PC PORTAL

Experienced. Trusted. Solutions.

Business Continuity

By

Ireland’s cybersecurity watchdog publishes new guidance for businesses

Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a welcome addition to the roster of material available to help organisations to develop or refine their security strategy. The team at BH Consulting has picked out key points from the guide, and added some more context and analysis.

The report’s non-technical language show that it’s clearly intended for a wide audience. In a move that’s doubtless designed to help spread the message widely, the document presents its 12 steps in three formats: as an infographic (see below), on a single page of text, and then as longer descriptions for each step.

Preparing for ‘when’, not ‘if’

Reading through the guide, it’s striking how it starts from the premise that attacks are already going on. As the introduction makes clear:

“Cyberattacks make headlines on a daily basis. It’s no longer a question of if your company will be breached, or even when, it’s likely to have happened already. The real question is whether you will know and are you prepared?”

This language echoes the Central Bank of Ireland’s 2016 guidance which warned about this risk in similarly stark terms. “Firms should assume that they will be subject to a successful cyber-attack or business interruption”, the bank said.

A resilient approach to security

The NCSC’s high-level document aims to make businesses more resilient to security incidents. That’s an approach we can all get behind. In several blogs from last year, we looked at this very issue through a business and risk lens. In one post, Brian Honan suggested a four-step process to improving resilience:

  • Identify key systems and services for your business
  • Look at the key risks and threats to those services
  • Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
  • Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.

Looking back, it’s interesting how many of the themes overlap with the NCSC guidance. As we noted at the time, this is about thinking of security as a business problem, not a technological one.

Obviously, businesses still need to put effort into preventing certain types of attacks and security incidents. But it’s arguably even more important to put measures in place to keep the business running no matter what. Resilience takes many forms: after attackers defaced the website for the Luas, the tram service kept running but it took nearly a month for the site to reopen.

The Irish National Cyber Security Centre’s 12-step activity plan.

Rather than advising a ‘big bang’ culture change to embrace security, the guide suggests using the steps as an activity plan to undertake over a 12-month period. The report spends a lot of time at a high level before getting into specific actions to take, or naming particular tools to use. In fact, the first five steps don’t look in-depth at technology. Instead, they’re about orienting a business to think about security in a systematic way.

Steps 1-4

The guide is free to download from here. Step one covers governance and organisation: that means getting senior management support for a cybersecurity plan. Next comes the step of identifying the assets that matter most. (This is a broad list, covering everything from business goals, products, and services through to people, processes technology and data infrastructure underpinning them.) The steps then follow through to identifying threats and defining risk appetite.

Steps 5-6

Interestingly, the document advises focusing on education and awareness before it covers basic technical protections. These include secure configuration, patch management, firewalls, anti-malware, removable media controls, remote access controls, and encryption.

(For organisations that prefer to skip directly to this step, the guide offers a ‘minimum baseline’ of essentials protection that includes boundary firewalls, secure configuration, patch management, malware protection, encryption and access controls.)

Steps 7-11

Step seven involves setting up the ability to monitor for suspicious activity. In another nod to the broad mix of businesses this advice applies to, the guide notes that security monitoring can range from a basic alerting system through to a more sophisticated security operations centre.

The subsequent steps cover putting in place post-incident measures. They include having a formal cyber incident management team, establishing recovery plans, and implementing extra protections to supplement the basic controls. Step 11 advises running a mocked-up exercise to test how the management would react to a security breach.

Step 12 and context

The lifecycle finishes on creating an ongoing cyber risk management lifecycle. This twelfth and final action needs to be part of ‘business as usual’, the NCSC advises. The guide strikes a fair balance between useful advice and appealing to the broadest possible audience. The ‘practical considerations’ page, which isn’t part of the 12 steps, lays out the message in simple terms. A company’s level of security will vary depending on lots of factors like the potential threats that affect it the most, the level of risk it’s prepared to accept, and the amount of budgetary and people resources it can afford to allocate.

Valerie Lyons, chief operations officer with BH Consulting, says the guide provides a really good grouping of the various areas in which to approach cyber resilience. However, she feels some areas need clarification. For example, using months as a measure could be misleading. “Identifying what matters most can take a day in a small accounting office, and take a year in a large hospital. If we take May for instance, ‘focus on education and awareness’, this should in fact be a throughout-the-year activity engrained throughout every step. However, the steps by virtue of their month-by-month presentation allow a plan to be developed,” Valerie says.

Beyond the guide: extra steps

It’s arguable that the step of creating a cyber risk management lifecycle, which the guide puts in December, should in fact be in January. “We should determine up front what the regulatory landscape looks like and the resources required to achieve it,” Valerie says.

The guide would also benefit from clear definitions of cyber resilience, and what cyber risk means to the organisation. Instead of only focusing on the threat of external attacks, businesses should weigh up the risk from their own users’ accidental or deliberate actions.

As well as the practical steps in the guide, Valerie says organisations can also run tests, red teaming exercises, and table-top scenarios to test their security. Lastly, she recommends that businesses should manage cyber risk like all other risks, and it should be led by the chief risk officer, or risk unit.

The Irish NCSC report is a welcome addition to a growing crop of business-focused security advice from trusted, independent sources. There’s a wealth of free material for businesses of all sizes that are only starting to get the security message. ENISA, the European Union agency for network and information security, regularly publishes advice which you can find here. Similarly, The UK National Cyber Security Centre also publishes excellent, easy-to-read advice. Think of it as a form of public immunisation. The more organisations are vaccinated against the most common security risks, the safer we’ll all be.

The post Ireland’s cybersecurity watchdog publishes new guidance for businesses appeared first on BH Consulting.

By

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from
fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

By

UK NCSC chief highlights resilience as key to better security

Here’s a question for security professionals to ponder: why are we only ever a few clicks away from disaster? It’s inspired by a recent presentation in Dublin by Ciaran Martin, CEO of the UK National Cyber Security Centre. On a visit to Dublin earlier this month, the UK’s cybersecurity chief stressed the importance of building resilience into critical systems, and into security planning more generally.

Martin pointed out that the internet is fundamentally not designed to be secure. So, asking someone who isn’t a security expert to follow complicated advice, about using passwords for instance, is an unfair burden. “We rely on millions of citizens to do impossible things to ensure cybersecurity,” he argued.

“You have to assume that people are going to click on things; worry instead about what happens when the compromise happens,” he said. Part of this effort involves fixing things the user has very little control over, Martin said. “Whilst education and training are important, what we want to do – and this is open to debate – is to make sure the interventions are as far up the food chain as possible.”

In other words, those in charge of the Government’s social welfare payments system need to make sure it’s near-impossible for a criminal to defraud it for millions with a simple phishing email. Nor should it be possible for a single rogue individual to steal sensitive information without raising an alarm.

Damage control

Another part of a resilience strategy involves thinking about how much damage an attacker could do if they got into a system. That leads to building systems that don’t have an ‘off’ button. “Make it hard for an attacker to do systemic damage,” Martin said.

It also involves developing safe backup plans for when some part of the system isn’t available. Martin made an analogy with an air traffic control tower whose technical systems go offline. “The emphasis is not on recovering the system but [to prioritise] landing the planes in the old fashioned way,” Martin said.

The UK is already putting this approach into practice. The NCSC is working with the Bank of England while it phases out its legacy interbank payments clearance system. Part of the upgrade programme includes building in resilience, so a basic attack can’t bring down the entire system.

It’s encouraging to hear such a senior cybersecurity figure talk about the issue in these terms. Regular readers of this blog may remember Brian Honan talking about the need for resilience when developing cyber security strategies.

The post UK NCSC chief highlights resilience as key to better security appeared first on BH Consulting.

By

EU Cyber Security Month roundup – advice on staying secure

During October, BH Consulting has been sharing daily advice about digital security and privacy on its social media channels as part of EU Cyber Security Month. This blog gathers together all of these tips into a single place. As each week goes by, we will keep adding to the content, in descending order. By the end of October, it will be a single resource for security advice you can share with colleagues or friends and family.

EU Cyber Security Month – tips from week four

For week four of our campaign, we looked at ways to improve online security and privacy in our personal lives. With recent social media breaches still fresh in the memory – or at least they ought to be – it’s worth reviewing privacy settings on these sites. We shared a link to Europol’s page with excellent tips for adjusting the settings on some of the most popular social channels like Snapchat, Instagram, Twitter and Facebook.

Staying with social media, our following tip covered the risk of sharing misinformation. Sometimes we do it with good intentions, but it’s always worth checking the truth with a reliable source. As Brian blogged earlier this year, the internet is a breeding ground for urban myths and untruths. “Every time we unthinkingly share false news, we’re helping them to grow and spread.”

Our Wednesday warning covered the phenomenon of scam calls, which are still very prevalent. Apart from the nuisance value, they could be criminals tricking you into divulging bank details, or stealing your money. For this tip, we shared a link to the Office for Internet Safety, which has a range of guides on ensuring a safer online environment.

Our Thursday tip urged people to watch for suspicious web addresses and scam offers. Visiting fake websites could infect your tablet, mobile or laptop with malware – or steal your data. The consumer magazine Which has some excellent advice on how to spot fraudulent websites.

Continuing the theme from our previous message, our Friday post warned of face shopping websites. That’s a year-round risk but it’s especially true in the runup to the holiday season. As our blog from last year shows, if you plan to part with your money online, make sure you only visit safe, verified websites.

EU Cyber Security Month – tips from week three

Week three of EU Cyber Security Month began with a reminder about the importance of reading. Well researched, highly regarded reports like Europol’s IOCTA (internet organised crime threat assessment) and the Verizon Data Breach Investigations Report are valuable sources of intel.

Improving security culture is often a matter of taking some simple steps to improve readiness. The UK’s National Cyber Security Centre looks at 10 of these areas with a series of free guides. The advice includes making security a board-level responsibility, through to implementing secure configuration and managing user privileges to stop threats.

With threats and risks changing all the time – while your organisation also adapts and grows – it’s essential to stay on top of current best practice. Our Thursday tip reminded that it’s always worth refreshing your knowledge of network and information security. We linked to a quick-fire quiz from the organisers of EU Cyber Security Awareness Month. Taking the quiz might identify areas where you can up your game.

Our fourth tip of the week was aimed at organisations with mature security controls. For those with confidence in their defences but wanting to improve, a red team exercise can identify possible weak points. Here’s our blog about the benefits of red teaming.

Now that we accept that security incidents can lead to business downtime, what can we do about it? We start by making the organisation resilient. This happens through agreed processes and careful preparation so that if the worst happens, the business can keep operating. BH Consulting CEO Brian Honan has spoken about this very topic, and that was our link for the final tip of the week.

EU Cyber Security Month – tips from week two

We kicked off week two of EU Cyber Security Month with a reminder that information security covers more than just data. Having a clean desk policy at work can protect important information in physical documents, as well as computers. Here’s a good sample policy developed by SANS Institute.

Our second tip of week two covers a key starting point for any good security plan. Knowing what data you hold helps in making choices about what level of protection it will need. (This is also an important part of privacy and data protection strategy, too.) We recently blogged about classifying data in this way, referring to IBM’s recent decision to ban USB storage keys.

Day three was a reminder that data breaches and security incidents are crimes. By reporting these cases to police, victims not only help with the investigation of their own incident, they also contribute valuable information to help law enforcement tackle cybercrime.

Next, we explained how digital forensics capability can help in tracing internal security incidents. Companies with the security resources in place can set up their own digital forensics lab without needing a large investment. Having an in-house lab allows security teams to carry out inquiries into everything from a security breach to HR issues.

Rounding out our advice for the week, we focused on the importance of risk assessment. This is where security and business goals meet. The key to developing solid risk assessment is to have a repeatable approach that guides your decisions. For this tip, we linked to David Prendergast’s excellent blog with advice on developing just such a risk assessment framework.

EU Cyber Security Month – tips from week one

Our first tip raised awareness of the need to prevent CEO fraud and fake invoice scams in your business. This is easy to do and doesn’t need technical fix; it’s just a matter of changing your business processes. Anyone with access to payment systems should check with a colleague before paying money to unfamiliar accounts. Here’s a link to a recent blog we posted about this.

Tip number two covers ransomware, which is one of the most widespread security threats today. Regularly backing up your data can help you recover from a ransomware infection. You’ll find more details here.

For our third tip of the week, we looked at phishing: one of the most effective tactics in an attacker’s arsenal. One of the best investments you can make is in security awareness: train company staff to spot fake emails.

We use so many different online services and invariably, they all ask us for a password. It’s vital to use different pass phrases a password manager when logging in to these services as securely as possible. Here are our tips on what to do – and not to do – when choosing a password.

For our last tip of week one, we covered data breaches. Unfortunately, they’re all too common and there seems to be a new incident on an almost weekly basis. Planning and preparation in advance of a possible breach means you’ll be ready to react if the worst happens. In today’s climate, you’ll be judged not on having suffered a breach but how well you respond to it. Here’s our advice for putting that plan in place.

Be sure to check back as we update the page throughout October. You can also catch the daily tips as they land by following BH Consulting on Twitter or on LinkedIn.

 

The post EU Cyber Security Month roundup – advice on staying secure appeared first on BH Consulting.

By

Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most times, it’s not true. In many cases, incidents are due human error, or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats like attack types like SQL injection are known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.

 

 

The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.