The recent ransomware attack on Amey rattled nerves in the construction industry. Amey’s response to the breach was seemingly responsible, but when all is said and done, it was largely a case of shutting the stable door after the horse had bolted. So how can you avoid the same thing happening to you?
Fix obvious points of exposure fast
Before you think about your long-term approach to cyber security, act now to address immediate points of exposure that could leave you vulnerable to attack. Here are five basic cyber defences you should make sure are implemented straight away.
Note: The way in which you address the points below may vary depending on the technologies you use (such as Cloud services); however, the principles remain the same.
Plan and execute your longer-term cyber security strategy
Once you have assurance that you’re applying basic cyber security disciplines, step back and plan your longer-term cyber security strategy. For most organisations, this will likely require expert input to map out a pragmatic approach that fits the risk profile of the business. Experience tells us that there are some key features to get right.
Be guided by the risk: Many organisations make the mistake of trying to boil the ocean when it comes to cyber security. This can prove costly and ineffective. Identify the information that’s valuable to you and protect it accordingly. For critical information, apply additional levels of protection (such as dual-factor authentication or encryption). Deliver risk reports to management that help them make decisions based on the most important risks.
Recruit the Board: Your cyber security strategy won’t succeed unless it has the backing of the Board. Do they understand the true extent of the cyber threat? Are they equipped to make decisions about cyber risk? Have they approved enough budget? Have they appointed a senior individual to take ownership of cyber security?
Apply structure: Your cyber security capability won’t be effective if it’s applied piecemeal. A good security governance approach features clear policies and standards at the top, supported by ‘how to’ guidance describing how the business should comply on a daily basis. This also provides a common structure against which you can measure compliance over time.
Don’t forget about your suppliers: Cyber criminals will often target an organisation’s supply chain as an ‘easy way in’. Work closely with Procurement and Legal to ensure that suppliers apply a minimum level of security that reflects the nature of the relationship.
What happens if you suffer a cyber breach?
Even the most cyber-mature organisations get hit. If that happens, it’s all about keeping the business running whilst minimising damage. Here are some basic measures that will help you know you’ve been hit, and then recover.
System monitoring: Will you know if your systems have been breached? Ideally, you’ll want to find out before a client or external authority notifies you. Strange symptoms might give you a clue that something’s up (users locked out, random pop-ups and unexpected software installations, to name but a few). But remember that it’s possible to be breached and know nothing about it for an extended period. The purpose of spyware is to lurk unnoticed and gather valuable information (such as login credentials) over time. While security software will often notify you if something is wrong, you should also have a good helpdesk that can act on anomalous activity reported by users. For critical systems you might wish to explore more specialist software or monitoring services.
Up-to-date Backups: Is important data backed up automatically to a separate environment on a regular basis, and have backups been tested? Recovering your systems quickly in the event of them being rendered unavailable is critical. If you have recent backups that haven’t been compromised by the breach, you’re far more likely to be able to recover swiftly. In the case of ransomware, the hacker will usually encrypt sensitive data and then demand a ransom in return for decrypting it. Up-to-date, unaffected backups will go a long way in helping you to recover.
Business Continuity Plans: Is there a plan in place that details how the business should respond if an incident occurs? Many large companies will have sophisticated plans in place, but even a basic set of recovery actions (along with a contact list of numbers for senior managers) will help everyone stay level-headed and enable the business to respond. Don’t forget to include liaison with relevant authorities (such as the Information Commissioner’s Office and Police) who will need to be informed in the event of a data breach.
While cyber security can be daunting for some, no business can afford to ignore basic cyber protection measures. Building on these to implement a risk-based approach to cyber security – that becomes ‘business as usual’ over time – will pay dividends in the longer term.
If you would like to arrange a one-to-one phone call with CRMG to discuss your current cyber security arrangements and cyber security strategy, please contact us at info@crmg-consult.com.
About the author
Simon Rycroft
Co-Founder & Director, CRMG
simon.rycroft@crmg-consult.com