9th March 2020
For security initiatives to be effective, organisations need to know the threats to their business operations and understand the risks. In a technology-led world, many organisations focus on the security of the technical environment and take a traditional approach to identify their vulnerabilities using scanning tools and penetration testing. To achieve a pragmatic balance of technical testing and holistic cybersecurity governance, initiatives should consider the whole organisation and encompass people and processes as well as technology.
Typically, when an organisation tests its security, it is considered best practice to start at the outside of the environment and work inwards – this way, organisations can deal with what is often considered most important, the external threat. But what about protecting what really matters, the data, and how should it be protected from what is often ill-considered, the internal threat? Malicious or non-malicious, experience shows that insider threats are more commonly responsible for organisational breaches.
Even before understanding the detail of their cyber risks, organisations are best positioned to protect themselves by carrying out the basics well. Often referred to as ‘cyber hygiene’, routine tasks such as patching vulnerabilities and keeping software up to date, training staff on the importance of information and data security and considering security within normal business processes all give organisations a fighting start.
However, these can often be the most difficult to execute due to the dependencies organisations place on resilient operations. To ensure that threat mitigations are effective, organisations should implement pragmatic, manageable security controls that are based on risk. There are a range of recognised control frameworks, including the NIST Cybersecurity Framework and ISO 27001, but what is most important is that control implementations are embedded within business-as-usual activities to create a robust and efficient security culture.
One area that is consistently neglected is identifying and managing risks within the supply chain, particularly understanding the dependencies organisations have on third parties and how the services they provide can impact business operations. With more organisations adopting an outsourcing model, it is essential that this is governed by a robust third-party assurance programme to manage the related risks.
Alongside control implementation, organisations should decide on appropriate measurements and metrics to benchmark improvements and continue the management of an acceptable level of risk.
Make sure security controls work together – by using vulnerability scanning tools and manually-led penetration testing to identify and remediate weaknesses, organisations can identify trends that can be used to inform changes to business processes to prevent reoccurrence. These can also be used as opportunities to educate key stakeholders by conducting regular, targeted security awareness activities, either through ongoing security training or, for more mature organisations, by considering simulated phishing attacks or red teaming activities.
From SureCloud’s recent surveys and broader experience, security culture mostly relates to identifying what is ‘normal’ within an environment and implementing controls to detect that which isn’t. It is vital to define incident management plans and playbooks for responding to incidents and events, and to ensure these are tested using walkthroughs and simulated exercises to gain assurance that they are robust.
But most importantly, ensure that all stakeholders are considered throughout the security lifecycle – from operational teams to senior leaders, security culture needs to be considered for every area of the business.