Why cyber security has to be more than a tick box exercise
Before we delve into modern-day cyber security strategies, let’s take a look back at the ever-changing threat landscape. Because traditional “tick box” security methods used to do the job just fine. But, as the threat landscape becomes more and more sophisticated – so must our response.
A huge amount has changed since we first saw the mass popularisation of computer technology.
The origins of ‘the computer virus’ are much disputed. It’s generally accepted that The Creeper Worm (1971) was the first “computer worm”. It was a self-replicating programme that could spread to other computers. While not actively malicious, it was annoying, flashing the message “I’M THE CREEPER; CATCH ME IF YOU CAN”
Before the days of virus scanners and cleaners, 15-year-old Rich Skrenta spread his Elk Cloner (1981) virus via a floppy disk containing a game. It infected the Apple DOS 3.3 operating system by hiding in the computer’s memory. When an uninfected disk was inserted into the computer, the entire DOS (including Elk Cloner) would be copied to the clean disk. And from there it spread. Again, this virus was just an annoying prank – showing a blank screen and a poem to the disgruntled gamer. But it is considered to be the first genuine ‘in the wild’ virus.
And then there’s the AIDs trojan (AKA PC Cyborg), the first documented ransomware which appeared in 1989. Created by a biologist, Joseph Popp, PC Cyborg handed out 20,000 infected disks to attendees of the World Health Organization’s AIDS conference. The disks were labelled “AIDS Information – Introductory Diskettes”, and included leaflets warning that the software would “adversely affect other program applications” and also stated, “you will owe compensation and possible damages to PC Cyborg Corporation and your microcomputer will stop functioning normally”.
Similarly, there are several competing claims to the first proper anti-virus software. Some people consider The Reaper (1972) the first anti-virus software ever written but others insist that it wasn’t until 1987 when the first proper anti-virus products hit the market (including the wonderfully named Ultimate Virus Killer for the Atari).
While all alarming at the time, they were much easier to resolve than the complex ransomware viruses we’re continually faced with today. Cyber hackers have become incredibly sophisticated with the process more industrialised than ever. As a result, cyber insurance premiums have gone through the roof, increasing by more than 90% in the final quarter of 2021 alone. What’s more, insurers are likely to turn business away if companies can’t show a coherent security strategy.
As malicious viruses evolve, we need to develop the best strategies to protect our users, our businesses and our intellectual property.
Balancing people, process and technology
Where a simple over the counter anti-virus programme may once have been sufficient to maintain a decent level of online safety, using this alone won’t be enough to stop bad actors, or fulfil cyber insurance requirements. Some of you will be familiar with Cyber Essentials, PCI-DSS, ISO27001 and CREST, but how do we make sure we have the processes, people and technology to backup those certificates on the website?
Ultimately it’s people who will deploy and manage whichever cyber security option you choose. Likewise, it’s people who will monitor the alerts that the software flags and it’s people who will make the crucial, time sensitive decisions when a breach does happen. Most importantly though, it’s people, not AI or software packages, who know your business, know the people in your business and know where the most significant weaknesses and threats are. Without the right people in place, the effectiveness of any technology will be inherently limited.
Software still has a role to play, for sure. For example, it can be extremely effective for detection. But crucial to establishing a strong security posture is having skilled people in place to act on the threats that software detects. It is only by achieving the right balance of ‘people, process and technology’ that a truly effective defence against the more sophisticated cyber-attacks can be established.
Start by having a proper look under the bonnet
When you’re looking at your cyber defence strategy it can be hard to know where to start. But we recommend taking a good look under your bonnet to discover any underlying issues or weaknesses.
In the same way you’d take your car to a thorough mechanic (rather than the dodgy one that you know cuts corners) that’s what you’d do with your current security posture. Once you have a full and honest picture of where the gaps, weaknesses and faults are – you can start to build out the right processes, draft in the right skills, and investigate the best technology or services to support your business needs.
It’s all about taking a more holistic view of your security posture. Rather than hedging all your bets on a piece of detection software, think about the people that action the response, and the processes that support good cyber hygiene 365 days a year (not just when audits roll around).
11 tips to build a more holistic cyber security strategy
We know taking that more holistic view can be daunting, especially if you don’t have a significant level of base knowledge. Don’t worry though, we’re here to help. That’s why, together with our friends at e2e-assure, we’ve pulled together these top 11 tips to establishing a strong and robust cyber security posture.
- Take responsibility – taking responsibility for your business’s cyber risk has to be the starting point. This means the buck stops with the CEO/Board. Help can come, either internally or externally, but someone has to own that risk. And that means ensuring the right people are in place to give you confidence that you’ve mitigated that risk as far as possible. Confusion as to who owns a company’s cyber risk, or a culture of passing the buck, are not compatible with a robust and effective cyber security strategy.
- Audit your IT assets – a huge number of organisations, of all sizes, can’t say for sure how many IT assets they have, where they are or what they should be interacting with on any given day. Knowing exactly what your network looks like is the first step on the road to establishing a robust security posture. If you don’t know what normal looks like (e.g. certain users running PowerShell or downloading big files) then it’s harder to spot real threats and you can waste a lot of time dealing with false positives.
- Review current policies through a security lens – cyber security is a company-wide issue. Don’t just assume your cyber security and IT policies will cover all security requirements, or that your IT team is the only part of the business that needs to know about it. Go back and review your non-cyber policies to ensure they cover security considerations alongside their main focus. Also think about rolling out some training for all staff to educate in some basic cyber security dos and don’ts.
- Ensure your organisation is using multi-factor authentication (MFA) – even the most basic two-step verification, like a phone number to text a code to, can massively improve your organisation’s cyber security. Google found that just having a recovery phone number “can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks”. Of course, it’s not fool-proof, but it’s certainly better than not having anything in place.
- Try the NCSC’s ‘exercise-in-a-box’ tool – this tool allows organisations to test just how resilient they are when it comes to cyber-attacks. It allows you to practice your responses in a safe environment, covering technical, people and process. Our advice? Don’t leave it until you’re actually being attacked to test how well you can respond.
- Baseline with Cyber Essentials – As we’ve already said, certifications aren’t the be all and end all when it comes to cyber. Having said that, if you just need somewhere to start then Cyber Essentials is great. It will help you prioritise the basics that every organisations should have, even if you’re starting from a completely blank slate.
- Patch, patch, patch – at the risk of repeating ourselves, basic hygiene is critical to better cyber security. Ensuring your devices, systems and networks are patched regularly is absolutely crucial to this.
- Reduce admin accounts – trust us, you almost certainly don’t need as many admin accounts as you have. Following the principle of least privilege (POLP) is a good starting point. Reduce admins to the minimum required and reduce rights of admins to the minimum required. Remember not all admins will need the same access rights.
- Reduce your technology footprint – technology is often touted as critical to improving cyber security. And there are certainly some brilliant tools out there. However, be sure to review your tech stack regularly and make sure you actually need (and use!) everything you have. More technology means more things that might not be correctly installed or fully patched (and more tools that may have a zero-day exploit that patching can’t yet fix). That means a larger attack surface for threat actors to exploit.
- Read the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) – the NCSC’s CAF guidance lets you review your security posture holistically. It’s a good starting point to prioritise future investments in cyber security to plug your biggest gaps.
- Bring employees along with you – it’s important to benchmark and improve employee awareness. If you can create a no-blame culture then potential security risks get raised more readily by employees, without the fear of it impacting their standing at work.
Noble intentions create the best security posture
Good cyber security posture is all about taking action for the right reasons. If you’re motivated by supporting your staff, protecting your customers and creating good relationships with your suppliers then you’re already on the right track.
However, if your motivation is more about one of these factors then you’re off to a good start:
– Supporting your employees – Your staff’s data is as important as your customers’ so it’s important that it’s secure, first and foremost. After that though, ensuring the appropriate training and support is in place to maintain best practice across your business is really important. It helps prevent mistakes and means that when an issue does arise there is appropriate support already in place.
– Supporting customers – Everyone wants to know that the companies they are buying from treat the safety of their data seriously. If they don’t then they won’t buy from them. What’s more a company that has a solid security posture should be better placed to provide products and services more consistently. That’s because they are less likely to suffer down time or periods where they are unable to complete orders.
– Supporting suppliers – Again, companies should want to protect data belonging to their suppliers. It’s part of maintaining a good relationship and ensures that the supply chain remains intact.
– Growing the business – When conducting business online, a strong security posture is increasingly important for individuals and businesses alike. From something as simple as the padlock in your browser window, to more complex requirements for businesses looking to engage in large scale technology projects good practice when it comes to cyber security is increasingly providing a competitive advantage.
All of these principles are what form the backbone of iomart Security. If you’d like to know more about how you can improve your business’s cyber security posture, then please get in touch.