Following their panel session at Infosecurity Europe 2023 on cyber security risks and companies’ readiness, Steven Furnell (Professor of Cyber Security, University of Nottingham), Ian Hill (Director of Information and Cyber Security, UPP) and Laure Lydon (Senior Director, Security Governance and Assurance, Babylon) share their thoughts on some key questions relating to the management of cyber risk.
How Can You Proactively Manage Risk? What About Sector Specific Risks?
Information security is about managing risk, and so a prerequisite is to recognize the risks we face. However, understanding their risks is challenging for many businesses, with the UK Cyber Security Breaches Survey 2023 suggesting that only a third have undertaken cybersecurity risk assessments in the past year (rising to just under two-thirds for large businesses).
Some organizations may benefit from thinking less about an ‘annual risk assessment’ and more about continuous assessments. Not only can risks be missed when conducting a point-in-time assessment, but it can also be more effective to embed security risk management into all organizational management processes.
In practice, understanding of risk varies across sectors, primarily due to differing degrees of digital maturity and risk exposure; the construction sector, for example, has a very different risk profile than that of the finance sector, which is more digitally mature with lower risk tolerance thresholds. Common across all sectors, however, is an increasing trend in supply chain risk, with ever greater reliance on third parties and outsourcing.
Supply chain risk is an area where risk can be managed proactively through robust due diligence, yet many organizations find it challenging, with only 55% of large businesses (and just 13% of UK businesses overall) reviewing risks posed by their immediate suppliers. Unfortunately, if you don’t look, there’s a good chance that you won’t see.
Does Compliant Really Mean Secure?
The short answer is no. Compliance doesn’t guarantee good security, but good security will help to ensure compliance. Security standards are great frameworks to set guiding principles and give a general level of assurance, but we need to beware of false assurance.
Being compliant typically means having some baseline measures in place. Examples include achieving the UK’s Cyber Essentials certification or compliance with wider standards such as ISO27001. However, as with risk assessments, the picture emerging from the breaches survey shows low adoption. For example, even among large businesses (often with the most resources and potentially greater cause for compliance), only 33% claimed to meet Cyber Essentials, while 27% claimed compliance with ISO27001.
Unsurprisingly, the picture is bleak when looking at the overall business population, at just 5% and 9% compliance, respectively.
At the same time, not all standards are made equal, and it is important to use the right ones for the right jobs. For example, Cyber Essentials may prove useful for small and medium-sized organizations but less effective as a measure of good security for larger organizations. Similarly, different standards may be better suited to address varying risk profiles and industry requirements. For this reason, we often see businesses develop their own security frameworks from a hybrid of different standards, commonly combining ISO27001 and NIST CSF.
It’s important to recognize that most certifications are point-in-time assessments, and as with any snapshot, things change over time. The threats organizations face can shift, new vulnerabilities emerge constantly and control implementations can be affected by changing internal and external factors.
Standards can also lag a long way behind emerging threats. For example, it took nine years for the latest ISO27001 standard to include a specific control requirement relating to Data Loss Prevention (DLP). Therefore, any security strategy based on ISO27001 compliance may have overlooked the importance of DLP until 2022.
Another danger of a compliance-led approach is the potential for security programs to become arbitrary box-ticking exercises, which can distract from good security. Whilst it is vital to ensure that security fundamentals and good security hygiene are obsessed over, beyond this, it is important to focus on protecting the most valuable, exposed and vulnerable assets rather than trying to give all controls blanket coverage and directing resources to tick boxes. Knowing what these valuable and vulnerable assets are points back to the need for appropriate risk assessments.
Does ‘Readiness’ Automatically Mean Agile?
Not necessarily – the two are related but not synonymous. The threat landscape is changing so quickly that predicting how an attack will play out is becoming increasingly difficult. Even with useful tools like the Mitre Att&ck Framework for guidance, Von Moltke’s military maxim “no battle plan survives contact with the enemy” stands true in our world.
The biggest risk is always “you don’t know what you don’t know,” with a trending shift of emphasis from ‘prevent’ to ‘detect & respond,’ because as hard as you try, you can’t prevent every scenario, even the ones you know about. ‘Readiness’ therefore requires a level of agility to adapt, detect and respond effectively as events unfold.
In the same way, readiness should also be synonymous with resilience. Readiness requires a deep understanding of organizational information assets, a good view of threats, identification of risks and measures to mitigate them; a combination of good asset, risk and control management should emerge as a result.
In the Current Economic Climate with Rising Inflation and Cutbacks, What Impact is this Having on Businesses’ Readiness?
Many businesses are under huge pressure to cut costs, with inflation pushing up wages, and high energy and raw material costs etc. The Breaches Survey suggests that some organizations, especially micro-businesses, are cutting back on security. There has been a decline in basic cyber hygiene measures (e.g. up-to-date anti-malware, patch management), which can shift the balance further in favor of threat actors.
Some businesses are potentially losing sight of the fact that security protects and increasingly brings value. Instead, it is often seen as an expensive overhead ripe for cutbacks. With the ever-increasing threats and compromises, now is not the time to cut back on security. It is time to examine how effectively you are using your existing capability and ensure you are utilizing the technology and services you already have to maximize effectiveness and value for money.
What Advice Would You Give Organizations Looking to Adopt Best Practices?
Consider what is appropriate and achievable. Look at what others in your sector are doing. Security should always be aligned with the business’s goals and objectives, which goes back to understanding your risk profile, and the threat landscape as it applies to the sort of business you are in.
With a well-defined risk appetite and risk tolerance thresholds, you can start looking at which security best practices and technologies are most appropriate for your business, potentially using a methodology such as SABSA to help you do this. It is advisable to focus on the hygiene basics before setting other priorities. In the Breaches Survey, only 14% of businesses had heard of the NCSC’s 10 Steps to Cyber Security, suggesting that their chances of following the full set of recommendations were limited. With scarce resources, we need to be able to apply standards in a way that promotes good security. When implementing controls, prioritize deploying resources where the dial is shifted most.