Building an effective cyber security posture
Continuous improvement is not a new way of thinking, with business origins often attributed to post-war Japan and the principles of ‘kaizen’. However, in cybersecurity there is often a tendency to try and fix challenges and risks in one go with a ‘silver bullet’ piece of technology. Certainly, if you look to most organisations within the industry, you’ll see them talking about how their software is the one bit of technology that can solve all your cyber problems and protect you no matter what.
Whilst technology is clearly important in improving an organisation’s cybersecurity, what is often overlooked is the fact that no technology in the world, now or in the future, will be able to protect an organisation from all attacks. Likewise, no technology in the world, now or in the future, will be able to fully respond to all attacks and prevent incidents from being breaches.
This is why it’s absolutely critical that all organisations look to continuous improvement, not silver bullets when it comes to their cybersecurity. This may seem daunting, but with a simple 5 step process, organisations can understand and improve their cyber maturity, prioritising the right areas to focus on to ensure they remain resilient and secure.
We call this building a ‘Cyber Maturity Plan’ and have created this blog to walk organisations through the creation, implementation and evolution of this plan, with the ultimate outcome being an organisation that is set up to continuously improve their cybersecurity posture.
Building a Cyber Maturity Plan
The Cyber Maturity Plan serves to understand the current position of the organisation’s cybersecurity and bring focus to current and future investments, with the aim of continuously improving the security capability.
Step 1: Undertake a risk & threat assessment
The first step of any Cyber Maturity Plan is to understand what you’re trying to protect against. 3 simple questions can be asked in order to model your threat landscape, answers will depend on the sector you operate in and your specific organisation:
- Who are the attackers (and what are their motivations)? Are they state-sponsored attackers, opportunistic criminal gangs, politically motivated ‘cyber terrorists’ or perhaps even insiders.
- What might attackers be interested in getting from you? Are they looking to gather customer information to ransom you against a GDPR threat? Are they looking to gain admin credentials or get to one of your customers or partners as part of your supply chain? Are they simply looking to encrypt files and backups and lock you out of operations for a ransom?
- How might they get in? At this stage it should be generic, i.e. not specific to your weak spots, but with answers such as through phishing attacks, brute force, through web downloads or insiders?
At this stage, the intention is to remain broad in your thinking, and to use this as a base set of agreed truths to then delve into deeper in later steps.
Step 2: Prioritise your assets – protect your crown jewels!
This step is all about working out what keys you can’t afford to lose and aims to prioritise investment in cybersecurity to focus on the most critical assets and routes into those assets. Examples could be a particular piece of IP, admin credentials, software access or customer data.
The starting point will be your answers to what attackers are trying to get and how they may get in, but you’ll start to be more specific to your organisation here.
There may be multiple things an attacker is trying to get, for example in healthcare industries, clinical research data is extremely valuable, and attackers will look to leverage this data for financial gain. Cybercriminals will look to use any means necessary to obtain an organisations intellectual property, from looking to hold you to ransom through to encrypting devices. Considering the citizen impact of any of these end goals will then help you to prioritise what you need to protect most and set you up for step 3.
Step 3: Identify the weak links in your business
Like many things, an organisation’s cybersecurity is only as good as the weakest link. In this step you should be looking at weak links through two lenses – both the general access into a business and specific routes to obtain your crown jewels. This may be the same or different depending on your business with one of the actions being to isolate your crown jewels, so that a general organisational breach doesn’t necessarily mean the attackers come away with what they really want.
Approach this step from 3 interlinked, but separate angles:
- People – there are 2 ways internal staff cause breaches; maliciously or through negligence. Insider negligence is the biggest cause of incidents with 63% of insider-related incidents relating to negligence, versus 23% due to malicious actions. Consider training needs as well as implementing zero-trust in your organisation to ensure users only have access to the minimum they require to do their job.
- Processes – this covers a broad focus, from cybersecurity processes such as playbooks for dealing with alerts and incidents, to internal processes such as data storage (and retention rules), password policies and more. Understand where a process is open to human and technology error or manipulation.
- Technology – covering the entire IT infrastructure of the organisation and, if possible, supply chain. Understand what tooling you have in place already, what is at risk or potentially could be, for example legacy Operating Systems nearing end of support. Consider what is and isn’t being used – you’ll likely be paying for security technology as part of your licences and wider infrastructure, note these down, even if they’re not used to date as this will help reduce cost over time.
Step 4: Review current cyber investments
Only once you understand the threat landscape and attack vectors into your organisation should you benchmark your current cyber capability. The goal here is to understand what outcomes you expect and receive from your various investments, primarily focusing on technology and people. These should be viewed in terms of value – either supporting your goals, for example, by improving user experience and/or by improving your cyber security posture.
This step can be really enlightening, especially when significant changes happen, such as COVID-19 – as a result of more people working from home (and likely to do so moving forward) older critical technology that you would have rightly spent lots of your budget on may now be less relevant. For example, network firewalls may no longer be as critical to your organisation as they once were, especially if you’ve closed down your offices.
It’s also worth understanding what technology you may have inadvertently invested in and aren’t using, for example if you use Office 365 and have an A5 licence with Microsoft, you’ll be paying for the likes of Microsoft Defender for Endpoints and Microsoft Sentinel. This stage will help you identify if there’s areas of your technology stack that you’re duplicating costs on.
Step 5: Build an action plan that converges your IT & security roadmaps
You’ll often hear this described as ‘secure by design’. Regardless of whether security and IT are the same team or a completely different department in your organisation, it’s often overlooked to combine the two into one overall roadmap. This is critical to ensure both elements of your organisation are working together and that IT tools that improve productivity don’t do so at the cost of security and vice versa.
Assume compromise, plan for response. At this stage, you should be bringing all previous elements of the plan together and building a strategy that protects your crown jewels through a combination of people, process and technology. It’s important to note that ‘protecting’ your crown jewels, doesn’t mean trying to do everything you can to stop a breach, but prioritising your budget to improve critical weaknesses in your IT infrastructure, providing training to staff and investing in the right processes pre, during and post-breach.
In addition, if it’s not already, cybersecurity should be part of your Business Continuity Plan (BCP) in the same way as pandemic responses will now be for every organisation. Key elements here are to agree internal communications, PR ramifications, engaging affected staff and customers as early as possible, planning for turning the lights back on, recovery and making sure you don’t have to pay ransoms from taxpayer money.
By the very nature of continuous improvement, this should become part of your annual planning at the very least and certainly be reviewed after every incident of note, whether a successful attack or not. Initial priorities should be on people and process over technology as technology needs people and process to make it work. Get the basics in the form of good cyber hygiene right and then review your technology. In most attacks, it’s not the case that technology doesn’t detect an attack, it’s down to the fact that nobody is there to look at the alerts or the processes aren’t in place to respond effectively that results in significant disruption to your IT services.
Take our cyber maturity quiz to find out how your organisation would fare in a cyber attack?