What does good prevention and response look like? How do organisations need to evolve their awareness? How can they develop practices and solutions to become better and more proactive at protecting themselves from a cyber-attack? Our expert panel identified seven initiatives that will help businesses lay the foundation for creating an effective cyber-safety culture.
1 Know where you stand
At a recent event on cyber security, senior managers from financial services responded to a poll on how prepared their organisations were for a cyber-attack. The majority of their organisations (65%) considered they were prepared to combat cyber risk with technical security controls such as firewalls. In contrast, it was thought that just under 22% of businesses had the correct policies and procedures in place. Where most businesses seem to be least prepared, is in their awareness of security risk and in the training of staff. Poll respondents also held the perception that there is distinct lack of leadership, skills and budget when it comes to cyber security. Key to solving the problem is finding out where you stand, how prepared you really are and what solutions you need.
2 Make someone accountable
Firms need to elevate the importance of appointing someone to manage their cyber security programme. There is a lot of information out there. Regulation is changing all the time, making it more challenging than ever before to manage across the whole firm. Appoint someone to get their head around the whole picture and hold them to account; someone needs to go out and gather all the data, find out what is going on and then brief the board. Until you have a dedicated individual looking at what projects need doing and managing, and maintaining contracts, there is no point looking at the solutions. The person who is appointed will need to develop some real scenarios as well as hear and share information with the right stakeholders. They don’t need to learn everything themselves, but they do need to have an overview of everything that is going on.
Don’t forget the board’s responsibility either. They have a responsibility to the shareholders, the business, its intellectual property – to the brand, and will be in breach of their statutory duties if they didn’t take responsibility too.
3 Master the basics
It’s not enough that leaders in the boardroom are aware of the risks. It’s about creating a cyber-safe culture. The vast majority of cyber security breaches are down to people getting the basics wrong, whether that is a security policy, perimeter security, mobile device encryption, anti-malware, out-of-date software patches or a good back-up. There are firms that still run their servers in their office and only 5% of the company’s backups work 95% of the time. Firms shouldn’t get distracted by the latest cyber technology or solution; the most effective ways to reduce and prevent cyber risks are to get basic security controls working consistently
If they are in place, are they being measured and acted upon?
4 Be aware, be prepared
In the same way that you wouldn’t just let anyone in your office, you should be really careful about the emails you open and even emails you send. How many of us have sent emails to the wrong person? The autofill pulls in a different email address, and all it takes is that pause to check it is begin sent to the right person. The key is to be prepared. Start by thinking about the easy things we can do that will improve our chances of being secure. Employees who travel should be encouraged to shred their luggage tag when they travel. It contains their passport number, frequent flyer mileage, home address, places they’ve travelled to and when. All of it is data that makes them vulnerable to a personalised attack. We can reduce that by being a bit smarter with technology, our processes and people.
5 Learn to spot unusual patterns
Employees need to become better at spotting strange patterns and unusual email activity, so that they can become better and more proactive about staying safe. One director found he had been subject to a very careful spearphishing attack when he walked back to the office after having coffee out with a colleague. They had talked about training and by the time he had got back to the office, half an hour later, there was an email in his inbox from the colleague he had been out to coffee with saying: “Here is the training we talked about. Can you open this and see what you think?”. He was very close to opening it but didn’t. There was something about the tone of the email that was way too formal to have come from his colleague that make him suspicious.
6 Create your playbook
Make sure you have a silent playbook that you initiate when you have a major cyber breach. Get the crisis team together and simulate the attack. Treat it in the same way you treat a major disaster for your business such as the whole place catching fire or your data centre going down. Do that on an annual basis. Doing simulation desktop exercises with everyone involved in the business will help you work through and be prepared as best you can. Have people know exactly what their roles and responsibilities are. Who is going to deal with the media? Who will inform the ICO and when? When do you need to inform customers? Are they getting the same coherent story?
7 Engage with risk
Working with Financial services, we hear a lot of talk around how to manage response, how to reduce risk and who is going to get fired. The bottom line is that we need to change how we engage with risk in our business. We need to be stunt professionals not security guards. A stunt professional’s job is to engage with the risk in a controlled way. They don’t see to eliminate risk altogether. At the end of the day, someone is going to have to jump out of that plane. It is all too easy for security experts to have a different attitude to risk by trying to eliminate it as much as possible and doing more and more to avoid engaging with risk.
Understand that it’s all about when you are going to get hacked and what you do when it happens. Businesses tend to put lot of emphasis on disaster recovery for traditional risks and less so for untraditional risks. Picking that cyber incident up and working it through is hard but there are enough examples and scenarios we can learn from so we can be a little bit more prepared in dealing with them.
The right leadership and management to deal with cyber security, engaging with risk in a controlled way, and combining changes in behaviours and awareness with good technology are all critical to developing the practices and solutions to keep the business cyber-safe and give rapid and effective response in the event of a breach.
Get in touch
Lanware’s expertise in cloud technology for FCA-regulated business means we understand the regulatory context you operate in and the security levels and oversight it takes to manage risk and regulation. Our range of enhanced security services enables your compliance, lowers your risk and gives you auditable evidence to reassure your partners and investors that your security controls are fail-safe.
