As cyber attacks continue to increase in scale and severity, organisations need to invest more in defences – whether technological solutions, staff awareness training or revamped compliance practices. However, if those defences aren’t part of a cohesive strategy, the benefits will be minimal.
Developing and maintaining the ability to withstand the complex cyber security risks your organisation faces requires a multi-layered approach. You need the right combination of physical, technical and administrative controls so that the organisation stays protected even when one of those defensive layers is breached.
A cyber-defence-in-depth approach should comprise five stages: detection, protection, management, response and recovery.
Let’s look at them individually.
Understanding the cyber threats you face and where your cyber defences are most at risk of being breached is critical to securing your organisation. Most cyber attacks exploit two types of vulnerability: technical and human.
New technical vulnerabilities are discovered and exploited by criminals every day. Previously patched vulnerabilities can also be reintroduced into systems by updates and reconfigurations. This is why a programme of regular vulnerability scanning is a critical component of a risk-based approach to security.
Vulnerability scanning identifies security vulnerabilities in workstations, internal and external networks, and communications equipment. It is an automated activity that scans infrastructure targets for known vulnerabilities and misconfigurations, enabling you to bolster your defences where you most need to. Because it matches targets against signatures of known issues, a scanner will not find logic flaws or novel weaknesses, and a single scan tells you only what is wrong today; the value comes from comparing successive scans so that regressions are spotted as soon as they appear.
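The point about patched vulnerabilities being reintroduced is easy to miss if each scan is read in isolation. The following is an added example, not code from the original article or from any scanner vendor: it parses a constructed CSV export (hypothetical hosts and finding names, not real results) and classifies each finding in the newest scan as new, persistent, reintroduced or fixed, where "reintroduced" means a finding that had disappeared in an earlier scan and is now back.

```python
import csv
from io import StringIO

# Constructed sample export (not real scan output): one row per finding per scan,
# in the shape a scanner's CSV export takes once reduced to the columns that matter.
# Hosts and finding names are hypothetical.
SAMPLE_EXPORT = """scan_id,host,finding
1,web-01,tls-1.0-enabled
1,web-01,outdated-openssh
1,db-01,smb-signing-disabled
2,web-01,outdated-openssh
2,db-01,smb-signing-disabled
3,web-01,tls-1.0-enabled
3,web-01,outdated-openssh
3,web-02,default-admin-credentials
"""


def load_scans(csv_text):
    """Group findings by scan_id, returning a list of sets ordered oldest to newest.
    Each set holds (host, finding) pairs, so the same finding on two hosts
    is tracked separately."""
    scans = {}
    for row in csv.DictReader(StringIO(csv_text)):
        scans.setdefault(int(row["scan_id"]), set()).add((row["host"], row["finding"]))
    return [scans[k] for k in sorted(scans)]


def classify_findings(history):
    """Compare the newest scan with everything before it.

    new:          never seen in any earlier scan
    persistent:   present in the previous scan and still present
    reintroduced: seen in an earlier scan, absent from the previous one, back now
                  (a patch or hardening step that an update or reconfiguration undid)
    fixed:        present in the previous scan, gone now
    """
    if len(history) < 2:
        raise ValueError("need at least two scans to compare")
    latest, previous = history[-1], history[-2]
    ever_before = set().union(*history[:-1])
    return {
        "new": latest - ever_before,
        "persistent": latest & previous,
        "reintroduced": (latest & ever_before) - previous,
        "fixed": previous - latest,
    }


def regression_report(csv_text):
    """Convenience wrapper: parse an export and return the classification."""
    return classify_findings(load_scans(csv_text))


if __name__ == "__main__":
    for category, findings in regression_report(SAMPLE_EXPORT).items():
        print(f"{category:13s} {sorted(findings)}")
```

In the sample data, `tls-1.0-enabled` on `web-01` was fixed between scans 1 and 2 and is back in scan 3, which is exactly the regression the paragraph warns about; treating it as just another open finding would hide the fact that a change process undid earlier remediation.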
Human security weaknesses relate primarily to our innate susceptibility to social engineering, which is why cyber criminals rely so heavily on phishing. Phishing remains one of the most common routes by which malware enters a network, usually in the form of malicious emails containing links or attachments that download it.
Protecting your organisation from cyber attacks and data breaches is a complex undertaking. It is inevitable that some attacks will get past your defences, through threats such as zero-day attacks and well-designed phishing emails.
It is therefore essential to implement more robust cyber security controls and ensure you have appropriately trained staff to manage cyber security defences and breaches.
Not all organisations need to implement extensive security measures, but a base level of cyber security is essential to protect against automated attacks that seek to exploit common vulnerabilities.
Certification to a basic security standard such as the Cyber Essentials scheme helps protect organisations from the most common cyber threats and demonstrates their commitment to cyber security.
When it comes to implementing the defences specific to the risks you face, penetration testing goes a step further than vulnerability scanning. Experienced ethical hackers use the same techniques as criminals to assess your security vulnerabilities, either in isolation or in combination, and identify where your organisation is most exposed, enabling you to implement appropriate security controls.
For many organisations, managing cyber security risks requires a more intensive approach than implementing basic protections. Cyber security is, after all, an ongoing process, requiring continual evaluation, maintenance and revision.
This should include such measures as embedding risk-based security controls in corporate processes, managing the security of supply chains and carrying out regular audits to ensure security controls remain up to date.
ISO 27001 is the international standard for an ISMS (information security management system), a risk-based approach to information security that encompasses people, processes and technology. Independently audited certification to the Standard demonstrates to customers, stakeholders and staff that the organisation has implemented and maintains information security best practice.
Cyber criminals need to find only one weakness to infiltrate your systems, so it is essential to be prepared. The security measures you maintain should minimise the impact of a successful attack, but how you respond is critical to limiting disruption and costs.
Organisations need a robust BCMS (business continuity management system) to minimise an attack's impact, combined with cyber security and data protection audits and supply chain security to reduce its likelihood.
Implementing, and regularly rehearsing, cyber incident response management plans means you won't waste valuable time when the worst happens.
Sometimes, recovering from a cyber attack or data breach can be far more disruptive than you planned for. More often than not, you will be able to restore enough critical services to be able to continue functioning, but it can take months to fully recover.
This is where disaster recovery planning is essential.
Where business continuity planning is more about ensuring your organisation’s core systems can continue to operate following a disruption, disaster recovery is about resolving that disruption to your systems so that your organisation can return to business as usual.
Disaster recovery plans are technical documents built around two targets for each system: the RTO (recovery time objective), the maximum time the system may be unavailable before the damage becomes unacceptable, and the RPO (recovery point objective), the maximum amount of data, measured as a period of time, that can be lost. Setting these targets and checking that backup and restore arrangements can actually meet them is what stops a disruption escalating into catastrophic damage.
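Whether a plan meets its RTOs and RPOs depends on figures that are often never put together: backup frequency, data volume, measured restore throughput and the order in which systems are brought back. The following is an added example, not code from the original article or from any disaster recovery tool, and the systems and figures in it are constructed. It checks each system's RPO against its backup interval and its RTO against the cumulative restore time, on the pessimistic assumption that restores run one at a time in priority order.

```python
from dataclasses import dataclass


@dataclass
class System:
    name: str
    rto_hours: float               # maximum tolerable downtime
    rpo_hours: float               # maximum tolerable data loss, measured in time
    backup_interval_hours: float   # how often a restorable backup is taken
    data_gb: float                 # volume that must be restored
    restore_gb_per_hour: float     # measured restore throughput, not the backup rate
    validation_hours: float = 0.0  # checks and cut-over after the data is back


# Constructed example inventory (hypothetical systems and figures), listed in the
# priority order in which the plan says they will be restored.
EXAMPLE_SYSTEMS = [
    System("crm-db", rto_hours=8, rpo_hours=1, backup_interval_hours=1,
           data_gb=400, restore_gb_per_hour=200, validation_hours=1),
    System("file-share", rto_hours=8, rpo_hours=24, backup_interval_hours=24,
           data_gb=1000, restore_gb_per_hour=200, validation_hours=0.5),
    System("hr-portal", rto_hours=24, rpo_hours=4, backup_interval_hours=24,
           data_gb=50, restore_gb_per_hour=200, validation_hours=0.25),
]


def evaluate_plan(systems):
    """Check each system's RTO and RPO against the backup and restore figures.

    Pessimistic assumptions, stated rather than hidden:
      - the failure happens just before the next backup, so data loss equals
        the full backup interval;
      - restores run one at a time in the listed priority order, so a system's
        clock includes every restore queued ahead of it.
    Returns one result dict per system in the same order.
    """
    results = []
    elapsed = 0.0
    for s in systems:
        own_restore = s.data_gb / s.restore_gb_per_hour + s.validation_hours
        elapsed += own_restore
        worst_data_loss = s.backup_interval_hours
        results.append({
            "name": s.name,
            "own_restore_hours": own_restore,
            "recovery_hours": elapsed,           # when this system is actually back
            "meets_rto": elapsed <= s.rto_hours,
            "worst_data_loss_hours": worst_data_loss,
            "meets_rpo": worst_data_loss <= s.rpo_hours,
        })
    return results


def plan_gaps(systems):
    """Names of systems whose plan misses its RTO or RPO."""
    return [r["name"] for r in evaluate_plan(systems)
            if not (r["meets_rto"] and r["meets_rpo"])]


if __name__ == "__main__":
    for r in evaluate_plan(EXAMPLE_SYSTEMS):
        print(f"{r['name']:11s} back after {r['recovery_hours']:5.2f}h "
              f"(RTO {'ok' if r['meets_rto'] else 'MISSED'}), "
              f"up to {r['worst_data_loss_hours']:.0f}h of data lost "
              f"(RPO {'ok' if r['meets_rpo'] else 'MISSED'})")
```

In the constructed inventory the file share restores in 5.5 hours on its own, well inside its 8-hour RTO, but misses it once the database queued ahead of it is counted; and the HR portal's daily backup cannot satisfy a 4-hour RPO however fast it restores. Those are the two gaps a plan review should surface before an incident does.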
Cyber insurance (also called 'cyber liability insurance' or 'cyber security insurance') is also worth considering. It provides cover when you need it most, helping with the costs of recovery, but it tends to offer only limited cover, and policies typically require you to have maintained agreed baseline controls, so it might not fund your recovery completely. It should therefore be seen as a last resort to cover any residual risk that remains after you have deployed your incident response, business continuity and disaster recovery measures.
Whatever your resources or expertise, a defence-in-depth approach to cyber security will give you the best chance of mitigating the cyber security risks your organisation faces, so you can focus on your core business objectives without having to worry about coming under attack.
As CEO and founder of IT Governance Ltd, Alan leads the senior team and is responsible for delivering GRC International Group PLC’s strategy.
Before founding IT Governance Ltd in 2002, Alan held a number of roles, including CEO of Business Link London City Partners, CEO of Focus Central London and CEO of Wide Learning, the Outsourced Training Company, and was Chairman of CEME.
Alan graduated from the University of Witwatersrand in 1978 before moving to the UK. He has written a number of books about IT management, including the definitive compliance guide IT Governance: An International Guide to Data Security and ISO27001/ISO27002 (co-written with Steve Watkins), which is in its seventh edition and is the basis for the UK Open University’s postgraduate course on information security, and IT Governance – Guidelines for Directors.