Cyber security leaders need to create flexible systems able to monitor threats and respond to change in targeted ways.
It’s necessary to:
- Regularly pen test for vulnerabilities
- Monitor inside and outside threats
- Ensure access to specialist skills
- Create cultural buy-in and robust training protocols
- Manage expectations and priorities
- Have a plan for recovery
There has been a 400% increase in cyber-attacks since the start of COVID-19. But that’s only the latest shift in an already dangerous landscape. The World Economic Forum’s Global Risk Report 2019 projected that cyber-attacks and data fraud would have a net economic impact of $90 trillion by 2030.
“Solving the current challenge is just the start; creating a system that is able to spot risks on the horizon and adapt is the linchpin of successful cyber-defence policy”
Cybercrime is always changing. At Six Degrees, we believe in building “expectation of change” into planning. Using automated tools to gather context on threat indicators for faster threat investigation can improve your response times and reduce risk. Threat management is about creating an adaptive system able to continuously update and respond. Here, we’re going to look at six ways to get that done.
1. Understand your risk appetite and risk profile
- How sensitive is the data we store?
- What types of compliance regulations apply, and what are the consequences for non-compliance?
- How are customers likely to respond to a breach?
- How competitive is our market?
The flip side of your risk appetite is your risk profile — how exposed you are to risks and changes within the threat landscape. A complete risk profile includes your risk posture, and an analysis of your overall operational exposure to risk. But a more basic understanding simply looks at how known factors will impact your priorities and the risks that are most likely to be a problem.
How this helps:
Not every business can accommodate the same level of risk, and not every business will be exposed to the same kinds of risks. For example, businesses with customer-facing applications have an additional point of exposure when compared to those that do not. A bank or a healthcare provider has far less capacity to accommodate risk than a game developer.
Understanding these details and limitations within your own organisation is critical for prioritising action in the face of changing threats. It will help you target limited resources at the areas that matter most. It will also help minimise cost while keeping secure outcomes.
2. Use flexible frameworks
- NIST Cybersecurity Framework: This set of voluntary best practices recommended by NIST (National Institute of Standards and Technology) divides cyber security into five categories which should be continuously assessed and improved:
Keeping this process in mind will help you create a series of regularly reviewed actions to stay abreast of changes and execute effective solutions.
- NCSC 10 Steps: NCSC (National Cyber Security Centre) provides a 10-step cyber security guideline that can further help you plan for and accommodate change. Again, this revolves around continuous improvement and linking granular execution to three main outcomes:
- Maintaining the board’s engagement
- Establishing effective governance structures
- Producing supporting risk management policies
No matter what acronym you select, this all comes back to regularly updating systems and making security and user authentication standard expectations. Creating flexibility is about considering your own specifics and never getting complacent.
How this helps:
Adopting an agile approach to cyber security makes change part of your status quo. Rather than being upended by developments within the threat landscape, you can rapidly develop a solution. Different proposed frameworks simply help put your specific continuous strategy on rails.
Far more important than any specific set of guidelines is looking at your specifics. You need to remain vigilant within a system that regularly questions its own best practices and can bring onboard new information. Always look for evolving risks and then regularly review how these risks can be accommodated within your system. This cycle sits at the heart of your ability to manage an evolving threat landscape.
3. Response Planning
37% of UK companies have reported a data breach to the ICO in just the last twelve months. Accepting the reality that a breach might occur and building a set of protocols to respond is central to managing an ever-changing threat landscape. Cyber security isn’t about guaranteed safety — it’s about risk mitigation. Having a response plan is part of that strategy. There are three components to this:
- Disaster recovery and business continuity: You don’t want to lose data, even if you lose control over that data. An effective DR (disaster recovery) and BC (business continuity) plan should already be part of your overall IT strategy. But don’t underestimate their value to cyber-preparedness. As just one example, cyber-attacks might be up 400% in 2020, but ransomware attacks are up 800%. A siloed DR backup could help you sidestep that vulnerability, even after penetration.
- Threat response: You need the technical and human resources available to act if something goes wrong. Threat response should deploy advanced monitoring tools to identify an attack, incident response capabilities to shut down the attack in real-time, and forensic support to step in and backtrace the problem — closing the door that left you vulnerable in the first place.
- PR and communications: The public reaction to a cyber-attack can be just as damaging as the attack itself. Having a plan for how to communicate to your customers after an incident can make all the difference when it comes to mitigating business harm.
How this helps:
Preparing for the worst-case scenario will help you manage that threat when it occurs. You will minimise the harm caused and create a more secure outcome. It will also help prevent a breach in the first place. In preparation, you will identify vulnerabilities, quantify the consequences of failure, and improve your ability to communicate the importance of effective cyber security planning.
4. Ensure access to resources
In order to execute your strategy and respond to risks, you’re going to need skills, people, funding and support. We are going to talk in more detail about cultural support and training in the next point. Here, we want to focus on your own team, and the two critical components that you need to manage.
1. People and skills
65% of organisations report a shortage of skilled cyber security staff. Without the right professionals, you won’t be able to:
- Build robust systems: You need access to the technical expertise required to build and maintain a robust cyber security architecture.
- Train other staff: Making sure that everyone in your organisation understands cyber hygiene and how to access the system safely is critical.
- Respond to an incident: You need talent on call to respond to threats (either active or passive), resolve the risk and update your systems.
There are two halves to securing the right skills for the job. First, create an ongoing recruitment programme and bring in talent when needed. Second, establish one or more relationships with managed service providers.
The right strategic relationships can deliver you access to on-demand skills when necessary. This could mean outsourcing large parts of your cyber security operations. However, simply maintaining an ongoing relationship with a managed service provider will make it far easier to scale up access to cyber security professionals on a project- or incident-specific basis.
2. Funding and support
People and technology cost money. If cyber security is not taken seriously by leadership, it will be an uphill battle to secure the funding necessary to build the team you need to manage evolving threats. You need to secure that support, and we believe the best way to do that is through demonstrating the value of cyber to business outcomes.
Cyber security is often viewed as a cost centre — it’s an expensive requirement. Cyber security leadership is about changing that cost narrative into one focused on opportunities. You need to communicate to the board and C-suite that effective investment in proactive cyber defence will enable your business to pursue growth and achieve a competitive advantage.
If you want to learn more about effective cyber security communication strategies, check out our free resource — Board Presentation Toolkit: Cybersecurity and Threat Management.
How this helps:
Access to resources provides you with options. You can invest in the right technology and have the skills necessary to build effective systems, training regimes and processes. It also becomes easier to build the cultural support necessary to adapt. Which brings us to…
5. Build informed cultural support
Technology cannot keep you safe on its own. According to the ICO, 90% of data breaches in 2019 were caused by human error. Central to managing even a static cyber security environment are:
- Robust training: Making sure that people know how to safely access networks and share data.
- Buy-in: Widespread support for cyber security best practices, and a willingness to actually follow known protocols.
- Process simplicity: Appropriate protection without unnecessary impact on productivity. What’s more, systems designed to be easy to use make both training and buy-in easier to achieve.
You need a framework in place that can deliver the resources needed by everyone in your organisation to comply with cyber security best practices. That means clear and easy-to-follow policies, known resources for getting updates, and clear channels of communication for disseminating change.
You also need to make sure that employees understand why cyber security is important — creating cultural support. That starts at the top, and goes back to the previous point about securing the necessary resources to succeed.
How this helps:
In order to allow your agile process to actually roll out change, you need support for adoption. Simply isolating your cyber security planning to a single department won’t deliver the kind of outcomes that your organisation requires.
6. Stay up-to-date
Part of your threat management strategy should simply be staying up to date. Don’t forget about your own personal development, and make sure to read industry news in order to get updates on new best practices and threat intelligence. There are conferences and events, but there are also a lot of great resources online. In addition to subscribing to this very blog, there are a number of additional resources you should investigate:
- Cyber Threat Intelligence Reports — Regular updates from the Six Degrees team on evolving threats.
- Cyber Security Threats and Vulnerabilities — An overview of the most recent cyber-attacks and advice on how to respond.
- Cyber Clinic Webinar: Threat Updates & Tactical Cyber Security Advice — Our most recent ongoing series on cyber security.
In all instances, creating an informed foundation on which to make decisions will help you stay ahead of the curve and adapt to change. Critical to managing the evolving threat landscape is flexibility. The more information you have, the better decisions you will be able to make within that adaptive framework.
If you want personalised advice on your current and evolving situation, don’t hesitate to get in touch. We offer consultation on how to evolve your cyber security posture in line with the evolving threat landscape, and can help you make the right decisions on how to best navigate the future of cyber security and threat prevention. Good luck and get planning!