The Expert View: Building a cyber-resilient organisation

Cyber-attacks have increased exponentially in recent years said Tristan Morgan, Managing Director of BT Security, opening a TEISS Briefing at the House of Lords. He said attacks are increasingly targeting small and medium businesses, which are the bedrock of our economy. The challenge is how to build organisations that are more resilient in this new landscape.

Yaroslav Rosomakho, VP and CTO in Residence at Zscaler, said that comprehensive defences are key, but he warned that attackers are increasingly finding creative ways to get around defences. They might use a DDOS attack, for example, as a smokescreen to create stress in the target organisation and make their primary goal harder to detect.

Attendees, all senior executives from a range of sectors, agreed that the challenges facing organisations today are complex and growing, but said they are working to constantly improve their defensive strategies.

Identifying challenges 

 
A significant challenge, according to many at the briefing, is the volume of data that companies generate and rely on. This must be secured, backed-up, and available to restore after an incident. That can be expensive, and it isn’t easy to know that it has been done right.

Another issue is the growing attack surface businesses must protect. This includes things like more employees using devices at home or remotely, and the spreading network of third party suppliers. These companies sometimes use their own third parties to carry out work, which can spread the risk even further.

Attendees also discussed the difficulty in knowing where you will recover to. It can be hard to know when a system was compromised so a backup might take you back to a state that is still compromised.  Furthermore, your systems might be unavailable because investigators are searching for evidence they can use to trace the attackers or support an insurance claim.

Increasingly, attackers are using artificial intelligence (AI) tools to gain an advantage, those at the briefing said. This could be as simple as using it to write more convincing phishing emails. Attendees said they had not yet explored using AI defensively, though some said they could imagine it powering greater SOC automation in future.

Assessing risk 

 
The first step in managing these risks is to define the organisation’s culture, those at the briefing said. For example, in a law firm the senior lawyers are partners who own the business, so IT must work with them as an enabler, encouraging good security rather than demanding it. In contrast, an attendee from a financial services company said that, as a regulated business, his company had everything locked down and took a zero-tolerance attitude to breaches.

Regardless of the culture and risk appetite of the business, resilience cannot just be an IT responsibility, attendees said. It must involve the entire organisation. With that in mind, attendees recommended a multi-pronged approach, combining internal marketing, training and communication with the board. One suggestion for getting the board to understand the importance of the issue is to bring in a speaker with experience of a breach, particularly one who can detail things like the mental health impact of a breach on staff.

Of course, all of this should be underpinned by a solid technical and procedural framework. Those at the briefing use different frameworks, but several recommended NIST as a good option.

Whatever its culture and risk appetite, every business must determine the essential services needed to run things after an incident - and the order in which they must be restored. For example, there will be several IT processes that have to be running before customer-facing services can be restored. Determining the priority and the order is best accomplished through a tabletop exercise, one attendee suggested, with all the key stakeholders present.

Sharing knowledge

However, those services will be nothing without the company’s data. Several attendees emphasised the importance of immutable backups and one mentioned the importance of the 3-2-1 rule, which states that there should be three copies of the data, on two different media types, and with one stored off-site.

There is a lot to think about and all of it should be overseen by a good governance system that ensures progress is measured, systems are tested, and improvements made. Attendees suggested that systems should be tested monthly but, for cost reasons, many organisations often test just once a year.

It’s a lot for any organisation to manage, and attendees recommended tapping into networks of experience to learn from others. Industry forums exist for CISOs to share best practice, and these can be a safe space for exploring difficult questions.

Mr Morgan said that this kind of collaboration can be a valuable tool for improving resilience. He said: “It needs everyone to come to the table and be prepared to share. We need to ask how we can be resilient as a community.”