
Making your business cyber resilient

Oct 11, 2018

With spending on cybersecurity products expected to top the $113 billion mark by 2020 and reports of data loss making the headlines almost daily, why in the age of mature cybersecurity products do large-scale breaches continue to happen?

Cyber-criminals are employing tools of increasing complexity and deploying them in sophisticated ways, with the same level of organisation, and the same artificial intelligence and machine-learning capabilities, that security professionals aspire to possess.

The arrival of strong end-to-end encryption in readily available messaging apps, together with the layered anonymity of the ‘dark web’, means the likelihood of attackers being detected has fallen dramatically.

A Distributed Denial of Service (DDoS) attack can be hired for as little as $7.00 per hour, while the cost of mitigating one is estimated at over $100,000 per hour. Incredibly, this puts the price of mounting an attack on a par with a trip to the cinema, and it has created a lucrative ‘gun for hire’ marketplace on the internet. Distance, time of day and the innocence of the target are irrelevant if the price is right and a return on investment can be realised. Making money is the real motivation behind current cyber-criminal activity.

Cyber resilience

Many organisations note the need to embrace emerging technology without explicitly identifying and managing the cybersecurity risks that come with it, which suggests that effort and resources are being misdirected when dealing with the risks and opportunities of applying technology within the business. A different way of thinking about how we secure our assets, one that evolves from the traditional models and is designed to reduce the risk of a ‘hit’ from whichever direction it comes, is called cyber resilience.

Cyber resilience is the ability to prepare for, withstand, rapidly recover from and learn from deliberate attacks or accidental events online. Cybersecurity is a key element of resilience, but cyber-resilient organisations recognise that operating safely in a digital environment goes far beyond purely technical measures. By building an end-to-end understanding of cyber risks and threats, and aligning them with business objectives, businesses can take the appropriate measures to protect their digital assets and make the most of the opportunities available online.

Cyber resilience also creates opportunities to increase the security awareness of staff, management and the board, reducing risky behaviour and creating a clear line of sight between business objectives, digital strategy and cybersecurity implementation.

Practical steps

As a starting point, board members should consider the following areas of focus. Many of these steps can be taken at minimal incremental cost:

Identify critical assets: both key systems and information assets. It is essential to understand what you are trying to protect, and to base investment decisions on cyber defence on the most critical assets.

Risk assessment: a risk assessment will show how the threats to those assets are currently managed, identify and prioritise further mitigating actions, and ensure an ongoing focus on the issue at board level.

Incident response: decide how critical each identified key system is to your business and, in the event of an attack or disruption, how quickly you would need to restore it. Critical systems should be restored first, and the response plan should be rehearsed before it is needed, because the minutes and hours after an event are decisive.

Review your own general IT control environment: from maintaining up-to-date policies and procedures, through to regularly reviewing access and user rights to the network and key applications, and removing them promptly when staff leave or change role. Consider limiting the use of removable media. All laptops and removable media should be encrypted and regularly scanned for malware.

Staff awareness: staff are a critical element of cyber defence, particularly against cyber fraud, phishing, data theft, data corruption and the spread of malware. Ensure they understand corporate policies covering the acceptable and secure use of IT equipment, and know how to report anything suspicious.

Network security: seek support from IT specialists to ensure robust network access controls (including user and device authentication) and defences such as firewalls, antivirus and anti-malware. All systems and networks should be continuously monitored for unusual activity and for attempted or actual attacks.

System updates and security patches: ensure that system software updates and security patches are applied promptly as they become available, prioritising patches for critical systems and internet-facing services.

Data management: cyber attacks often target company data, whether to corrupt it, steal it or hold it to ransom. All companies should take stock of their data management policies, procedures and processes, hold only the data that is essential to the business, and reinforce controls to ensure data is stored securely.

Cloud-based services: take care to obtain assurance from third-party cloud providers, with their obligations embedded in contracts, particularly regarding business continuity, the security of systems and data, and timely reporting of any attempted or successful attacks on their systems.

Mike Daughton is a Partner in Risk Consulting and Tony Hughes is an Associate Director in Cyber Security Services at KPMG in Ireland. Tony also lectures on the Certificate in Cyber Security and Data Incident Management course at Chartered Accountancy Ireland.