Cyber security — looking at the bigger picture but getting the basics right

An interesting (and somewhat alarming) statistic made news headlines at the beginning of the year — UK businesses experienced an average of 230,000 cyber-attacks each in 2016. This is according to research by an ISP and certainly puts the severity of the topic into perspective. Of course, we are all already aware of the threat that cyber criminals pose to business, whether that is something experienced first-hand or highlighted by the high-profile breaches and attacks that have taken place over the last 18 months.

The number of cyber-attacks is increasing almost exponentially, as is the scale of these attacks. From the largest DDoS attack to date that took down managed DNS provider Dynamic Network Services (Dyn), to the announcement by Yahoo last year that 1 billion user accounts were compromised in a large-scale breach that in fact took place in 2013 — the intent of cyber criminals is clear. 

Fines, lost revenue and broken customer trust 

It’s not just about the attacks themselves, but also about the impact. In the case of the Dyn attack, customer sites including Twitter, Netflix, CNN, PayPal and Airbnb were affected, so much so that the company reportedly lost 8% (14,500) of the domains it was hosting. Other organisations have been hit with steep fines alongside the loss of customers, revenue and reputation.   

TalkTalk, for example, was fined £400,000 last year for losing 157,000 customer records as the result of an attack in 2015. The consequences are only exacerbated in heavily regulated industries such as financial services. The issue of fines will also become more daunting as we move towards the EU’s General Data Protection Regulation (GDPR), which comes into effect in May 2018. Companies that fall victim to breaches will not only have to pay fines; under GDPR those fines can reach €20m or 4% of global annual turnover, whichever is the greater. This applies to businesses large and small, and in all industries.

Government investment   

While the idea of cyber security isn’t a new one, organisations are paying more attention to risk mitigation strategies and have been increasing budgets accordingly. The cyber threat isn’t slowing down, and businesses are now of the opinion that an external attack of some kind is almost inevitable. The government shares this view — so much so that it launched the Cyber Essentials Scheme in 2014 and has since dedicated significant resources (£1.9 billion) to developing a National Cyber Security Strategy.

The aim of the strategy is to “make Britain confident, capable and resilient in a fast-moving digital world” and includes the establishment of the National Cyber Security Centre (NCSC) in London, which opened recently.

However, although the UK government recognises the importance of cyber security and is investing in helping businesses, organisations cannot simply rely on these measures. Instead, both IT leaders and the C-level need to take a targeted, multi-layered approach to cyber security.

Whose responsibility is it, anyway? 

While in days gone by cyber security was very much seen by businesses as the responsibility of IT — think about patches, device hardening and anti-virus software — nowadays it is rightly being accepted as the responsibility of the entire organisation, driven from the top down. This isn’t just a matter of allocating additional budget. It means looking at cyber security from a more proactive point of view, which includes not only employee awareness but also educating users in data ownership and their responsibilities with respect to that data.

Historically, human error has been the cause of the majority of cyber events, be it clicking on a link, providing information to someone impersonating a trusted third party or using unapproved software. As a result, user awareness should play a critical role in any cyber security plan an organisation puts in place. This needs to be underpinned by a full understanding of the data held by the company and of what it means if the availability, integrity or confidentiality of that data is compromised.

Beyond that, a cyber security strategy is likely to differ from organisation to organisation, depending on the nature of the business and the types of data assets it holds (customer records, payment card information or health data). For many organisations, particularly small and medium sized businesses, the most challenging aspect is where to start.   

Get the basics right 

Regardless of what plans and policies are already in place, organisations can always benefit from using an industry-recognised framework when assessing their state of cyber readiness. Going back to the government-backed Cyber Essentials Scheme, this is an excellent way of understanding what measures are in place and what remediation is needed to close any gaps. Cyber Essentials is a fundamental set of controls that, when implemented correctly, addresses about 80% of common cyber threats. It covers security fundamentals such as boundary firewalls and internet gateways, secure configuration of systems, access control, malware protection and patch management.

Once a business has been assessed against this framework, ensuring the right boxes are checked and the controls are in place, it is then Cyber Essentials certified. Not only has it covered its bases in terms of protection, but certification demonstrates to suppliers, partners, customers and even insurers that the cyber threat is being taken seriously and that processes and procedures are in place to mitigate common cyber risks.

The assessment also paves the way for businesses to address the remaining 20% of threats that are specific to their operation. For many, the additional value of using these frameworks lies in working with service providers that assist with the assessment and offer remediation services afterwards. Even drawing on the expertise of other IT or cloud service providers can help in strengthening and refining approaches.

Conclusion 

While businesses have to take responsibility for their own cyber security strategies, assessing their risk profile and implementing mitigating controls where applicable need not be a solitary task. Protecting against cyber criminals does require a multi-layered approach, and one of those layers is working with service providers and cyber security experts to make it all a reality.

Hazel Freeman, managing principal consultant, professional services, Pulsant 