PC PORTAL

Experienced. Trusted. Solutions.

Business Continuity

By

UK NCSC chief highlights resilience as key to better security

Here’s a question for security professionals to ponder: why are we only ever a few clicks away from disaster? It’s inspired by a recent presentation in Dublin by Ciaran Martin, CEO of the UK National Cyber Security Centre. On a visit to Dublin earlier this month, the UK’s cybersecurity chief stressed the importance of building resilience into critical systems, and into security planning more generally.

Martin pointed out that the internet is fundamentally not designed to be secure. So, asking someone who isn’t a security expert to follow complicated advice, about using passwords for instance, is an unfair burden. “We rely on millions of citizens to do impossible things to ensure cybersecurity,” he argued.

“You have to assume that people are going to click on things; worry instead about what happens when the compromise happens,” he said. Part of this effort involves fixing things the user has very little control over, Martin said. “Whilst education and training are important, what we want to do – and this is open to debate – is to make sure the interventions are as far up the food chain as possible.”

In other words, those in charge of the Government’s social welfare payments system need to make sure it’s near-impossible for a criminal to defraud it for millions with a simple phishing email. Nor should it be possible for a single rogue individual to steal sensitive information without raising an alarm.

Damage control

Another part of a resilience strategy involves thinking about how much damage an attacker could do if they got into a system. That leads to building systems that don’t have an ‘off’ button. “Make it hard for an attacker to do systemic damage,” Martin said.

It also involves developing safe backup plans for when some part of the system isn’t available. Martin made an analogy with an air traffic control tower whose technical systems go offline. “The emphasis is not on recovering the system but [to prioritise] landing the planes in the old fashioned way,” Martin said.

The UK is already putting this approach into practice. The NCSC is working with the Bank of England while it phases out its legacy interbank payments clearance system. Part of the upgrade programme includes building in resilience, so a basic attack can’t bring down the entire system.

It’s encouraging to hear such a senior cybersecurity figure talk about the issue in these terms. Regular readers of this blog may remember Brian Honan talking about the need for resilience when developing cyber security strategies.

The post UK NCSC chief highlights resilience as key to better security appeared first on BH Consulting.

By

EU Cyber Security Month roundup – advice on staying secure

During October, BH Consulting has been sharing daily advice about digital security and privacy on its social media channels as part of EU Cyber Security Month. This blog gathers together all of these tips into a single place. As each week goes by, we will keep adding to the content, in descending order. By the end of October, it will be a single resource for security advice you can share with colleagues or friends and family.

EU Cyber Security Month – tips from week four

For week four of our campaign, we looked at ways to improve online security and privacy in our personal lives. With recent social media breaches still fresh in the memory – or at least they ought to be – it’s worth reviewing privacy settings on these sites. We shared a link to Europol’s page with excellent tips for adjusting the settings on some of the most popular social channels like Snapchat, Instagram, Twitter and Facebook.

Staying with social media, our following tip covered the risk of sharing misinformation. Sometimes we do it with good intentions, but it’s always worth checking the truth with a reliable source. As Brian blogged earlier this year, the internet is a breeding ground for urban myths and untruths. “Every time we unthinkingly share false news, we’re helping them to grow and spread.”

Our Wednesday warning covered the phenomenon of scam calls, which are still very prevalent. Apart from the nuisance value, they could be criminals tricking you into divulging bank details, or stealing your money. For this tip, we shared a link to the Office for Internet Safety, which has a range of guides on ensuring a safer online environment.

Our Thursday tip urged people to watch for suspicious web addresses and scam offers. Visiting fake websites could infect your tablet, mobile or laptop with malware – or steal your data. The consumer magazine Which has some excellent advice on how to spot fraudulent websites.

Continuing the theme from our previous message, our Friday post warned of face shopping websites. That’s a year-round risk but it’s especially true in the runup to the holiday season. As our blog from last year shows, if you plan to part with your money online, make sure you only visit safe, verified websites.

EU Cyber Security Month – tips from week three

Week three of EU Cyber Security Month began with a reminder about the importance of reading. Well researched, highly regarded reports like Europol’s IOCTA (internet organised crime threat assessment) and the Verizon Data Breach Investigations Report are valuable sources of intel.

Improving security culture is often a matter of taking some simple steps to improve readiness. The UK’s National Cyber Security Centre looks at 10 of these areas with a series of free guides. The advice includes making security a board-level responsibility, through to implementing secure configuration and managing user privileges to stop threats.

With threats and risks changing all the time – while your organisation also adapts and grows – it’s essential to stay on top of current best practice. Our Thursday tip reminded that it’s always worth refreshing your knowledge of network and information security. We linked to a quick-fire quiz from the organisers of EU Cyber Security Awareness Month. Taking the quiz might identify areas where you can up your game.

Our fourth tip of the week was aimed at organisations with mature security controls. For those with confidence in their defences but wanting to improve, a red team exercise can identify possible weak points. Here’s our blog about the benefits of red teaming.

Now that we accept that security incidents can lead to business downtime, what can we do about it? We start by making the organisation resilient. This happens through agreed processes and careful preparation so that if the worst happens, the business can keep operating. BH Consulting CEO Brian Honan has spoken about this very topic, and that was our link for the final tip of the week.

EU Cyber Security Month – tips from week two

We kicked off week two of EU Cyber Security Month with a reminder that information security covers more than just data. Having a clean desk policy at work can protect important information in physical documents, as well as computers. Here’s a good sample policy developed by SANS Institute.

Our second tip of week two covers a key starting point for any good security plan. Knowing what data you hold helps in making choices about what level of protection it will need. (This is also an important part of privacy and data protection strategy, too.) We recently blogged about classifying data in this way, referring to IBM’s recent decision to ban USB storage keys.

Day three was a reminder that data breaches and security incidents are crimes. By reporting these cases to police, victims not only help with the investigation of their own incident, they also contribute valuable information to help law enforcement tackle cybercrime.

Next, we explained how digital forensics capability can help in tracing internal security incidents. Companies with the security resources in place can set up their own digital forensics lab without needing a large investment. Having an in-house lab allows security teams to carry out inquiries into everything from a security breach to HR issues.

Rounding out our advice for the week, we focused on the importance of risk assessment. This is where security and business goals meet. The key to developing solid risk assessment is to have a repeatable approach that guides your decisions. For this tip, we linked to David Prendergast’s excellent blog with advice on developing just such a risk assessment framework.

EU Cyber Security Month – tips from week one

Our first tip raised awareness of the need to prevent CEO fraud and fake invoice scams in your business. This is easy to do and doesn’t need technical fix; it’s just a matter of changing your business processes. Anyone with access to payment systems should check with a colleague before paying money to unfamiliar accounts. Here’s a link to a recent blog we posted about this.

Tip number two covers ransomware, which is one of the most widespread security threats today. Regularly backing up your data can help you recover from a ransomware infection. You’ll find more details here.

For our third tip of the week, we looked at phishing: one of the most effective tactics in an attacker’s arsenal. One of the best investments you can make is in security awareness: train company staff to spot fake emails.

We use so many different online services and invariably, they all ask us for a password. It’s vital to use different pass phrases a password manager when logging in to these services as securely as possible. Here are our tips on what to do – and not to do – when choosing a password.

For our last tip of week one, we covered data breaches. Unfortunately, they’re all too common and there seems to be a new incident on an almost weekly basis. Planning and preparation in advance of a possible breach means you’ll be ready to react if the worst happens. In today’s climate, you’ll be judged not on having suffered a breach but how well you respond to it. Here’s our advice for putting that plan in place.

Be sure to check back as we update the page throughout October. You can also catch the daily tips as they land by following BH Consulting on Twitter or on LinkedIn.

 

The post EU Cyber Security Month roundup – advice on staying secure appeared first on BH Consulting.

By

Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most times, it’s not true. In many cases, incidents are due human error, or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats like attack types like SQL injection are known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.

 

 

The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.

By

Here’s the missing ingredient in a solid security and business continuity plan

Security incidents can cast an unforgiving light on many organisations’ readiness. They highlight the need for security programmes that go further than just fixing things when they break.

Response has been security’s classic default reaction to an incident. Something is broken, so we need to fix it. But this misses a critical ingredient: resilience. If an important system fails, organisations need to know they can continue by using alternative systems, be they technical or manual.

Resilience, not just recovery

“Security incidents invariably lead to downtime. So it makes sense to focus on resilience in security programmes, not just detection and recovery. This way, a business can continue to survive and function even if key services are disrupted or temporarily unavailable,” says Brian Honan, CEO of BH Consulting.

Last year’s ransomware outbreaks were a classic case in point. FedEx’s TNT subsidiary shipped a $300 million loss following the NotPetya infection. It took weeks to restore IT operations fully, and deliveries and sales declined during this time. The NHS in the UK cancelled 22,000 hospital appointments as it struggled to cope in the wake of WannaCry.

Steps to resilience

Brian recommends that organisations should become more resilient by integrating incident response and business continuity. He suggests the following four steps:

  • Identify key systems and services for your business
  • Look at the key risks and threats to those services
  • Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
  • Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.

Once you start talking the language of risk, you’re talking the language of business, not IT. That’s why Brian recommends getting agreement from business owners as to how the organisation manages the risks that it discovers. Suppose the assessment stage uncovers a vulnerable system. The organisation has three choices: replace the system outright, upgrade the current version, or accept the risk that the business will be unavailable for whatever time it takes to recover from downtime.

Decision time for the business

Each option comes at a price, but it’s up to the business to determine the cost it’s willing to bear. “The security professional’s role is to give the business well informed data and analysis so that they can make the appropriate decision for the business. The CSO is chief security officer, not the chief scapegoat officer,” says Brian.

There’s still vigorous debate over the meaning of resilience in the context of information security. Kelly Shortridge of Security Scorecard recently wrote a lengthy and thoughtful post that’s well worth reading. Drawing on a range of examples from far beyond security, she says security has too often focused on robustness. “Resilience is ultimately about accepting reality and building a defensive strategy around reality,” she writes. Quoting the ecological economics scholar Peter Timmerman, she adds: “resilience is the building of ‘buffering capacity’ into a system, to improve its ability to continually cope going forward.”

Another word for resilience is flexibility. That’s arguably an incomplete definition too, but the term hints at an ability to bounce back from an interruption to something approaching normal service.

The post Here’s the missing ingredient in a solid security and business continuity plan appeared first on BH Consulting.