PC PORTAL

Experienced. Trusted. Solutions.

Risk Management

By

Here’s the missing ingredient in a solid security and business continuity plan

Security incidents can cast an unforgiving light on many organisations’ readiness. They highlight the need for security programmes that go further than just fixing things when they break.

Response has been security’s classic default reaction to an incident. Something is broken, so we need to fix it. But this misses a critical ingredient: resilience. If an important system fails, organisations need to know they can continue by using alternative systems, be they technical or manual.

Resilience, not just recovery

“Security incidents invariably lead to downtime. So it makes sense to focus on resilience in security programmes, not just detection and recovery. This way, a business can continue to survive and function even if key services are disrupted or temporarily unavailable,” says Brian Honan, CEO of BH Consulting.

Last year’s ransomware outbreaks were a classic case in point. FedEx’s TNT subsidiary shipped a $300 million loss following the NotPetya infection. It took weeks to restore IT operations fully, and deliveries and sales declined during this time. The NHS in the UK cancelled 22,000 hospital appointments as it struggled to cope in the wake of WannaCry.

Steps to resilience

Brian recommends that organisations should become more resilient by integrating incident response and business continuity. He suggests the following four steps:

  • Identify key systems and services for your business
  • Look at the key risks and threats to those services
  • Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
  • Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.

Once you start talking the language of risk, you’re talking the language of business, not IT. That’s why Brian recommends getting agreement from business owners as to how the organisation manages the risks that it discovers. Suppose the assessment stage uncovers a vulnerable system. The organisation has three choices: replace the system outright, upgrade the current version, or accept the risk that the business will be unavailable for whatever time it takes to recover from downtime.

Decision time for the business

Each option comes at a price, but it’s up to the business to determine the cost it’s willing to bear. “The security professional’s role is to give the business well informed data and analysis so that they can make the appropriate decision for the business. The CSO is chief security officer, not the chief scapegoat officer,” says Brian.

There’s still vigorous debate over the meaning of resilience in the context of information security. Kelly Shortridge of Security Scorecard recently wrote a lengthy and thoughtful post that’s well worth reading. Drawing on a range of examples from far beyond security, she says security has too often focused on robustness. “Resilience is ultimately about accepting reality and building a defensive strategy around reality,” she writes. Quoting the ecological economics scholar Peter Timmerman, she adds: “resilience is the building of ‘buffering capacity’ into a system, to improve its ability to continually cope going forward.”

Another word for resilience is flexibility. That’s arguably an incomplete definition too, but the term hints at an ability to bounce back from an interruption to something approaching normal service.

The post Here’s the missing ingredient in a solid security and business continuity plan appeared first on BH Consulting.

By

Ransomware reminders force focus on prevention and planning

Ransomware reared its ugly head again recently, with some stark reminders that it’s still a serious business risk. A household name suffered what seemed a major infection, while it emerged that many victims never get their data back.

Last week, Boeing narrowly avoided a tailspin after a senior engineer alerted colleagues of a WannaCry infection. It appeared to threaten vital aircraft production systems, though after an investigation, Boeing described it as a “limited intrusion”.

Financial impact of ransomware

Boeing’s experience shows that companies face a financial impact beyond paying a ransom if criminals encrypt their data. Ransomware infections can also cause huge disruption as IT teams scramble to lock down the source and prevent further spread. At the time of writing, the city of Atlanta, Georgia was still restoring systems 10 days after an attack of the SamSam ransomware. The incident reportedly affected at least five municipal departments, disabling some city services and forcing others to revert to paper records.

According to SANS, in the past six months at least three other US companies suffered work stoppages due to WannaCry infections. Last year, more than 80 organisations in the UK National Health Service shut down their computers. All told, WannaCry led to 20,000 cancelled appointments, 600 GP surgeries using pen and paper, and five hospitals diverting ambulances.

Criminals don’t give money-back guarantees

Facing similar scenarios, many organisations might choose to pay up rather than risk prolonged disruption, lost revenue or angry customers. But recent surveys might cause them to pause before parting with their cash. A report from CyberEdge found that 51 per cent of ransomware victims who paid the ransom never got their files back. A separate study from SentinelOne had similarly depressing news. It found that 45 per cent of US companies infected last year paid at least one ransom, but only 26 per cent of them had their files unlocked afterwards.

BH Consulting advises victims not to pay the ransom. As the surveys above tell us, payment is no guarantee of recovering files. “Criminals prove to be untrustworthy” was The Register’s snarky but accurate take on the story. Paying also encourages criminals that a business is an easy mark. TechRepublic noted that 73 per cent of organisations that paid the ransom were targeted and attacked again.

Take preventative steps

The key with ransomware is to prevent it before it spreads. Last year, BH Consulting published a guide to preventing ransomware infections just as some of the biggest outbreaks took hold. The document includes technical and business-process steps to avoid further infection. Given the latest developments, now seems like a good time to revisit those recommendations. They include:

  • Review and regularly test backup processes – still the most effective way to recover
  • Establish a baseline of normal network behaviour – unusual activity will be easier to spot
  • Segment your network – this will limit the ability of worms and other infections to spread
  • Implement ad blocking – to stop compromised adverts from delivering malware
  • Review security of mobile devices – because ransomware is migrating to mobiles

You can download the free guide here. Another useful resource is the NoMoreRansom initiative, which is a partnership between law enforcement and industry. It provides free tools to decrypt  many common types of ransomware. BH Consulting is among the partners from across the private and public sectors.

Let’s wrap up with some encouraging news. The CyberEdge report found that just 13 per cent of companies that refused to pay lost their files. In other words, 87 per cent subsequently recovered their data. It bears repeating: prevention, not payment, is a better way to keep ransomware out of your business.

The post Ransomware reminders force focus on prevention and planning appeared first on BH Consulting.

By

Here’s how to get the most from a cybersecurity assessment

Would your organisation pass a cybersecurity assessment? Not one of 200 UK NHS trusts did, after the Department of Health checked them following the WannaCry ransomware outbreak.

The NHS trusts’ complexity meant the assessments set a high bar. But for many SMEs, the assessments identify opportunities to improve, rather than obstacles to overcome. They show an organisation’s current security levels and spot potential gaps.

That’s becoming ever more important as cybercrime continues to rise. One recent survey found that the average SME website is attacked 44 times a day. We also know that many common security attacks exploit well-known vulnerabilities.

The test criteria

To find out what’s involved in a cybersecurity assessment, I asked Stephen Rouine, cyber risk specialist at BH Consulting. Here are some of the common things he looks for when he carries out an assessment:

  • Boundary firewalls and internet gateways protecting the outside
  • Does the organisation scan for malicious URLs and warn users if they visit an infected site?
  • Secure configurations on servers, laptops, or phones. Does each device have antivirus software? Do screens automatically lock themselves if the device is idle?
  • What antivirus software is the organisation using, how is it configured and is it the latest version?
  • Do all users have administrator accounts or privileges on their systems?
  • How does the organisation manage patches for keeping software or operating systems up to date? Is this manual, in-house or does it use a third-party company?

Following the questionnaire and visit, the client receives a report with findings and recommendations of any changes needed. These will address some of the basic security gaps that might emerge during the assessment. For example, they might need to disable the autorun feature that opens a USB key once it’s plugged into a Windows machine. Ideally, users should manually navigate to the USB key before opening any files, and the antivirus package should scan the key’s contents first.

The time commitment

For most SMEs, the on-site visit and questionnaire process takes around half a day. Any follow-up actions usually take a similar amount of time. So, the company can improve its security for a minimal commitment of time and resources. Stephen emphasised that it’s important for senior management to commit to the assessment and certification process.

Once it has met and passed all of the assessment criteria, the company can apply for Cyber Essentials certification. This is an independent, international standard that growing numbers of organisations are adopting.

The business benefits outweigh the time and cost involved, Stephen added. Reaching the standard will protect the business from many common attacks and compromises. It shows customers and suppliers that the business takes security seriously. “Most of our clients see it as a necessary first stage of getting more secure. In the case of one client, Cyber Essentials allows them to go to tender with UK government agencies, so it opened up their client base,” Stephen said.

It’s also worth pointing out that maintaining security is an ongoing process, not a once-yearly exercise. Threats and risks are changing all the time. Completing an assessment and applying for Cyber Essentials certification puts businesses at the security starting blocks, not the finish line. As Stephen pointed out: “It’s important to state that this check will only prevent basic attacks and security incidents, but it may not be enough to protect from sophisticated intrusions.”

For more details on BH Consulting’s cybersecurity assessment service, visit this page.

 

 

The post Here’s how to get the most from a cybersecurity assessment appeared first on BH Consulting.