When you mention cyber security, thoughts generally focus on perimeter security; breach prevention, firewalls, email protection, anti-malware software, anti-spam, anti-phishing – all primarily preventative technologies.
In fact, according to IBM, a typical enterprise will have on average 70 security technologies from up to 40 different vendors. And yet, the number and extent of breaches continue to rise. The 2017 Breach Level Report shows that 2,600,968,280 records were compromised in that year - in 1,750 incidents. That equates to over 7 million records per day.
All these security technologies are a required part of your organisation’s security strategy, but in themselves they are not enough. You must accept that despite these threat prevention technologies, you have been breached and you will be breached again.
John Chambers ex-CEO of Cisco said: “There are only two types of companies – those that have been breached and those that don’t yet know they have been breached”. As an industry we must shift from a sole focus on prevention to an all-encompassing framework for security. Easier said than done, you are thinking! But there are frameworks to help.
The USA-based NIST (National Institute of Standards and Technology) Cybersecurity Framework, provides organisations with a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents.
The Framework provides an approach to prioritise cybersecurity resources, make risk decisions, and take action to reduce risk. It enhances cybersecurity communication within an organisation and with other organisations (such as partners, suppliers, regulators and auditors) and helps organisations identify, manage and assess cybersecurity risks.
The NIST Cybersecurity Framework consists of 5 main pillars.
Organisations must develop an understanding of their environment to manage cybersecurity risk to systems, assets, data and capabilities. To comply with this pillar, it is essential to:
- have full visibility into your digital and physical assets and their interconnections
- have defined roles and responsibilities
- understand your current risks and exposure
- put policies and procedures into place to manage those risks
Organisations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. To comply, your organisation must
- control access to digital and physical assets
- provide awareness education and training
- put processes into place to secure data
- maintain baselines of network configuration and operations to repair system components in a timely manner
- deploy protective technology to ensure cyber resilience.
Organisations must implement the appropriate measures to quickly identify cybersecurity events. The adoption of continuous monitoring solutions that detect anomalous activity and other threats to operational continuity is required to comply with this pillar. Your organisation must have visibility into its networks to anticipate a cyber incident and have all information at hand to respond to one. Continuous monitoring and threat hunting are very effective ways to analyse and prevent cyber incidents in ICS networks.
Should a cyber incident occur, organisations must have the ability to contain the impact. To comply, your organisation must
- craft a response plan
- define communication lines among the appropriate parties
- collect and analyse information about the event
- perform all required activities to eradicate the incident
- incorporate lessons learned into revised response strategies.
Organisations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event. Your organisation must have a recovery plan in place, be able to coordinate restoration activities with external parties and incorporate lessons learned into your updated recovery strategy. Defining a prioritised list of action points which can be used to undertake recovery activity is critical for a timely recovery.
Following these guidelines will keep you on the right track and minimise your risk. And working with a cyber-security partner who can help you rethink your approach is perhaps also worth considering.