Year after year, cyber security is reported by analysts as the number one fear of all IT managers, from global CIOs to those running a small network of two or three people. Cyber security threats are at an all-time high, because the stakes are at an all-time high.
Historically, the typical cyber security threat might be from a smart but misguided teenager, writing code to create nuisance on the Internet and impress their peers.
In the last decade the threat has grown exponentially. Now the big threats come from organised criminals, who are looking either to harvest information or to use your systems as tools for their illegal activity – be this crime or terrorism.
Increasingly, these malicious actors will come in (maybe on a weekend), take over your systems, use them to commit crime, and then depart. When you come into work on Monday everything looks fine, and you might not even know it has happened.
Many smaller organisations think “we’re too small to be noticed, nobody would want to bother with us”. Don’t kid yourself; the bad guys (the malicious actors) use automated systems, and those systems are scanning the Internet looking for vulnerabilities. If your cover isn’t strong, they can be in and out without ever being detected.
These things are true:
The trick is to develop a layered, structured response to your security challenges. Start by working to understand where you are right now, and then develop a plan that covers three key areas:
As the FBI has observed, there are two types of business out there: those that have been the victims of a cyber attack, and those that don’t know they have yet. GCHQ has also said that when it comes to cyber security attacks, the question now is not "if", but "when".
Whilst it is almost impossible to render any system as completely secure, that doesn’t mean we shouldn’t put strong prevention systems in place to deter all but the most sophisticated attackers.
In a typical organization, prevention tools include:
Many businesses base their security around firewalls and anti-virus solutions, and consider themselves covered. Often, these organisations looked at areas such as access control and intrusion detection some years ago, and were put off by the (relatively) high prices when those technologies first became mainstream. If that’s you, it is time to look again. The cost of these solutions is much lower now, and the evolving threat means that these elements are essential even in a modest enterprise.
Detection systems look for unusual activity or traffic patterns, or for attempts to break in. They will spot attacks and raise an alarm accordingly. Often, depending on the nature of the attack, they will also quarantine or disable it.
It's important that any such systems are set up correctly; the system shouldn't flood the operations team with accurate but irrelevant alerts, because that noise makes the important incidents difficult to see.
It's important that detection systems pick up outbound connections to Command and Control (C&C) networks that malware and botnets like to use.
Detection systems should also be focused internally. Many security breaches are internal. Allow access to systems only where there is a genuine need, and make sure that internal attempts to circumvent security are spotted.
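The three points above (alerting on outbound connections to known command-and-control addresses, spotting the regular "beaconing" pattern such traffic tends to show, and not flooding the operations team) can be illustrated in a few lines. The following is an added example, not code from the original article or from any product it describes: it runs over a handful of constructed firewall-style log lines, with a constructed blocklist standing in for a threat-intelligence feed, and collapses everything it finds into one alert per host-and-destination pair.

```python
"""
Added example (not from the original article): a small detection pass over
constructed outbound-connection log lines. It flags connections to a
constructed list of known command-and-control (C&C) destinations, spots
regular "beaconing" from one host to one destination, and aggregates the
findings per host/destination pair so the operations team sees one alert per
problem rather than one per log line.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simple firewall-style format.
SAMPLE_LOG = """\
2024-03-02T02:00:00 ALLOW src=10.0.0.15 dst=203.0.113.9 dport=443
2024-03-02T02:05:00 ALLOW src=10.0.0.15 dst=203.0.113.9 dport=443
2024-03-02T02:10:00 ALLOW src=10.0.0.15 dst=203.0.113.9 dport=443
2024-03-02T02:15:00 ALLOW src=10.0.0.15 dst=203.0.113.9 dport=443
2024-03-02T02:16:30 ALLOW src=10.0.0.22 dst=198.51.100.7 dport=8080
2024-03-02T02:17:00 ALLOW src=10.0.0.22 dst=192.0.2.44 dport=443
2024-03-02T02:18:00 ALLOW src=10.0.0.30 dst=192.0.2.44 dport=443
2024-03-02T02:19:00 ALLOW src=10.0.0.22 dst=198.51.100.7 dport=8080
"""

# Constructed blocklist standing in for a threat-intelligence feed of C&C hosts.
KNOWN_C2 = {"198.51.100.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_c2_contacts(events):
    """Return {(src, dst): count} for connections to blocklisted destinations."""
    hits = defaultdict(int)
    for ev in events:
        if ev["dst"] in KNOWN_C2:
            hits[(ev["src"], ev["dst"])] += 1
    return dict(hits)


def find_beacons(events, min_connections=4, max_jitter_seconds=30):
    """Return {(src, dst): mean_interval_seconds} for host/destination pairs that
    connect at a near-constant interval, a common trait of malware check-ins."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_seconds:
            beacons[pair] = sum(gaps) / len(gaps)
    return beacons


def build_alerts(text):
    """One alert per (host, destination) pair, combining both detections."""
    events = parse_log(text)
    alerts = {}
    for pair, count in find_c2_contacts(events).items():
        alerts[pair] = f"{count} connection(s) to known C&C address"
    for pair, interval in find_beacons(events).items():
        note = f"beaconing every {interval:.0f}s"
        alerts[pair] = alerts[pair] + "; " + note if pair in alerts else note
    return alerts


if __name__ == "__main__":
    for (src, dst), reason in sorted(build_alerts(SAMPLE_LOG).items()):
        print(f"ALERT {src} -> {dst}: {reason}")
```

Run as a script, the eight log lines produce two alerts: one host talking repeatedly to the blocklisted address, and one host checking in with another address every five minutes on the dot. The two ordinary connections to 192.0.2.44 produce nothing, which is the point of the aggregation step: the operator sees the two things worth looking at, not a line for every packet.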
If there is a breach, how fast can we fix it? How can we make sure that the impact on our operations is minimised? This is where business continuity and disaster recovery come in.
Business continuity is about the resilience built into your systems to allow you to continue operating in the immediate aftermath of a major disaster. There is no “one size fits all” answer here, and the questions are not technical ones; they are really about business operations.
Disaster recovery is about how fast you can recover to a position where the impact of the incident has been eradicated. In cyber terms, this is about having good, appropriate, and well-tested backup solutions. Increasingly this means off-site, cloud-based backup services.
The two key metrics here are Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
Recovery Time Objective defines how quickly you want your systems to be fully operational.
Recovery Point Objective defines how old the recovered data may be, i.e. how much data can you afford to lose? Can you afford to lose a day’s data? Three days? Or is it an hour? The answer defines what backup and recovery systems and policies are needed.
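To show how the two objectives translate into a backup schedule, here is an added example (not from the original article, and not tied to any particular backup product). It works in hours, treats a backup as capturing data at the moment it starts but only being restorable once it finishes, and uses constructed figures for the schedules and the timed restore drill. One thing the definitions alone do not make obvious falls out of it: an hourly backup does not meet a one-hour RPO, because the backup's own run time and any missed run both count against the objective.

```python
"""
Added example (not from the original article): checking a backup schedule
against a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO).
All durations are in hours; the schedules and the restore-drill timing used
at the bottom are constructed figures, not measurements from any real system.
"""


def worst_case_data_loss(backup_interval_h, backup_duration_h, consecutive_failures=0):
    """Most data (in hours of activity) that can be lost with a given schedule.

    A backup captures data as of the moment it starts but is only restorable
    once it finishes, so just before the next copy completes the newest good
    copy is interval + duration old. Every failed run adds one more interval.
    """
    return backup_interval_h * (1 + consecutive_failures) + backup_duration_h


def evaluate_plan(rpo_h, rto_h, backup_interval_h, backup_duration_h,
                  measured_restore_h, consecutive_failures=0):
    """Report whether the schedule meets the RPO and a timed restore drill meets the RTO."""
    loss = worst_case_data_loss(backup_interval_h, backup_duration_h, consecutive_failures)
    return {
        "worst_case_data_loss_h": loss,
        "rpo_met": loss <= rpo_h,
        "rto_met": measured_restore_h <= rto_h,
    }


def minimum_backup_interval(rpo_h, backup_duration_h, tolerated_failures=0):
    """Largest interval that still meets the RPO after `tolerated_failures` missed runs.

    Returns None when the backup itself takes longer than the RPO allows, in
    which case no schedule of this kind can meet it.
    """
    budget = rpo_h - backup_duration_h
    if budget <= 0:
        return None
    return budget / (1 + tolerated_failures)


if __name__ == "__main__":
    # Constructed scenario: the business can tolerate losing one hour of data
    # (RPO = 1h) and must be running again within four hours (RTO = 4h).
    RPO, RTO = 1.0, 4.0
    scenarios = {
        "nightly, 2h backup window": (24.0, 2.0),
        "hourly, 10-minute backups": (1.0, 10 / 60),
        "every 30 min, 10-minute backups": (0.5, 10 / 60),
    }
    for name, (interval, duration) in scenarios.items():
        result = evaluate_plan(RPO, RTO, interval, duration, measured_restore_h=3.0)
        print(f"{name}: worst-case loss {result['worst_case_data_loss_h']:.2f}h, "
              f"RPO met: {result['rpo_met']}, RTO met: {result['rto_met']}")
    print("interval (h) needed for a 1h RPO with one missed run tolerated:",
          minimum_backup_interval(RPO, 10 / 60, tolerated_failures=1))
```

The measured restore time should come from an actual restore drill rather than a vendor estimate; the "well tested" part of a backup solution is precisely that the RTO figure has been observed, not assumed.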
This should be coupled with regular reviews of policy and strategy for security, and a “what did we learn” review whenever there is an incident.
Out of this approach – assessing your readiness for prevention, detection, and recovery – comes a security plan that is right for your organisation and your budget. We will then help you implement this using the right tools and components, and then we will help you monitor your defences to make sure that they are working.
We are also able to provide security testing and audit, including internal and external penetration testing.