There are many low-cost and no-cost things organisations can do to improve their cyber security posture, according to Lancaster University cyber security researcher Adrian Venables.
Cost is one of the main reasons organisations put off addressing cyber security threats, he said, alongside perceptions that it is too complex to tackle or that security suppliers are simply using fear to make money. There is also the mistaken belief by organisations that they are unlikely to be hit by a cyber attack.
“Many organisations are either putting their heads in the sand or dismissing it as a non-issue,” Venables told Cybercon 2017 in Plymouth.
Venables, who is a former regular and now reservist British naval officer, said organisations should be making use of the advice and best practice guidelines that are available free of charge.
“Organisations can use these resources from academia and government to ensure they are better informed about cyber security so that they can allocate budget more wisely and effectively,” he said.
By being better informed, organisations can ensure they have the most appropriate cyber security policies in place, which can also be done free of charge, he said.
But at the same time, Venables said getting the workforce on board is “absolutely essential” and also requires a good understanding of the topic.
Sources of free information include the Open University, the UK government website, the National Cyber Security Centre (NCSC), industry associations such as the international shipping association Bimco, and research or guidelines published by security suppliers, he said.
The government also offers free online training for employees, for people responsible for information security at small to medium-sized businesses and some professionals, including HR professionals and procurement professionals.
Cyber security posture
Venables said the IT department of any organisation is a good place to start to get a basic understanding of its overall cyber security posture.
“The IT department should be able to provide details on controls, ports, services, firewall rules and device configurations – how these things are secured, how that is monitored, and how that could be changed to meet the most likely cyber threats to your organisation,” he said.
IT departments should also be able to provide details about how the network is sub-netted or segmented, said Venables, which can be useful in ensuring staff can access only the areas appropriate for their roles.
“And if attackers are in your network, segmenting it can slow them down and make it more difficult for them to move around,” he said.
Another important matter for organisations to consider is whether to allow employees access to webmail and unrestricted web browsing from work IT environments, he said.
“Not only is webmail a good way of getting bad stuff in, it is also a good way for attackers or malicious insiders to get stolen data out,” said Venables.
The lack of cyber security talent is a challenge for most organisations, but Venables said they should take the time to find out if they have hidden talent within their workforce.
“You may have all the skills you need without knowing it, like a cyber security enthusiast or hobbyist with real skill and aptitude who may be working in a non-security or even non-IT role,” he said.
Venables advised organisations to identify these people because while they may be of great benefit, they may also be one of the biggest threats because they are able to bypass security controls.
Organisations should also look at contingency plans for when things go wrong, he said, which involves workshopping, looking at possible security incidents and what action should be taken to limit the damage and keep the business running. This should include testing the integrity of data if a compromise is detected or suspected.
“It should be clear at what point you will call for external help, and you should have already approached a company so they are ready to come in when needed to ensure business continuity,” he said. “It is also a good idea to establish a relationship with a cyber forensics company to capture evidence that can be passed on to law enforcement.”
Venables emphasised the importance of testing incident response and recovery procedures to ensure that all plans work in practice and that there is a clear decision-making structure in place.
He also advised organisations to have printed copies of contingency plans so they are accessible if IT systems go down, and to test that data backup and recovery processes are working.
Venables also underlined the importance of carrying out investigations after every incident to understand the threat, which vulnerability was exploited and how any similar attack can be prevented in future.
“Also look at how well your response and recovery procedures worked to see if any improvements are necessary,” he said.
Every organisation should remember that if it has a public-facing IP address, it is never detached from cyber space, said Venables. “You are an integral part of it and you are at risk, which needs to be considered,” he said.
Get upgrades in sync
Organisations also need to look at how updates and upgrades to IT systems are conducted and ensure that hardware and software upgrades are in sync, so that the hardware supports the latest software.
Venables said organisations should not forget about their partners, who may not have the same level of security in place.
“It is worth checking how secure and resilient they are because attackers will always look for the weakest point, and in some cases that may be your industry partners,” he said.
Next, he advised organisations to ensure they know every device on their network that connects to the internet. They should also check that air-gapped systems are still air-gapped, and consider disabling USB ports on those systems to prevent potentially infected devices being plugged into them.
Network monitoring is also worth considering to enable organisations to know exactly what is on their network, what transactions are taking place and what connections or attempted connections are being made, said Venables.
Organisations should think about separating company data, personnel data and personal data, so that appropriate protections can be applied to each, based on the data type and the most likely attackers and attack methods, he said.
Finally, Venables said organisations have to consider the human factor in security. This means requiring passwords to be changed regularly to ensure only authorised and current personnel have access to systems, assigning ownership of systems to individuals who are responsible for keeping them up to date and secure, and continually educating and reminding staff about cyber security.