The Internet of Things is transforming lives, but how can organisations keep themselves and their customers safe from cyber crime? Our message to businesses today is that anticipating cyber attacks is the only way to be ahead of cyber criminals.
In our 2014 Global Information Security Survey (GISS), we discovered that organisations are making progress on building the foundations of cyber security – and this progress is important – however, most respondents reported having only a ‘moderate’ level of maturity in their foundations. There is still a lot to do.
The survey also tells us that more organisations are looking beyond these foundations. They are adapting their cyber security to changes in their business strategy and operations and to changes in the external business environment. But they also need to change their way of thinking to stop being reactive to future threats, and reach a state of readiness, confident in their assessment of risks and threats and prepared for what is coming. In other words: anticipate and get ahead of cyber crime.
These three different stages to cyber security maturity – ‘activate’, ‘adapt’ and ‘anticipate’ – need to be executed in a tight sequence. By undertaking this journey, organisations will transform themselves from being an easy target into something more formidable.
Organisations need to have a solid foundation of cyber security – a comprehensive set of cyber security measures which will provide basic (but not good) defence against cyber attacks — i.e., they ‘activate’ their cyber security. Organisations that have activated the foundations for cyber security but not moved beyond this will typically display shortfalls in their capabilities in that their cyber security is ‘bolt-on’ and not integrated into the business; they are only looking at cyber threats in their current environment and based on prior experience, and that overall their approach generally to risk tends to be around compliance and metric-driven reporting, not responding to the volatile, changing world around them.
So organisations that have not yet reached the foundational level of cyber security, and suffer from these shortfalls, need to act fast. Typically they should urgently conduct a security assessment to identify gaps and look at where they are falling short against leading practices (such as ISO 27001). They need to get board-level support for a transformation of their cyber security capabilities and move it out of being ‘just an IT problem’. They should review and update their security policies, procedures and reporting standards; developing monitoring of known cases and incident response procedures could be addressed by establishing a Security Operations Centre. They should design and implement cyber security controls by looking at data loss prevention and identity and access management. Hardening the security of servers, firewalls, network components and databases is a basic essential, and then overall the business needs to test its business continuity plans and response processes.
But as the worlds of business and cyber threats do not stand still, organisations will change and threats will also change. Therefore, the foundations of cyber security measures must adapt and keep up-to-date, otherwise they will become less and less effective. So the ‘adapt’ stage must add further features to move beyond the ‘activate’ level. Cyber security needs to be built-in so that it is involved in everything the organisation does – for example, a new business process, opening a new plant, an acquisition or a new product. Then there is the focus on the external business environment so that cyber security continuously adapts to ongoing changes – for example, going digital or using cloud services. The need is to be dynamic, flexible and under constant revision. Effective ways to do this would be to design and implement a transformation program and decide what to keep in-house and what to outsource – a fully in-house SOC, an external managed security services provider (MSSP), or a move to a blended model. A RACI matrix should then be defined and cyber security awareness training for employees instigated. Finally, define the organisation’s ecosystem by considering the knock-on impact of security breaches on your third parties, and work to eliminate potential security gaps there.
Ultimately however, organisations need to develop tactics to detect and detract potential cyber attacks. They must know exactly what they need to protect (their ‘crown jewels’), and rehearse responses to likely attack and incident scenarios (including accidents). This requires a mature cyber threat intelligence capability, a robust risk assessment methodology, an experienced incident response mechanism, and an informed organisation. At this stage, organisations are more confident about their ability to handle more predictable threats and unexpected attacks; i.e., they ‘anticipate’ cyber attacks.
Cyber security needs to be ‘built-beyond’ so that the organisation can be alert, ready to act and respond quickly in a balanced manner. It also recognises its crown jewels and is able to prioritise these assets and understand the impact of them being breached or compromised, linking them into the threat assessment process. The organisation knows its environment inside out, using cyber threat intelligence to gain this knowledge — incorporating both external and internal sources of risk, and covering both present and future, while learning from the past. A learning culture is embedded, data is studied (including forensics) and new collaborative relationships with other organisations are explored. Organisations that are in a state of anticipation regularly rehearse their incident response capabilities, including war gaming and table top exercises, enacting complex incident scenarios.
To get your organisation ready to move into the ‘anticipate’ level, start by designing and implementing a cyber threat intelligence strategy and work with the board to help them understand how to use threat intelligence to support strategic business decisions. Define and encompass the organisation’s extended cyber security ecosystem to define RACI and trust models and enact cooperative, sharing capabilities. Take a cyber economic approach – understand the value of your organisation’s most vital cyber assets to the cyber criminals, then re-evaluate plans to invest in security. And ensure everyone understands what’s happening around the organisation – update employees and keep them acting as the eyes and ears of the organisation.
Ultimately, proactive, intelligent cyber security needs to become the norm for every organisation. There is no real alternative. We want the focus to be on enhancing the organisation because businesses have mastered the foundations, adapted and become better able to anticipate. We would like businesses to take the initiative and make cyber crime far less profitable – in other words, take away the power of the hacker and get ahead of cyber crime.
Paul van Kessel is Global Risk Leader and Ken Allan is Global Cybersecurity Leader at EY. Mr van Kessel can be contacted on +31 884 071 271 or by email: firstname.lastname@example.org. Mr Allan can be contacted on +44 (0)20 795 15769 or by email: email@example.com.
© Financier Worldwide
Paul van Kessel and Ken Allan