Malicious cyber incidents continue to grab headlines. Cyber-attacks are nothing new, and whilst threat actors will continue to develop their tactics and techniques for delivery and intrusion, the reality is that most organisations are now well versed in detecting, responding to, and recovering from attacks against their business via the cyber space. Or are they?
Why are incidents still having such significant impacts – why are organisations, many of whom in possession of multi-million pound or dollar cyber security strategies and an abundance of resources, still scrambling to protect themselves from cyber-attacks when we’ve had years to refine our craft? At this point you are encouraged to consider just how well your organisation is placed to swiftly and effectively respond to and recover from a cyber incident. Do you have confidence in your plans and processes?
Is your business ‘good enough’? Are you outstanding, true leaders amongst your peer group or sector? For a CEO or Board of Directors, they might not want to hear that your approach to cyber incident management is ‘good enough,’ they may expect that you be one of those industry-leading and shining examples of best practice, up there amongst the very best. This expectation is a natural but perhaps misguided one; to achieve a perceived ‘gold standard’ costs money, a lot of money, and needs an extensive number of resources to build and maintain it – but is that what YOUR business needs? Would that approach be considered overkill and a potential waste of money? The key here is context and proportionality – a ‘good enough’ strategy that is built around the scale and context of your business operations, and one that is proportionate to the cyber threats and risks you face. These must be the drivers of your approach to cyber incident response.
Achieving 100% cyber security
Like the Unicorn, 100% cyber security does not and will never exist – sorry for the misleading headline. Absolutely, we are getting better at defending ourselves, and technology solutions entering the market are supporting organisational defensive cyber efforts – but hackers are still getting through and will continue to do so. Like the ‘good guys,’ they are developing new and innovative ways of exploiting vulnerabilities in technologies and in people. The latter in particular is an operating system that is known to have vulnerabilities; we aren’t machines and we do make mistakes. You are likely to have heard that the human is the weakest link in cyber security, but what human likes to be told they’re a weak link? I certainly don’t. I don’t believe that the human is the weakest link, actually humans are simply being just that – human. We get tired, we do not follow rules or policies, we sometimes lack focus or training, and we most certainly do have our interest piqued by the offer of free ‘stuff.’
Assume breach
Going hand-in-hand with the commentary above is a philosophy referred to as ‘assume breach.’ This approach is, I believe, an excellent one as it places a focus on your response and recovery actions and supports you in placing equal importance on your reactive controls and processes as well as those that form part of your preventative strategy. Clearly preventative controls are incredibly important and will work to defend your business against many common cyber threat types, but should we place all our effort and prayers on trying to prevent the incident from occurring in the first place? That’s a difficult question to answer however, by assuming that your systems and networks will, at some point, be breached (a truly motivated and technically capable threat actor WILL get into your operating environment) you can take steps to limiting impacts and ensuring business continuity is maintained – the much trodden ‘not if, but when’ line most certainly applies.
Building cyber incident response around your people
Technology very rarely fails on its own. It usually fails because we’re (the human, again) not using it properly, whether that be due to malicious (e.g., deliberately circumventing operating procedures) or non-malicious (e.g., misconfiguration) reasons. The same can be said for cyber incident response. The technology has a critical role to play, but it is the human who is central to the efficacy and responsiveness of your plans and processes. It is the human who will be making decisions, enacting those critical response actions, and communicating with affected parties, and so your plans must be built around the human, your people. Plans need to be clear, concise, and repeatable and in our next release we will go into further detail regarding the strategy itself; what do you need to know and, importantly, what can you do to establish a ‘good enough’ cyber incident response plan.
