelligent environment and the Internet of Things (IoT) that will even more easily connect us to everything we need – as well as everything we need to fear.
Garry then stated that a UK Government survey in 2015 estimated that 90% of large corporations and 74% of SMEs suffered a breach. With the average cost of a breach estimated at £1.4M – £3.1M for a large businesses and £75K – £300K for small businesses.
Cyber Resilience basically means shortening the gap between a realisation of a breach and fixing it – on average it takes businesses 200+ days to detect a breach – and over 3 Months to remediate!
Garry outlined his Ten Commandments to best address Cyber Resilience which was debated amongst the salon participants:
1) Develop and Practice Strong Cyber Hygiene:
- Cyber security is the responsibility of every single employee.
- Conduct full dynamic background checks of personnel to mitigate ‘insider’ threats.
- Implement robust passwords (unsurprising ‘Password123’ still tops the list)
- Ensure security of computing and communication devices, especially when travelling abroad.
- Train employees on email etiquette and ‘spear-phishing’ schemes – social engineered attached are increasing.
- Increase and demonstrate cybersecurity common sense as part of performance reviews.
- Utilise surveillance an malware detection software as part of a ‘Dynamic Defence Strategy’
- Assess the security needs for encrypted phones and devices.
2) Identify and protect your critical information assets:
- Identify and separately protect critical data and systems (ie what is valuable to you and thieves)
- Verify and update information governance processes with business stakeholders.
- Verify, validate and regularly test security systems to ensure continued protection of critical data.
3) Know and Secure Vendors’ networks:
- Limit access in accordance to need.
- Conduct diligence on the backgrounds of vendors with access and connections to your business an systems – Enterprise security is only as strong as its weakest link.
- Contractually bind vendors to security standards and protocols.
- Require vendors that provide critical data to disclose cyber incidents within 72 hours of occurrence.
- The latest version of ISO 27001: 2013 emphasises the management of information security throughout the supply chain.
4) Practice your Incident Response Plan:
- Engage with the board of directors, legal, marketing, technology department, HR to develop a cross-functional incident response plan and team.
- Retain outside technical, legal and public relations to be ‘on-call’ for the inevitable cyber incident.
- Identify and connect with contacts at law enforcement and your regulators before a cyber-attack.
- Focus on range, motivations and objectives of potential attacks (theft, denial of service, ransom)
- Comply with privacy laws and work with Legal counsel to protect the confidentially of the work.
5) Develop and Implement a Global Communications and Messaging Framework:
- Ensure that any communication plan covers all relevant stakeholders (employees, customers, regulators, and investors).
- Identify all regulators that will expect disclosure.
- Identify media and social channels for disseminating company information.
- Retain messaging experts to ensure a coordinated response when it is needed.
6) Test the Incident Response Plan and Update Regularly:
- Utilise a third party firm to conduct annual penetration tests to identify weaknesses in IT networks, infrastructure and employees compromising practices.
- Report the results to the board on a regular basis
- Modify the plan to reflect the results of testing – it’s a living breathing action plan on real world experience – surround yourself with experts who can inform and support it.
7) Develop a Cyber-threat Monitoring and Sharing Team
- Monitor cyber threats both internally and externally
- Monitor the internet, social media and dark web for stolen data and information of key executives and business operations.
- Test employee practices and compliance with security procedures.
- Participate in industry cyber threat sharing platforms.
8) Evaluate Cyber-security Insurance
- Assess the full range of risk and costs from disruption of services, data leaks, data ransoms and extortion schemes.
- Ensure that insurance cover maps to the cybersecurity controls, process, vendors and protocols in any incident response plan.
- Stay abreast of the market – Cyber insurance is still in its infancy and continues to evolve.
- Regularly review policy for gaps, newly available coverage and price competitiveness.
- Verify and validate that key partners have coverage.
9) Engage Privacy and Cybersecurity Expertise for all operational Jurisdictions
- Maintain industry contacts for information and threat sharing, best practice and solutions – CERTUK
- Maintain and update this knowledge on a regular basis
- Consult private council to ensure that cyber security solutions do not violate local laws.
10) Maintain Government Relationships
- Know the key agencies and personnel in the jurisdiction in which you do business – their expertise and intelligence can be invaluable.
- The time to forge such relationships is before a crisis – not after a cyber security breach.
Conclusion:
Everything we need to better understand, monitor and manage cyber risks already exists. There is no reason for these risks to be treated as a black art. We must as a priority, share knowledge and know-how with the people leading our businesses so that they can put measures in place which will absolutely minimise the impacts of a breach when it happens.
Effective Cyber Resilience can only be achieved when we normalise these risks for our boards and take individual responsibility for our collective security.
Digital Leaders South East would like to thank Garry and all the participants for their valued input at the Brighton salon.