Five steps to cyber resilience
– a cyber resilience plan for every SME and mid-market sized organization
Cyber advice is easy to come by for every business, but it’s harder to decipher what aspects of that advice are relevant for you as an SME or mid-market sized company.
That’s why we have developed this five-part special series to offer much more than a list of arbitrary tips that might or might not be relevant.
Over the next five blog posts, we will look at the bigger picture for your organisation and detail key actions rooted in the National Institute of Standards and Technology’s (NIST) cyber security framework.
By working through these key areas, we believe that by drawing on both our own experience in helping businesses build their own cyber resilience and the expertise of some of the leading cyber security practitioners, we can help you work towards achieving cyber resilience for your business.
The five areas of focus for Five Steps to cyber resilience for SMEs and mid-markets are:
- Identify – Understand your environment and overall cyber risk
- Protect – Implement appropriate safeguards to contain a cyber security event
- Detect – Maintain visibility into your network so you can detect intrusions
- Respond – Assume a breach will happen and have a plan in place
- Recover – Business interruption is the greatest risk; access experts to recover quickly
Step 3: Detect | Maintain visibility into your network so you can detect intrusions
In our blog series ‘Five steps to cyber resilience’ we’re reviewing the five functions within the NIST Cyber Security Framework (CSF). We have already covered the first two functions: Identify and Protect. For this post, the third in the series, we’ll offer some tips and advice around the discovery of a cyber security event through the ‘Detect’ function.
Ensuring that a Detect function is properly established within your organisation is crucial to building and maintaining cyber resilience: the sooner you can detect a cyber security event, the quicker you can mitigate its impact. It’s a mistake for SMEs to believe that cyber-attacks are easily or immediately detected. During 2019, the average time to identify a breach was 206 days, and the average lifecycle of a breach (from the breach to containment) was 314 days [1].
According to the Chartered Institute of Information Security (CIISec), the biggest cyber-attack of 2020 has “already happened”, it’s just not yet been detected [2]. Consequently, SMEs need to put detection mechanisms in place to prepare for the expected, a cyber-attack: it is not a matter of ‘if’ it will occur but ‘when’.
Timely detection
NIST defines the Detect function as the function to “develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.” The goal is to discover cyber security events in a timely fashion so that attackers do not have adequate time to spread through the business and steal increasing amounts of data. Faster detection, built on the thorough identification of risks and the protective controls from the earlier functions, lets an SME significantly improve the protection of its crucial data assets.
In establishing a robust Detect function, it’s essential to address the following questions and know that processes are in place to maintain adequate detection capabilities:
- Who’s responsible for detecting suspicious activity and events?
- How should these detections be reported and what should you do about them?
- How can you test and constantly improve your detection systems?
It’s helpful to review these three outcome categories described within the NIST Detect function and verify if you already have necessary processes in place or need to review them with your IT department.
Ensuring anomalies and events are detected, and their potential impact is understood
In order to detect anomalies, there needs to be a baseline of what is normal in terms of activity across your network and IT infrastructure. That baseline can only be established if the IT department has put in place the necessary monitoring, collection, and analysis of data across multiple points and then set incident alert thresholds. In simple terms it’s about setting up control points, monitoring them, and knowing to take action when anything appears to be outside of normal activity. Those triggers can be the first indicators of a cyber-attack and save invaluable time in terms of reaction and containment.
Implementing continuous security monitoring capabilities
This outcome calls for full end-to-end monitoring of IT networks and infrastructure in order to identify potential security issues and determine whether the actions taken as part of the Protect function created the necessary safeguards. Your IT department should ensure the continuous monitoring of all aspects of the IT network, physical environments, user access and the activity third parties are permitted to carry out. It’s strongly advised to have automated, recurring vulnerability scans performed on protected systems.
Whilst comprehensive penetration testing may be prohibitively expensive for an SME, cost-effective automated vulnerability scanning tools are readily available. It’s worth noting that hundreds of security vulnerabilities are reported in network-connected systems, devices, and software each week, yet 85% of organisations globally have not fully deployed automation in their cyber security processes [3]. You can find out more about automated vulnerability scanning tools here.
Maintaining detection processes to provide awareness of anomalous events
This outcome requires that detection procedures and processes are put in place and regularly tested to ensure timely and full awareness of potential cyber-attacks. Aside from your own need to know about a breach as soon as possible, it is also important to recognize that, where a breach involves personally identifiable information (PII), there is a mandatory reporting requirement to notify your relevant supervisory authority, without undue delay and, where feasible, not later than 72 hours after having become aware of the attack.
In any event, processes need to be documented, regularly tested, and continually improved. They should define clear ownership of roles and responsibilities, and describe how to detect unauthorized access to data as soon as possible. Detection processes require proactive security management such as comprehensive security patching. Patches are changes recommended by the software provider that correct the weakness described by a vulnerability; applying them keeps all critical systems and applications up to date. It’s also recommended that your IT team regularly reviews all user privileges and access controls to help reduce risk exposure, and routinely removes or disables any components and tools that are unnecessary or no longer required.
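The automated vulnerability scanning recommended above and the patching requirement in this section come down to the same routine check: compare what is installed against what the vendor says is fixed, and flag what is out of date and for how long. The script below is an added example (not the post’s own code and not any scanner’s output) that does this over a constructed asset inventory and a constructed advisory list; the product names, the `ADV-EXAMPLE-*` identifiers and the per-severity patch deadlines are placeholders chosen for the example, not real vulnerabilities or a published SLA.

```python
"""Patch-compliance check of an asset inventory against vendor advisories.

Added example, not code from the original post. Products, advisory identifiers
(ADV-EXAMPLE-*), versions, hosts and patch deadlines are constructed placeholders.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    id: str          # placeholder identifier, not a real CVE
    product: str
    fixed_in: str    # first version that carries the fix
    severity: str
    published: date


# Constructed advisories for fictional products (not real software or vulnerabilities).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "acme-webserver", "2.4.10", "critical", date(2024, 2, 20)),
    Advisory("ADV-EXAMPLE-0002", "acme-vpn-agent", "1.10.0", "high", date(2024, 2, 28)),
    Advisory("ADV-EXAMPLE-0003", "acme-db", "5.7.2", "medium", date(2024, 3, 1)),
]

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("web-01", "acme-webserver", "2.4.9"),     # older than the fix: finding
    ("web-02", "acme-webserver", "2.4.10"),    # exactly the fixed version: compliant
    ("vpn-01", "acme-vpn-agent", "1.9.5"),     # older than 1.10.0, though a string compare says newer
    ("db-01", "acme-db", "5.7.2-hotfix1"),     # suffix must not break the comparison
    ("lap-07", "acme-vpn-agent", "1.10.0"),
]

# Assumed days allowed to apply a patch by severity (not a figure from the post).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Date the check is run (assumed).
AS_OF = date(2024, 3, 4)


def parse_version(version):
    """Turn '1.2.10' into (1, 2, 10) so numeric components compare correctly;
    a trailing suffix such as '-hotfix1' is ignored for ordering purposes."""
    numeric = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not numeric:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in numeric.group(1).split("."))


def missing_patches(inventory, advisories, as_of):
    """One finding per (host, advisory) where the installed version predates the fix.
    Findings are ordered overdue-first, then by severity, for triage."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product != product:
                continue
            if parse_version(version) < parse_version(adv.fixed_in):
                age = (as_of - adv.published).days
                findings.append({
                    "host": host, "product": product, "installed": version,
                    "advisory": adv.id, "fixed_in": adv.fixed_in,
                    "severity": adv.severity, "days_open": age,
                    "overdue": age > SLA_DAYS[adv.severity],
                })
    findings.sort(key=lambda f: (not f["overdue"], SEVERITY_RANK[f["severity"]], f["host"]))
    return findings


def summarize(findings):
    """Counts per severity, with the overdue subset, for a management-level view."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["severity"], {"open": 0, "overdue": 0})
        entry["open"] += 1
        entry["overdue"] += int(f["overdue"])
    return summary


if __name__ == "__main__":
    results = missing_patches(INVENTORY, ADVISORIES, AS_OF)
    for f in results:
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{flag:8} {f['severity']:8} {f['host']:8} {f['product']} "
              f"{f['installed']} -> {f['fixed_in']} ({f['advisory']}, {f['days_open']}d)")
    print(summarize(results))
```

On the constructed data this reports two findings: web-01 on the critical advisory (13 days open against a 7-day deadline, so overdue) and vpn-01 on the high one (5 days open, still within its window). The version parser is there because naive string comparison calls `1.9.5` newer than `1.10.0`, a mistake that silently hides missing patches in home-grown inventory scripts.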
In our next post in this series we’ll cover the Respond function helping you to understand:
- Why response planning is all about knowing what to do after the detection
- How to understand the indicators that an attack already happened
- Necessary steps to contain an incident, combat the threat and recover from it
- The importance of applying lessons learned in your post-event activity
[1] https://www.ibm.com/security/data-breach/ citing 2019 Cost of a Data Breach
[2] https://techhq.com/2019/12/the-biggest-cyber-attack-of-2020-has-already-happened/
[3] https://www.ibm.com/security/data-breach/ citing 2019 Cost of a Data Breach
CyQu (Cyber Quotient Evaluation) from Aon is an award-winning cyber risk assessment platform.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.