The reality for most organisations is that, despite their best cyber defences, they are going to experience a cyber-attack at some point. A resilient cyber security programme is all about the ability to not only deter and resist attacks – but also to detect and recover from them, returning to normal operation with minimal downtime.
Government has urged all sectors of the UK business community to improve their resilience to cyber-attacks and has introduced several initiatives to support this – such as the Cyber Essentials Scheme (CES). Of necessity, these initiatives are supportive in nature – it is still down to individual organisations to put into place the necessary strategy and technology to improve their resilience to cyber-attack.
Of course, cyber security requirements will vary greatly from one organisation to another. That’s why to do this effectively will require the organisation to appreciate a number of factors and address them specifically.
Here are seven steps to address in designing a programme that meets your organisational needs.
Step 1: Your threat profile
The threat facing each organisation may differ widely, depending upon the degree of exposure or dependence upon Internet services (such as cloud or web presence). For example, an organisation whose core business is based on e-commerce is going to have a completely different threat profile to one whose Internet usage is limited to email and web browsing.
What threats apply to your business model and the sector you operate in?
Step 2: Your existing information security provision
The maturity and scope of your existing information security provision is also a key factor. You may be surprised to discover that an organisation with an effective Information Security Management System (ISMS) certified against ISO 27001:2013 does not necessarily have an effective level of cyber resilience.
The Cybersecurity Capability Maturity Model C2M2 can be used to perform a gap analysis to understand the shortfall in your existing provision. It defines ten domains for analysis and four maturity indicator levels.
Step 3: Your regulatory requirements
The regulatory requirements for organisations vary widely and may be dependent on the business sector (financial services, nuclear power, telecommunications) or the nature of information being processed (data protection, government supply chain).
What regulatory requirements apply to the sector you operate in?
Step 4: Your customer expectations
Customer expectations are increasingly a major factor, with the growing awareness of cyber security risks within supply chains. The arrival of structures such as the Cyber Essentials Scheme (CES) or the MOD Defence Cyber Protection Partnership (DCPP), although primarily created for the public sector, have a widespread effect throughout the supply chain. It is likely that similar requirements will be put into place by large private-sector procurers in the future.
Step 5: Your level of risk
The likelihood of a risk happening is related to threat – where there is a significant threat, the likelihood of an event is potentially higher. For example, social engineering (such as a phishing email) represents a high threat because, without training, it is likely that average users would be coerced by such an attack. Phishing emails happen daily or weekly, so the likelihood is high.
It is, therefore, a good idea to consider the current risk (reduced by existing controls such as ISO 27001/2) and to determine the appetite for accepting the risk, which is the desired risk level. The US National Institute for Standards and Technology NIST framework can be used directly to perform a risk assessment by understanding the likelihood and impact of an absence of each of the categories identified by the framework. This will generate about 30 high-level risks and several sub-categories.
Step 6: Your people and training
You’ve heard the line that “people are the weakest link in cyber security”. It is a common mistake to focus exclusively on technical controls to support cyber resilience. It ignores the high level of dependency on people “doing the right thing” and we know that they often don’t. This means that user education and awareness training is a key control that should be put in place as early as possible.
User awareness training has two dimensions: That provided to all staff and the specific training requirements for staff with direct responsibility for cyber security (such as systems administrators, help desk staff and procurement officers). Some form of training needs analysis (TNA) is recommended to understand who needs training, for what purpose and how often.
Step 7: Your policies and governance
To support awareness, there is a need for policies to define what is needed or permitted by the organisation. Policies support governance, which in part can be considered as the measurement of compliance. To permit this, policies should be designed so that compliance can readily be measured. The same approach applies to technical or procedural controls – these should be designed so that effectiveness and compliance can be measured.
There is no “one size fits all” cyber security strategy; the requirements (and starting point) for each organisation may differ radically even between those organisations that operate in the same industry.
The development of a resilient cyber security programme must be tailored to meet the needs of an organisation, ideally, this should be based on a realistic assessment of risks and risk appetites.
Further guidance on developing a Cyber Security Programme
This blog is based on a paper by Ascentor which explains an approach to the development of a cyber security strategy, using widely-available information that can be tailored to suit each organisation.
The paper explores off-the-shelf toolkits available to support the entire lifecycle of a cyber security programme and identifies three such toolkits that should address virtually every aspect of delivering cyber resilience.
Download the paper from Ascentor’s resources page.
For further information
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James, MD at Ascentor.