Last November’s cyber attack on Sony Pictures made clear we need to be able to repel the threat from nation states as well as criminals.
But how can organisations defend themselves effectively from cyber attack by a nation state, which will have extensive power and resources at its command, or even by a highly organised criminal group with deep pockets and high levels of know-how?
If an organisation’s headquarters or a branch office were under physical attack by armed assailants, it could call the police, who would dispatch SWAT teams and whatever else was required to deal with the assault and prevent further damage to the organisation’s property. But when an organisation is under cyber siege, there is no such protection.
In today’s threat landscape, organisations must defend their information assets themselves. Here are four steps they should take immediately:
Develop a stark sense of reality about what they can do well in cybersecurity and what they can’t.
CIOs, CISOs and security leaders must revisit the organisational structure and skills of their security teams and IT staff with any responsibility for securing information assets. This analysis involves a deep review of what the organisation’s core competencies currently are or can be, and where outside help might be needed.
Foster deeper collaboration within their sector and across industries.
We all know that the bad guys share information freely and across borders and do not have to play by the rule of law. That makes it critical for the good guys to create more opportunities at all levels to collaborate both electronically and in person to share intelligence about current attack techniques and emerging threats.
Take a back-to-basics approach by focusing on protecting what matters most to the organisation with solid security controls.
More organisations should implement effective governance and controls frameworks, such as the US NIST Cybersecurity Framework and ISACA’s COBIT framework. When an organisation fully commits to implement a model framework, it has a much higher likelihood of success in protecting its crown jewels – and with the added benefit of not having to reinvent the wheel.
Creating good contingency plans and incident response plans is not enough – those plans also need to be practised.
It is critical to involve a wide variety of players across the organisation, and not just IT and security. Communications, legal and senior management all must be involved, and so must the necessary outside service providers who augment an organisation’s key cyber skills. For incident response plans to be effective, the internal and external ecosystem must be well understood, and all parties must be ready to act. Given what we all observed in 2014, practice may not make perfect, but it sure will help a lot.
It is likewise critical that security practitioners understand the relationship between their organisation, its people and IT assets, and the kinds of adversaries and threat actors they are facing. It is only through this analysis that the right cybersecurity programme can be designed and implemented where budget, skills, intensity and performance are all balanced at the appropriate levels.
Eddie Schwartz is chair of ISACA’s Cybersecurity Task Force and president of WhiteOps