The digital age has brought many benefits and opportunities to organisations, allowing transformation into new markets, building in areas of efficiency and resource, as well as introducing new methods of delivering product to end users. But during all this technical development, there has been a significant growth in the security issues facing organisations, which is why cyber security as an industry has grown significantly over the last few decades.
Often cyber security is viewed as an enterprise level service, affordable only by the top tier organisations with significant financial and human resource capability to derive true value from it. However, SME’s and start-ups are not exempt from cyber security challenges – if you haven’t already checked out our blog on the primary concerns from a data security perspective and how they affect SME’s, you can do so here.
In this week’s blog we will break down how an organisation can build out a cyber security strategy that is clear, repeatable and effective. Whether you are looking to improve your existing strategy, or starting from scratch, this guide should help you map out the key areas of focus to deliver success for your organisation.
Are you looking to develop a website, web or mobile application? Or looking to develop your brand image or logo design? Get in touch today at sales@digif9.co.uk to receive a completely bespoke proposal for your requirements!
WHAT IS A CYBER SECURITY STRATEGY?
A cyber security strategy consists of a series of high level plans for how an organisation will secure its assets – both physical and technical, and in doing so minimise the risk to cyber attacks from threat actors. There are two terms that are often thrown about – Policy and Procedure, where the distinction is important.
Policies are a series of high level plans and documents that outline what is permitted by an organisation. This could include an Acceptable Use Policy for devices, outlining what is permitted for users to do on corporate devices. A Procedure takes these high level requirements from a Policy and outlines how exactly they will be implemented and enforced, for example which users are responsible for administrating and auditing use of corporate devices in order to verify if the policy has been broken.
One of the biggest challenges in the digital world is that environments and technology is consistently changing, and in doing so Policies need to be regularly revised and updated. This highlights the need for them to be a living, breathing document, such as in Wiki format, or stored on a repository such as SharePoint to track changes and revisions. These strategies act as a blueprint for the organisation to guide key stakeholders in maintaining the overall security.
STRATEGY GOALS?
One failing of any strategy, or any high level plan for that matter, is not correctly setting goals. If goals aren’t correctly set, how can you truly judge performance? There are a number of different mechanisms available to set goals, a personal favourite of mine are SMART goals;
- S: Simple
- M: Measurable
- A: Achievable
- R: Realistic
- T: Time Based
Whilst Simple, Achievable and Realistic are definitely important, I believe the most important are goals are Measurable and Time Based. This helps you define exactly what you want to see over a specific time period – if you outline ten areas of focus for the next year and at the year-end review you have met seven of those objectives, from a high level you can see a 70% achievement in meeting those goals. This then allows you to reassess when setting the next set of objectives;
- Were these objectives realistic and achievable in that timescale?
- Do we need to provide additional resource to achieve this?
- Do we need to prioritise objectives moving forward?
Again, the last one is the most important. My years in the cyber security sector have taught me a very important lesson – time is a luxury that security professionals don’t have. Unless an organisation has significant resources available, including float or resources on the ‘bench’ so to speak for hectic times, it is likely that you will need to prioritise.
Prioritisation is most effectively completed using a risk assessment – again there are multiple frameworks here to use, but in my experience an Impact & Probability matrix is a really effective mechanism.
Here you quantify the Severity of an incident or issue occurring, and the Probability or likelihood that it could occur. These mechanisms aren’t always effective however, as the COVID-19 Pandemic will highlight – if an organisation was outlining their risks in January 2020, a pandemic would probably have been an incredibly unlikely scenario to occur! But using this matrix you should determine the overall Risk score per incident and use this as a basis to prioritise mitigation.
BEING PROACTIVE
Anyone experienced in the risk space will understand that being in a proactive camp is a much more stable and enjoyable environment to being reactive. In the cyber security space this couldn’t be more true – reactive security typically means an incident has already occurred and its panic stations. There could potentially be pressure from senior level staff, negative media attention and anger from clients – which all contribute to a highly stressful environment. In an ideal world we would be proactive, however this is not always easy. So how exactly can security professionals be more proactive in response to security challenges?
- Having a clear view of your organisational estate – both digitally and physically
- Conducting threat modelling to identify threat actors and methods of attack
- Periodically performing penetration testing, red & blue teaming exercises
- Using both internal and external reviewers and auditors
- Utilising threat intelligence sources to understand industry challenges
A proactive culture needs to be embedded throughout the organisation. Like a press in football if you have some players pressing high up the pitch, and others dropping off their marker the whole system breaks down. So, ensure that you are regularly training staff in security awareness and including them as an audience to threat modelling discussions to hit home how crucial these activities are.
TYPES OF CONTROLS
A control can be thought of as your mitigation mechanism – what you put in place in your procedures to deal with the issues raised in a policy for example. In order to maximise your insight into your organisation as a whole, it is highly useful to break down these controls into the following areas;
PHYSICAL
Exactly what it says on the tin. This focusses on the physical world (however limited this may be for some organisations). The key area to consider in this space is access to key buildings – offices, warehouses, storage facilities, etc.
Having CCTV surveillance, camera logs, smart card / key card access are all examples of physical controls that you can implement to deal with a physical security challenge. You can also use softer controls, such as security awareness training with staff to improve the security culture in response to this challenge – regularly checking if people in the building have an ID card or not allowing people to tailgate staff into buildings.
TECHNICAL
This focusses on the digital space, it may not always obvious to organisations what is included. Depending on your technical infrastructure, it could be on-premises hardware, cloud-based or a mix of both. Then within the cloud there are several different deployment models available. It is critical to understand the full extent of this perimeter, as well as who is responsible for what security – even in the cloud there are still areas that an organisation is responsible for.
Having firewalls, Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS), Multi-Factor Authentication (MFA) and Anti-Virus (AV) solutions are all examples of technical controls that can be implemented to prevent technical issues coming to light.
ADMINISTRATIVE
These refer to your policies, procedures and guidelines that are in place to define personnel or business practices that are aligned to the security goals of the organisation. Similar to physical controls, these controls can be implemented with your staff to improve the technical security.
This includes acceptable use policies and employee handbooks that can outline important behaviour that can improve security and reduce the risks stemming from negligence. It also focusses on areas such as separation of duties, data classification and an audit programme to ensure security throughout the organisation.
CONTROL METHODS
With these different control types covered in this section, it is also important to distinguish between the different methods in place for them. The three key areas to be aware of here are;
- Preventative Controls
Any security measure that is designed to proactively stop an issue or incident from occurring in the first place. - Detective Controls
Any security measure that is designed to identify or alert if an issue or incident occurs so that the organisation can react to it. - Corrective Controls
Any security measure taken to repair damage or restore resources to their previous healthy state.
INDUSTRY FRAMEWORKS
When building out your security strategy it is crucial to be wary of frameworks and regulations that your organisation is bound by – either due to industry or geographical location. Whilst there are a wide variety of regulatory bodies and standards, for the purposes of this blog we will call out a few to be aware of.
GDPR (General Data Protection Regulation) Straight off the bat, probably the one that most citizens of the UK and the EU are aware of – the data protection regulations for all citizens within the region. With the UK exiting the EU, it has brought into place the Data Protection Act (DPA) which complies with GDPR, meaning that for any organisation operating within the UK or EU, or processing citizen data is bound by these regulations.
ISO (International Organization for Standardization) An International standard setting body that contains representatives from various national organisations, with worldwide technical, industrial, and commercial standards. It is the largest developer of voluntary international standards, with voluntary being a key word here. Some of the other standards are mandatory and failure to comply can lead to a significant fine and legal action. With ISO there is no requirement to comply, but there are a few standards that are deemed to be ‘essential’ such as ISO 27001 for Information Security, ISO 22301 for Business Continuity and ISO 9001 for Quality Management.
PCI-DSS (The Payment Card Industry Data Security Standard) Set of requirements that govern how organisations processing payment card information must be conducted. Failure to comply can lead to financial penalties, as well as suspension from being able to process payments in the future.
SOX (Sarbanes-Oxley Act) Passed by the US Congress to protect the public from fraudulent or erroneous practices by corporations and other entities. SOX was enacted in 2002 in response to financial scandals, such as Enron and Tyco International, hence why the first SOX regulation SOC 1 is primarily focussed on the financial health and stability of an organisation. SOC 2 focusses on the security of customer data through five trust service principles, and SOC 3 provides an external validation that a SOC 2 report has been conducted accurately.
CONCLUSION
A cyber security strategy is an essential part of maintaining organisational focus on the overall security and ultimate availability to remain healthy and in business. The ramifications of not meeting key cyber security factors can be mission critical, and something an organisation may never recover from.
Each organisation is different and has their own risk appetite and threats to contend with, which makes this exercise so important. There is no out of the box solution that will make an organisation secure overnight – business context is very critical and it is the primary USP of a managed service provider offering a service in this space, as opposed to an out of the box software solution.
Are you looking to develop a secure website, web software or mobile application? Or looking to develop your brand image or logo design? Get in touch at sales@digif9.co.uk to set up a free consultation call.
