How to test your organisation's security effectively and take measures to protect yourselves.

The cyber threat landscape is changing rapidly, mainly due to the significant increase in attention from threat actors seeking to benefit from a breach or compromise for an organisation’s data. This has led to a change in an organisation’s appetite and tolerance for managing cyber risks and, more so, the need to understand their cyber risk exposure. From identifying their existing cybersecurity posture, organisations need to prioritise which risks are most important, particularly when considering the provision of effective remediation activities.

SC Magazine speaks to Craig Moores, Risk Advisory Practice Director at SureCloud to gain his expert insight. Here are his comments in full:

So, what can organisations do to combat this threat?

For security initiatives to be effective, organisations need to know the threats to their business operations and understand the risks. In a technology-led world, many organisations focus on the security of the technical environment and take a traditional approach to identify their vulnerabilities using scanning tools and penetration testing. To achieve a pragmatic balance of technical testing and holistic cybersecurity governance, initiatives should consider the whole organisation and encompass people and processes as well as technology.

Typically, for an organisation to test their security, it’s often considered best practice to start at the outside of the environment and work your way in – this way, organisations can deal with what is often considered most important, the external threat. But what about protecting what really matters, the data, and how to protect this from what is often ill-considered, the internal threat. Malicious or non-malicious, experience shows that insider threats are often more commonly responsible for organisational breaches.

With this in mind, how do organisations take measures to protect themselves?

Essentially, by starting with the basics.

Even before understanding the detail of their cyber risks, organisations are best positioned to protect themselves by carrying out the basics well. Often referred to as ‘cyber hygiene’, routine tasks such as patching vulnerabilities and keeping software up to date, training staff on the importance of information and data security and considering security within normal business processes all give organisations a fighting start.

However, these can often be the most difficult to execute due to the dependency’s organisations place on resilient operations. To ensure that threat mitigations are effective, organisations should implement pragmatic, manageable, security controls that are based on risk. There are a range of recognised control frameworks including the NIST Cybersecurity Framework and ISO 27001, but what is most important is that control implementations are embedded within business-as-usual activities to create a robust and efficient security culture.

One area that is consistently neglected relates to identifying and managing risks within the supply chain, particularly in understanding the dependencies organisations have on third parties and how the services they provide can impact on business operations. With more organisations adopting an outsourcing model, it is essential that this is governed by a robust third-party assurance programme to manage the related risks.

Alongside control implementation, organisations should decide on appropriate measurements and metrics to benchmark improvements and continue the management of an acceptable level of risk.

How do these activities form part of an ongoing security culture?

Make sure security controls work together – by using vulnerability scanning tools and manually-led penetration testing to identify and remediate weaknesses; organisations can identify trends that can be used to inform changes to business processes to prevent reoccurrence. These can also be used as opportunities to educate key stakeholders by conducting regular, targeted, security awareness, either through ongoing security training or, for more mature organisations, by considering simulated phishing attacks or red teaming activities.

From SureCloud’s recent surveys and broader experience, security culture mostly relates to identifying what is ‘normal’ within an environment and implementing controls to detect that which isn’t. It is vital to define incident management plans and playbooks for responding to incidents and events and ensure these are tested using walkthrough’s and simulated exercises to gain the assurance they are robust.

But most importantly, ensure that all stakeholders are considered throughout the security lifecycle – from operational teams to senior leaders, security culture needs to be considered for every area of the business.

SureCloud’s final thoughts and key takeaways:

• Understand the threats posed to the organisation and identify the risks. To achieve a balanced approach, organisations should target security controls that include people, processes and technologies – including key third parties.
• Adopt a blended approach to security management that improves the maturity of the whole organisation.
• Don’t try to solve all of the problems at once! Begin with high priorities and/or quick wins and aim for a higher level of overall security effectiveness as opposed to pockets of strength.
• Don’t re-invent the wheel – security initiatives are most effective when the organisation considers these to be a part of their business-as-usual activities.
• The most effective controls are those that originate from and develop, organisations’ people.
• Measure the effectiveness of controls and identify and implement improvements where required.
• Plan for disasters so that incidents don’t become a disaster.