Based on our experience, there are four key areas that need to be addressed:
1. Understand the cyber security risk in relation to your organization and critical operations
An organization needs to clearly identify its key business assets, such as the IP that underpins core products and services or its financial or trading systems. These may not sit only inside the organization; they may also include suppliers or partners. The relative risks to these key assets then need to be analysed (scanning social media is one way an organization can be more proactive in understanding potential threats).
This approach enables organizations to gain a broader understanding of how to tackle not just the IT challenges, but also people risk, the physical environment and information handling issues as a whole.
2. Integrate across personnel, technical, physical and information security – and make smart interventions to boost overall cyber security
In the context of cyber security, the adage that you are only as strong as your weakest link is particularly pertinent; it is important to consider your cyber security strategy as a whole, rather than in individual silos. In practice, many organizations have not taken even the basic steps to defend against cyber attack: for example, they do not have appropriate HR policies and practices, effective employee identity management, physical security and/or access control. Even basic IT management arrangements (such as anti-virus and patching) may not be fully in place.
Getting the basics right, identifying where additional interventions can resolve vulnerabilities and ensuring that defensive measures are properly integrated will protect against all but the most persistent forms of attack.
3. Establish protective monitoring to prevent and deter the 'insider' threat
Protective monitoring allows organizations to identify suspicious activity by employees (or 'insiders') and supports a positive culture that deters counter-productive behaviour. For example, employees who return to the office late at night to access systems unrelated to their role should be identified and managed. This requires the ability to correlate data across systems, such as physical access control to buildings and the usage audit trails from IT systems, in order to intelligently identify unusual activity.
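As an added illustration of the correlation just described (example code, not part of the original article), the snippet below joins constructed badge-reader events with constructed system audit events per employee and flags after-hours access to a system outside the employee's role, or access with no preceding building entry. The role-to-system map, the after-hours window and the log layout are assumptions.

```python
from datetime import datetime, time

# Constructed sample data (assumed, not from the article): which systems each
# role legitimately uses, who holds which role, and one evening's events.
ROLE_SYSTEMS = {"finance": {"ledger"}, "engineering": {"build-server", "source-repo"}}
STAFF_ROLE = {"alice": "finance", "bob": "engineering"}

BADGE_EVENTS = [  # (user, timestamp, door event) from physical access control
    ("alice", "2024-03-04 22:41:00", "entry"),
    ("bob", "2024-03-04 09:02:00", "entry"),
]
AUDIT_EVENTS = [  # (user, timestamp, system accessed) from system audit trails
    ("alice", "2024-03-04 22:55:00", "source-repo"),  # late, outside role
    ("alice", "2024-03-04 23:05:00", "ledger"),       # late, but within role
    ("bob", "2024-03-04 09:30:00", "build-server"),   # office hours, within role
    ("bob", "2024-03-04 21:10:00", "build-server"),   # late, no badge entry that evening
]

AFTER_HOURS_START = time(20, 0)  # assumed working-hours boundary
AFTER_HOURS_END = time(6, 0)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def is_after_hours(dt):
    t = dt.time()
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END

def badged_in(user, dt, badge_events, window_hours=4):
    """True if the user badged into the building within window_hours before dt."""
    for u, ts, ev in badge_events:
        if u == user and ev == "entry":
            delta = dt - parse(ts)
            if 0 <= delta.total_seconds() <= window_hours * 3600:
                return True
    return False

def correlate(audit_events, badge_events):
    """Return (user, timestamp, system, reasons) for after-hours use that is
    outside the user's role or not preceded by a building entry; each hit is a
    triage signal for the security team, not proof of wrongdoing."""
    alerts = []
    for user, ts, system in audit_events:
        dt = parse(ts)
        if not is_after_hours(dt):
            continue
        reasons = []
        if system not in ROLE_SYSTEMS.get(STAFF_ROLE.get(user), set()):
            reasons.append("system outside role")
        if not badged_in(user, dt, badge_events):
            reasons.append("no badge entry before access")
        if reasons:
            alerts.append((user, ts, system, reasons))
    return alerts
```

Run over the sample data, `correlate(AUDIT_EVENTS, BADGE_EVENTS)` raises two alerts: alice's late access to the source repository (outside her role) and bob's late build-server use with no badge entry that evening.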
4. Recognize that it is virtually impossible to resist all cyber attacks – plan for resilience
Achieving 100 per cent security is both expensive and impractical. Instead, organizations need to ensure that they can rapidly identify when an attack is occurring. Often the only indication comes through customer experience, so the organization needs intelligence on this in order to know when something is wrong.
Once an attack has occurred, it is important to have the skills and resources to quickly isolate problems, determine the level of investigation and response required, and maintain business as usual. The pursuit of attackers requires good system administration, forensic capture during an attack and a legal response prepared in advance.