Security Think Tank: Look to frameworks, guidance and legislation to boost resilience

What key things should organisations be doing in terms of cyber defences to ensure they are robust/resilient?

Organisations have never been hack-proof. They are unlikely ever to be hack-proof, despite what the technology industry may say or want us to believe.

It is a sad fact that businesses are sometimes hacked using some pretty old exploits, some of which are at least 12 months old. Patches almost certainly exist for them, yet businesses still get attacked through these exploits. That is not always the case, of course, but let’s not kid ourselves that all attacks come through zero-day exploits and that no one is responsible except the criminals.

Take recent outbreaks of ransomware, for example. Patches were issued by the manufacturer to deal with the vulnerability that was being exploited, but the second wave of attacks, exploiting the same vulnerability through the EternalBlue exploit, showed that many organisations had simply not bothered to apply the patch.

Any organisation interested in genuine resilience, not just its own, but also that of its connected business ecosystem, would surely have taken this seriously enough to have made sure the patch was applied and the vulnerability addressed. If I were to be judgemental, I would say it suggests a kind of apathy or inertia that flies in the face of any assertion of a desire for genuine resilience. But I am not being judgemental, so I will instead say that we, as security professionals, have a big job on our hands.

How do we go about genuine resilience? Let’s start by acknowledging that there is a genuine disconnect between our security experts and our boardrooms, which means the invaluable strategic skill sitting in our boardrooms is not being brought to bear on organisational security resilience. Unfortunately, this means that security and business rarely speak the same language.

How do we get around that? Let’s start with standards. The language of some of the most helpful standards that can be used to mitigate the kind of risk we are talking about is consistent and inclusive. By using standards and a risk-based approach, we can start to generate the kind of organisation-wide view that is needed to build resilience, because that is what standards are designed to do.

ISO27001: The de facto information security standard, ISO27001 is a comprehensive framework not only for the use and protection of your information assets, but also for making the most of them in a business-centric and resilient way. It offers a framework for effective information security that goes well beyond basic hygiene and into the realms of genuine resilience, with planning built in.

Certification to this standard may offer reassurance to potential supply chain partners, but remember: those genuinely using the framework as a business enhancer welcome being audited, as further reassurance that they are not treating it as a tick-box exercise to gain trust or credibility.

Applying this standard covers everything from physical access to data assets, policy on ransomware, and backups and recovery, to the use of BYOD [bring your own device] and third-party agreements. Used as an embedded part of everyday business, this comprehensive tool can have a transformational effect on behaviour, on culture and therefore on resilience.

ISO22301: If we are talking resilience, then we need to add business continuity into the mix. Without a tested plan and an enabled team, a business may have spent vast quantities of resource on security, but if staff cannot access their systems, building or tools, that spend is wasted. ISO22301 is a business continuity standard that helps you look at your entire organisation and how it would manage an interruption, including a cyber attack or the loss of transport or IT services (ransomware is both a cyber attack and a potential loss of IT).

If the worst happened, there needs to be a tested plan and informed team in place to ensure the impact on the business is kept to an absolute minimum.

GDPR/DP: While data protection and the UK Data Protection Act (DPA) have been around for a long time, some businesses still treat compliance as optional. Changes announced by the UK government in August 2017 make it clear that poor practice will result in fines and damage to reputation. Repeated surveys tell us that consumers and businesses alike will vote with their feet, budgets and wallets when it comes to doing business with organisations they see as insecure because of a breach.

But people rarely sing the praises of good data protection practice in terms of how beneficial it can be to organisational data handling. Following the guidance on how to manage data properly means an organisation has to examine all sorts of areas, such as storage. A data retention policy that is properly applied could end up saving a huge amount of storage space and cost.

Frameworks, guidance and legislation are all tools to help us be the best we can when it comes to cyber resilience, not just for our own sake, but for the sake of the businesses connected to us via the supply chain or ecosystem.