Do you know what actions you can take in relation to Cyber Risk in your business? This guide will help you to understand cyber security and risk, so you can assess this within your own business or organisation. You’ll find the quick summary at the start to save you time and cut to the key points you need to know. The rest of this blog will give you the detail so you understand the importance, as well as help you gain the knowledge you need.
- With any risk you have 3 decisions to make:
  - Acceptance, the cost of doing nothing.
  - Mitigation, the cost of doing something.
  - Transfer, cyber insurance.
- Preparation and prevention are your best allies in this battle.
- Cyber and information security is not complex and not expensive.
- There are many types of attacks and threats, and not all of them are external.
- You cannot ignore cyber risk; you must at minimum assess it to make an informed decision on your next actions.
Risk – Acceptance – The cost of doing nothing?
With any risk you have 3 decisions to make: accept, mitigate or transfer.
If you choose to accept risk without assessing it, what is the cost of doing nothing if the worst happens?
- Loss of ability to operate; average downtime after an attack or hack is reported as around 21 hours. If this is a result of ransomware this is more likely to be days not hours.
- Loss of reputation; something that can be lost in seconds with the click of a button, and can be potentially unrecoverable. 85% of data breaches involved a human element.
- Financial penalties; the ICO has issued fines just short of £40 million in the last 8 months for failure to protect customer information. This can also lead to private claims by the customers or employees whose data was not protected.
- Failure to win new business; more and more organisations are required to hold accreditations and certifications, and without these can be excluded entirely from tendering and bidding.
If you didn’t prepare for an attack, how do you respond? What do you do first?
Indications that an issue could be occurring:
- computers running slowly
- users being locked out of their accounts
- users being unable to access documents
- messages demanding a ransom for the release of your files
- people informing you of strange emails coming out of your domain
- redirected internet searches
- requests for unauthorised payments
- unusual account activity
Identification: establish what is actually happening. Information gathering needs to start as soon as an issue is suspected, and what you gather needs to be collated and/or shared with your IT team.
10 crucial questions:
- What problem has been reported, and by whom?
- What services, programs and/or hardware aren’t working?
- Are there any signs that data has been lost? For example, have you received ransom requests, or has your data been posted on the internet?
- What information (if any) has been disclosed to unauthorised parties, deleted or corrupted?
- Have your customers noticed any problems? Can they use your services?
- Who designed the affected system, and who maintains it?
- When did the problem occur or first come to your attention?
- What is the scope of the problem? Which areas of the organisation are affected?
- Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your supply chain?
- What is the potential business impact of the incident?
Stop the incident getting any worse
Look at the output of your security software, such as antivirus alerts and server/audit logs: can you identify the specifics of the attack and its potential cause?
If you know the device that has been affected, take this offline and run your antivirus programme to complete a full scan, and take notes of the results it gives you.
Use the information you have gathered to look for advice online from trusted sources such as police or security websites. Take extra care that any advice is from a verified and trusted source only!
In the case of an internet outage, contact your ISP in the first instance; most will have pages that relate to service availability.
- Externally managed IT: share the information you have identified and work with your provider to resolve the issue where possible. Check your support contract to understand what they are responsible for actioning and in what time frame.
- Internally managed IT: working to resolve the issue can include:
  - replacing infected hardware
  - restoring service through backups
  - patching software
  - cleaning infected machines
  - changing passwords
If you lack the internal expertise for complex incidents, consider using the services of a cyber security practitioner; make sure they are from a reputable organisation and hold appropriate credentials.
Risk – Mitigation – The cost of doing something?
With any risk you have 3 decisions to make: accept, mitigate or transfer. Mitigation covers how you reduce your risk to prevent attack.
The secret to surviving an attack is to prepare for it. This is not as complex as you might think! It can be separated into 2 areas: firstly preparation, and secondly prevention.
Business Continuity Planning (BCP) is about having a plan to deal with difficult situations, so your organisation can continue to function with as little disruption as possible. This plan needs to account for people, locations and processes based on criticality.
Disaster recovery (DR) is a plan designed to recover IT systems and infrastructure after a disaster. A DR plan comprises identifying crucial IT systems and networks, setting their Recovery Time Objective (RTO), and documenting the activities required to resume, reconstruct and recover those IT systems and networks. DR is part of the overall BCP.
Business Continuity – People and Locations
The input required is an understanding of your critical employees, your critical time periods and your dependency on your offices:
- Critical people: which employees in your organisation would you classify as critical, every day or at certain times in the month?
- Critical time periods / tasks: what critical processes and tasks do you have within the month?
- Locations: does your business rely on being able to physically access its current office?
Business Continuity – IT Systems
Recovery Point Objective (RPO) is the tolerable amount of data the organisation is prepared to lose.
Recovery Time Objective (RTO) is the amount of time needed to recover the critical systems and applications.
The industry standard for assessing IT systems and applications is known globally as the CIA Triad. This is made up of 3 key concepts: Confidentiality, Integrity and Availability.
- Confidentiality (access control): ensuring that information is accessible only to those authorised to have access.
- Integrity (accuracy): safeguarding the accuracy and completeness of the information.
- Availability (accessibility): ensuring that authorised users have access to information and associated systems when required.
Using a 3-point scoring matrix (High, Medium, Low) for each of the three concepts, each application is assessed separately and the applications are then ranked against each other.
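The scoring matrix and ranking described above, as an added example rather than code from the original guide: each application is rated High/Medium/Low for Confidentiality, Integrity and Availability, the points are summed, and ties are broken by the tighter RTO and then RPO so the ranked list doubles as a recovery order for the DR plan. The applications and their ratings are constructed sample data.

```python
# Added example: CIA-triad scoring matrix with ranking (not from the original guide).
# Applications, ratings, RTO and RPO values below are constructed sample data.
from dataclasses import dataclass

RATING_POINTS = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class AppAssessment:
    name: str
    confidentiality: str  # High / Medium / Low
    integrity: str
    availability: str
    rto_hours: float      # Recovery Time Objective, in hours
    rpo_hours: float      # Recovery Point Objective, in hours


def cia_score(app: AppAssessment) -> int:
    """Sum the three ratings (max 9); raises ValueError on an unknown rating."""
    total = 0
    for label in (app.confidentiality, app.integrity, app.availability):
        if label not in RATING_POINTS:
            raise ValueError(f"{app.name}: unknown rating {label!r}")
        total += RATING_POINTS[label]
    return total


def rank_applications(apps):
    """Highest CIA score first; ties go to the tighter RTO, then the tighter RPO."""
    return sorted(apps, key=lambda a: (-cia_score(a), a.rto_hours, a.rpo_hours))


SAMPLE_APPS = [  # constructed sample data
    AppAssessment("Payroll", "High", "High", "Medium", rto_hours=24, rpo_hours=24),
    AppAssessment("Customer CRM", "High", "High", "High", rto_hours=4, rpo_hours=1),
    AppAssessment("Intranet wiki", "Low", "Medium", "Low", rto_hours=72, rpo_hours=48),
    AppAssessment("Email", "High", "Medium", "High", rto_hours=2, rpo_hours=1),
]


def recovery_order(apps=SAMPLE_APPS):
    """Names of the applications in ranked (recovery) order."""
    return [a.name for a in rank_applications(apps)]


if __name__ == "__main__":
    for app in rank_applications(SAMPLE_APPS):
        print(f"{cia_score(app)}/9  {app.name:14} RTO {app.rto_hours}h  RPO {app.rpo_hours}h")
```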
Cyber Essentials Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.
Cyber Essentials Plus gives the added reassurance of an independent assessment.
- Secure Configuration
- User Access Control
- Malware Protection
- Security Update Management
The IASME Cyber Assurance standard was developed over several years during a government-funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001.
The IASME Cyber Assurance standard allows small companies in a supply chain to demonstrate their level of cyber security for a realistic cost, and indicates that they are taking good steps to properly protect their customers’ information.
The IASME Cyber Assurance Level 2 gives the added reassurance of an independent assessment.
- Risk Assessment
- Incident Management
- Data Protection
- Operation Management
Together, these certifications offer:
- Protection from the most common cyber threats
- Assurance that you have adopted the 12 key information and cyber security controls
- A reduced risk of cyber-crime
- A demonstration to the external world that you take information and cyber security controls seriously
Risk – Transference – Cyber Insurance
When managing risk there are only 3 options: mitigate, accept or transfer. With the changes to the UK Data Protection Act in 2018, the ability to transfer risk is now limited to insurance.
Due to a significant increase in cyber-attacks (up around 148% in the last 12 months), insurers are becoming more stringent in underwriting the risk.
Just like any insurance, the cost and coverage are dependent on the controls and security measures you have in place. If you are not able to meet these expectations you may find yourself not being able to obtain insurance or renewal of a previous policy.
Marsh, the world’s leading insurance broker and risk management firm, has recently reported that the cost of insurance has also increased, by anywhere between 25% and 400%.
Insurers and brokers are now looking for a lot more information during their due diligence, ahead of any policy being made available.
Before I get into more detail, let me clarify what cyber insurance is there to protect against.
Cyber event: a malicious action or an accidental event affecting an organisation’s digital systems, data or technology.
- Non-physical; compromise of the confidentiality, integrity and/or availability of digital systems, data and/or technology.
- Physical; property damage and/or bodily harm and injury.
Finally, the consequences of an event are reviewed. These can include:
- Loss of income
- Extortion/ransom demands
- Fines and penalties
- Shareholder litigation
- 1st party costs (insurance)
- 3rd party liability (if the organisation is sued)
The due diligence process includes a review of 12 key information security controls. Although these have been established for several years and are considered best practice, many organisations have not adopted them.
- Multifactor Authentication
- End Point Detection & Response (EDR)
- Privileged Access Management (PAM)
- Email filtering & web security
- Patch & Vulnerability Management
- Cyber Incident response planning & testing
- Cyber security awareness training and phishing testing
- Hardening Techniques including remote desktop protocol (RDP)
- Logging and monitoring
- End of life systems replaced or protected
- Vendor/digital supply chain risk management
Whether you need insurance or not, ensuring your organisation has the 12 controls in place is the best way to improve your information security posture and resilience.
Cyber Essentials Plus and IASME Cyber Assurance certifications address these controls and more through self-assessment.
We hope you have found this guide useful. It is part of a series which can be found on our website at www.net-defence.com.
Our team can be reached on 03300 0241666 or email@example.com should you have questions or want to better understand what your business needs.