Five steps to cyber resilience
– a cyber resilience plan for every SME and mid-market sized organization
Cyber advice is easy to come by for every business, but it’s harder to decipher what aspects of that advice are relevant for you as an SME or mid-market sized company.
That’s why we have developed this five-part special series to offer much more than a list of arbitrary tips that might or might not be relevant.
Over the next five blog posts, we will look at the bigger picture for your organisation and detail key actions rooted in the National Institute of Standards and Technology’s (NIST) cyber security framework.
By working through these key areas, and by drawing on both our own experience in helping businesses build their own cyber resilience and the expertise of some of the leading cyber security practitioners, we believe we can help you work towards achieving cyber resilience for your business.
The five areas of focus for Five Steps to cyber resilience for SMEs and mid-markets are:
- Identify – Understand your environment and overall cyber risk
- Protect – Implement appropriate safeguards to contain a cyber security event
- Detect – Maintain visibility into your network so you can detect intrusions
- Respond – Assume a breach will happen and have a plan in place
- Recover – Business interruption is the greatest risk; access experts to recover quickly
Step 2: Protect | Implement appropriate safeguards to contain a cyber security event
In Part 1 of our series ‘Five steps to cyber resilience’ we looked at how it’s important to identify and understand the cyber risk your business faces. For the second part in the series, we look at protecting your business and the implementation of appropriate safeguards to contain a cyber incident.
“It won’t happen to us” – the cyber myth with potentially devastating consequences for SMEs. In a recent poll by Aon of more than 1000 SMEs, 8 out of 10 said that they do not see cyber attacks or data loss as a significant risk – consequently, many are vastly under-prepared and lack even basic safeguards to protect their business.
Many of these organizations wrongly believe that their size makes them an unlikely target for cyber criminals, when in fact the opposite is true. Small to medium sized businesses are being targeted now more than ever, with over half having experienced a breach within the last year.
Less sophisticated infrastructure and weaker safeguards make these organizations an easy target, and an easy pay-out, for cyber criminals. And it doesn’t stop there; cyber criminals often see smaller companies as a way into larger organizations.
For those organizations that do understand the cyber risks to their business, many feel overwhelmed and hindered by budget constraints and limited resources. But the reality is that adequate cyber security does not need to be overly time consuming or complex. Below are some key safeguards that you can easily implement to protect your organization and make it significantly harder for hackers to breach your defences.
Where to start in protecting your business?
SMEs should start by breaking down the cyber myth and shifting internal attitudes to an “assume breach” mindset. This simple yet effective defence strategy involves working on the assumption that a breach has either already occurred or that it’s only a matter of time until it does. The strategy involves training employees to be mindful of security and to limit the trust they place in applications, services, identities, and networks, both internal and external.
Frameworks for protecting: an intro to NIST
There are various frameworks available that provide guidance on protecting the business, but this blog post will focus on the National Institute of Standards and Technology (NIST) ‘Protect’ function, which looks at reducing the number of cyber security incidents that could occur within your business and limiting the impact if one does occur.
Whilst by now you will know that you need to protect your data, you may not be aware of what steps need to be taken. Following the requirements of the ‘Protect’ function will help contain the impact of a cyber security event:
1) Identity management, authentication and access control
Never trust, always verify
Don’t allow cyber criminals to get into your network through the front door by making it easy for them to exploit weak and compromised credentials. A major shortcoming in business is the fixed mindset of security leaders. In your IT environment, privileged accounts are everywhere. IT administrators, privileged users, external vendors, and business applications all use them to access critical information systems in your network. The higher the account’s privileges, the more valuable it is to you, and unfortunately, also to cyber attackers. Privileged account credentials remain an attacker’s preferred mode of entry into an organization’s network. A carelessly managed account gives attackers the perfect entry point into your systems, letting them navigate through multiple servers undetected. Furthermore, when IT admins don’t know what employees are doing with their privileges, malicious insiders can abuse their position without anyone noticing.
Ensure that access to physical and logical assets, and to associated facilities, is limited to authorized users, processes, and devices. It’s critical to control who logs on to your network and uses your computers and other devices.
Always be on the alert for phishing: a social engineering attack in which the cyber attacker poses as a trustworthy source so that employees unknowingly click malicious links or provide personal information. These attacks, usually delivered by email, often suggest urgent action to address something that’s gone wrong, and unaware employees regularly fall victim.
2) Awareness and training:
Build a human fire wall through employee awareness training
Many successful cyber-attacks, such as the phishing described above, rely on luring employees into providing access to sensitive information: for example, an employee is tricked into clicking on a malicious link in a phishing email that installs malware on the organization’s systems. Other employee vulnerabilities include granting unauthorized access, poor management of high-privilege account access and poor password practice. Those errors can be incredibly costly, sometimes providing access to a host of sensitive data. Businesses should not wait until a breach has occurred to invest in and plan for the human component of cyber security.
Employees are, and should be, the first line of defence in protecting the company’s digital assets, which makes cyber security awareness training for all employees, contractors and any other party who uses your computers, devices, and network absolutely critical. This training equips the human element of your organization with the knowledge and skills needed to recognise and thwart a simple phishing email and other common attack methods. There are many types of awareness training available, but investment in an expert-led cyber simulation (tabletop exercise) unique to your organization is wise. More information on cyber simulations can be found here.
3) Data security:
There are only two types of companies: those that have been hacked and those that will be
Once you’ve successfully put measures in place to manage identity and access credentials and have provided your employees with the necessary training, the focus should then move to managing data security. Aside from growing cyber threats, additional pressure, through GDPR compliance requirements, is being placed on SMEs to protect personally identifiable information (PII). In dealing with such threats and compliance obligations, you will need to manage data in a way that aligns with your business’s risk strategy, managing information and records (data) to protect the confidentiality, integrity, and availability of information. Here are some key tips on the very basic requirements. If they are not already implemented, you should give them immediate attention.
- Use security software to protect data and encrypt sensitive data, at rest and in transit. Encrypting data is a good way to protect sensitive information, as it ensures that the data can only be read by the person who is authorized to access it. Encryption is especially important when sending sensitive information that other people should not be able to access. Because email messages are sent over the internet and might be intercepted by an attacker, it is important to add an additional layer of security to sensitive information within emails.
- Conduct regular backups of data and update security software. Security software should be routinely updated through a patch management system, automating those updates where possible. All software and websites have vulnerabilities that cyber attackers leverage. Software providers, such as Microsoft, routinely look for vulnerabilities and release updates and patches that fix them; your IT department should apply these as soon as they are available.
- Have a clear policy on password creation. This should include rules that enforce strong password usage, with a regular change in passwords every few months.
- Don’t allow external connections to your network. Avoid employees using USB sticks and other external devices on your office systems, especially to transfer data from one device to another. This also includes using USB ports to charge mobile phones and other electronic devices.
- Create a plan for personal devices. As an SME, it may be common practice to have employees using their own devices at work. Have a plan to provide some protection against legal repercussions covering data deletion, location tracking, and internet monitoring issues.
- Have a system for data backup and recovery. You need both a local and an off-site backup system. Important files should be backed up physically at your office, allowing for easy retrieval. However, also having an off-site copy of your files is essential for both redundancy (in case the local backup fails) and protection against catastrophe (such as a fire).
4) Information protection processes and procedures:
Get things documented, then test and audit
Within the NIST Framework, the Protect function calls for data security protection that develops and maintains security policies, processes and procedures that sufficiently protect critical data and the systems that support it. The framework also calls for the creation and management of incident response, business continuity and disaster recovery plans, as well as testing of those response and recovery plans. In preventing cyber attackers from gaining access to critical data, there’s also a need to have formal policies for the safe disposal of data files and old devices. Your IT department should always ensure that retired and reused devices and storage media have had their contents properly removed, to prevent confidential company data being retrieved further down the line.
A common mistake is thinking that reinstalling a computer’s operating system, re-formatting the hard drive or deleting specific files and folders will ensure data is erased and unrecoverable. This is not necessarily correct, and, in many cases, sensitive data is still completely accessible with freely available tools. Again, your IT department should be using a robust data destruction policy that ensures your data is unrecoverable. Reviewing audit/log records on a regular basis is also essential to know who is accessing what and when. This fits with the access control category of setting privileges based on need, but then takes it a step further by monitoring who has access to what and why they have that access.
5) Protective technology:
Reduce the attack surface
So far in this post we’ve discussed that you must control access, provide awareness education and training, and put processes into place to secure data. However, there’s a further and final need within the NIST framework: to deploy protective technology to ensure you’re maintaining cyber resilience. Remember, circumventing your protective solutions is bread and butter to cyber attackers, who are increasingly smart, operate from countries that lack the resources to tackle cybercrime and increasingly sell their know-how to less-skilled criminals. As others in your industry, including competitors, become more cyber resilient, you don’t want to be the weak one that’s preyed upon. Just as in nature, cyber attackers usually focus on the slowest and most vulnerable in the herd.
It’s crucial that you deploy the correct technical security controls, focused on removing single points of failure and reducing the ‘attack surface’ (the total sum of vulnerabilities that can be exploited to carry out a security attack). Put another way, the attack surface is the sum of the different points (the “attack vectors”) where an unauthorised user (the “attacker”) can try to enter data into or extract data from your IT environment. Keeping the attack surface as small as possible is a basic security measure. To successfully reduce your attack surface, your IT department should adopt the principle of least functionality or another approach they deem appropriate. In very practical terms, this means configuring your IT systems to provide only essential capabilities and restricting external connections and interfaces to, from, and between specific machines. In certain cases, it can also require disabling wireless access and continuously monitoring endpoints to detect, and respond to, indicators of attack.
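One practical way to check the principle of least functionality described above is to compare what a machine actually exposes with what it is supposed to expose. The following is an added example, not code from the original post or from Aon: it parses listener lines in the style of `ss -tlnp` output (the sample lines and the allowlist are constructed for the example) and reports services reachable from outside the host that are not on the list of essential capabilities.

```python
"""Least-functionality audit: externally reachable listeners vs. an allowlist."""
import ipaddress

# Constructed allowlist (hypothetical): the only services this host should expose.
ESSENTIAL_SERVICES = {443: "nginx", 22: "sshd"}

# Constructed sample in the style of `ss -tlnp` output, not captured from a real host.
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1410,fd=21))
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:* users:(("x11vnc",pid=2301,fd=4))
LISTEN 0 128 [::]:8080 [::]:* users:(("java",pid=2456,fd=9))
"""


def parse_listener(line):
    """Return (address, port, process) for one ss-style LISTEN line."""
    fields = line.split()
    addr, _, port = fields[3].rpartition(":")  # local address:port column
    addr = addr.strip("[]")                    # IPv6 addresses are bracketed
    proc = fields[5].split('"')[1] if len(fields) > 5 and '"' in fields[5] else "?"
    return addr, int(port), proc


def is_external(addr):
    """True if the socket is bound to all interfaces or a non-loopback address."""
    if addr in ("*", ""):
        return True
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or not ip.is_loopback


def audit(listing, allowed=ESSENTIAL_SERVICES):
    """Return (port, process, reason) for each externally reachable listener
    that is either not an essential service or served by an unexpected process."""
    findings = []
    for line in listing.splitlines():
        if not line.startswith("LISTEN"):
            continue
        addr, port, proc = parse_listener(line)
        if not is_external(addr):
            continue  # loopback-only services are not part of the external attack surface
        if port not in allowed:
            findings.append((port, proc, "not an essential service"))
        elif allowed[port] != proc:
            findings.append((port, proc, f"expected {allowed[port]}"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(SAMPLE_LISTENERS):
        print(f"port {port} ({proc}): {reason}")
```

Run against the sample, it flags the VNC service on 5900 and the Java service on 8080 as excess exposure while leaving the loopback-only database alone; in practice the allowlist would come from the system’s documented build standard.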
Adopting the above recommendations within the Protect function greatly strengthens your company’s ability to limit and contain the impact resulting from a cybersecurity event. Critically, it will also allow you to more rapidly identify the occurrence of a cybersecurity event by monitoring to detect anomalies and investigating to see if response is needed.
In our next post, we will cover the Detect function, helping you to understand:
- Whose responsibility is it to detect suspicious activity and events?
- How should these detections be reported and what should you do about them?
- How can you test and constantly improve your detection systems?
CyQu (Cyber Quotient Evaluation) from Aon is an award-winning cyber risk assessment platform. Learn more.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.