Anyone that you talk to about cyber risk will probably try to provide you with ways to reduce it, but how do you work out how much at risk you have in the first place? What is the point of providing solutions to a problem when you don’t properly know what the problem really is?
Organisations that need to have an ability to demonstrate their cyber resilience go for a certification known as ISO 27001. This is not an easy thing to get and tends to involve lots of pretty fundamental changes to how everything happens. The process that they go through can be summed up in three stages:
- Find Issues: Measure where the organisation is. Usually this is called a gap assessment; the “gap” being the gap between where they need to be, and where they are.
- Fix Issues: Fix the problems found in stage one in a structured and recorded way, so that they stay fixed. This is done by adding “controls” which are remedies to the issues found. This is then all arranged in an ISMS (Information Security Management System) so that the security practices can be monitored and maintained.
- External Audit: An external auditor comes and checks a few aspects of the ISMS and organisational practices. If all is well, an ISO 27001 certificate is issued.
The journey for arriving as an ISO 27001 certified organisation is neither easy nor cheap, hence it is far from being for everyone. However, there are some things that we can take from it, such as the basic ideas behind how it is implemented.
If we start off simply then we need to do our own three stages:
- Find Issues: You may need some external help with this, but basically, you work out a list of potential things that could happen to your organisation and mark them with a score of how severe it could be if those things happened, and then how likely it is to occur. Here are a few examples to help you get your list started:
a. Phishing attacks or other social engineering leading to either ransomware or BEC (business email compromise). Severity – 5/5: Likelihood – 3/5
b. Usernames and passwords involved in data breach. In this example, these credentials are used for multiple different logins so this could be a significant threat. Severity – 5/5: Likelihood – 4/5
c. Organisation does not use MFA (multi-factor authentication) and login credentials are compromised. Severity – 5/5: Likelihood – 3/5
d. Unencrypted portable media such as USB drives are in use for data transfer, and one gets lost / stolen. Severity – 5/5: Likelihood – 1/5
e. Users and administrators do not use passwords of at least 8 characters, a brute force attack was able to log into network. Severity – 5/5: Likelihood – 3/5 - Fix Issues: Take your list and your scores, then multiply them out. For example point #a above is 5 for potential severity and 3 for likelihood: this means that the score is 15. You will need to take a view of what you are going to address, so you may decide that anything with a score over 9 needs dealing with, so point #a would need a “control” to remedy it. Here are some suggested remedies / controls for the listed examples:
a. Score of 15: Implement ongoing security training including phishing simulations so that your users can spot this sort of thing and do not fall for such social engineering.
b. Score of 20: Implement a secure password manager and a policy of not reusing login credentials. This way in the event of a data breach where such credentials are exposed, the impact is limited to one login and can be dealt with fairly easily.
c. Score of 15: Implement MFA in all systems capable of supporting it. If Keeper Password Manager is used for control #b above, MFA can be included which reduces the inconvenience to users.
d. Score of 5: Although the score is low, this is not ideal. This can be remedied by using secure alternative systems to transfer information.
e. Score of 15: Implement a policy of only using long, complex passwords. Use of a password manager as specified in control #b will make this much easier. - Schedule Reviews: Make this activity of reviewing risks and implementing controls an annual event at a minimum.
The above process will potentially be of use to smaller organisations in the assessment of what to fix. Remember that the list is far from extensive and should be added to. Don’t be afraid to ask for help with this process; a little money spent now could save you fortunes later.
I would urge all organisations to consider implementing Cyber Essentials and perhaps Cyber Essentials Plus. These government schemes have been designed to help you make your organisation far more secure.