GRC International: The cyber resilience model
For too long, organisations have sought the holy grail of 100% Cyber Security. But security is never absolute; it is essential to understand that a breach is inevitable. It is the way in which organisations respond to a cyber security breach that is critical. Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance explains the fundamental importance of creating a Cyber Resilient model.
Cyber Security Myth
Cyber security is defined as the state of protecting information from attack by identifying risks and establishing appropriate defences. But as investment in security solutions continues to spiral it is essential for organisations to recognise the truth: total cyber security is unachievable.
Cyber criminals can and will dramatically outspend their targets, creating ever changing and ever more sophisticated threats. At the same time, the ease with which these individuals and organisations bypass security technology and exploit poor process and ill-educated employees simply reinforces the futility of the current model: when 93% of security breaches occur as a result of a phishing or pretexting email, clearly a different approach is required.
Breaches occur routinely – and companies rarely know they have been breached. Not only are the majority of security breaches actually identified by third parties, on average it takes 193 days after the breach first occurred. So much for the much vaunted cyber security strategy.
What is required, therefore, is a far more robust approach to both managing the breach and minimising the business impact – a model that is predicated on achieving cyber resilience, not cybersecurity.
To create a cyber resilience model an organisation needs to totally reconsider security provision; to assess and determine the business specific acceptable level of risk and acknowledge that an attack may be successful however well prepared the defences. By adopting a standards-based approach that encompasses technology, people and processes, a cyber resilience strategy can be designed to reflect each organisation’s maturity level with regards to both cyber security and data privacy.
At the heart of a cyber resilience strategy is defence in depth. In addition to using technology to block phishing emails, for example, a company must also ensure staff are trained to recognise the signs that an email may not be genuine. They must know how to respond if they mistakenly click on the email, including immediately notifying the help desk, which will prompt clearly defined escalation processes to minimise corporate exposure. Add in a device level back up process that does not allow the spread of malware and a business has a robust cyber resilience approach to the most prevalent form of breach.
This is, of course, an evolution. For smaller or start up business, a simple first step is to adopt Cyber Essentials, five basic controls which should prevent around 80% of Internet borne attacks from being successful. As an organisation matures, it is important to add process and people controls, even pursue the ISO 270001 information security standard, and to consider the wider business ecosystem. Is there a corporate network vulnerability created by the heating supplier routinely accessing the building’s heating, ventilation and air conditioning system, for example? What about customer security? Should the hosted web site be relocated to the cloud to achieve the encryption demanded by PCI DSS when handling credit card details? Throughout the evolution, a good cyber resilience model will continually learn, collecting data about breaches, for example, to highlight staff that need additional training or improvements to escalation processes, and ensuring the cyber risk assessment adapts in line with business expectation.
Critically, therefore, this is a board level issue and, over time a board’s awareness of and involvement in the business’ cyber resilience model must become part of the standard governance framework, as embedded as board and market reporting, health and safety and social engagement.
Simply raising the cyber security budget year on year is not the answer: what is required is an evolving, multi-layered set of responses to the continually escalating cyber threat. Replacing a futile search for cyber security with a robust, practical and risk appropriate cyber resilience model is one of the most important steps an organisation can take.