The pace, breadth and impact of threats in the cyber domain continue to accelerate. Global ramifications from cyber incidents were felt early and often in 2017. A group known as the “Shadow Brokers” released tools that disrupted businesses and impacted markets. Their actions led to a major disruption at the U.K. National Health Service from the WannaCry outbreak. A month later, Petya ransomware affected industries from pharmaceuticals (Merck) to transport (Maersk) through to oil and gas (Russian giant Rosneft). In early September, Equifax announced a major data breach which affected the personally identifiable information (PII) of more than 143 million people.
Cyber threats, however, did not stop with businesses. National elections in France were reportedly impacted by a massive data disclosure days before voters went to the polls. In the United States, 198 million voter records were found on an unsecured cloud server. Alarmingly, these massive cyberattacks are occurring with greater frequency. In response, it is imperative for all organisations to assess their cyber posture and risk tolerance.
There are a number of lessons from each of these incidents that organisations can quickly implement. These action steps can be summarised as the practice of good ‘cyber hygiene,’ i.e., doing the basics of information assurance and cyber defence well. This includes patching systems that are known to be vulnerable, securing data wherever it resides, and ensuring that networks are actively monitored. When the basics are executed well, companies can focus on defending their organisations from more advanced threats.
Nations around the world are coming to grips with the potential impacts of cyberattacks on their critical national infrastructure. Disruption to citizen services, or worse, has become an issue of national sovereignty. This has led countries to create their own versions of cyber hygiene best practices to guide and advise organisations on how to enhance their resiliency and response to cyber incidents.
In the U.S., this guidance is best summarised in the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF). The RMF was released in 2014 in response to an executive order. The framework provides cyber risk management guidance to U.S. critical national infrastructure providers. The framework is built around five core functions that, when used in concert, provide the best ability to manage cyber risk. These are offered not as a checklist or an exercise in compliance, but as a set of best practices divided by categories for implementation.
When fully implemented, the framework provides an understanding of residual cyber risk, which can then optimise organisational investments in people, process and/or technology to continually reduce risk, and increase resiliency and defensive agility. With RMF gaining worldwide acceptance, organisations without extensive cybersecurity posture can turn to practitioner partners and service providers such as Leidos for implementation guidance and support.
In the U.K., the National Cyber Security Centre (NCSC) provides excellent guidance to the public, government and commercial organisations alike. The NCSC’s “10 steps to cyber security” summarises the key elements of good cyber hygiene that, if adopted, can lead to enhanced cyber resiliency. The guidance encourages organisations to understand risk tolerance and coordinate cyber investments appropriately. This strategic coherence, through agreement with a board of directors or other similar governing body, allows organisations to understand and engage investments in cyber that are in line with risk tolerance. This NCSC investment provides the framework from which policies can be created, cyber intelligence acquired, and defensive actions taken.
In Australia, a related but distinct approach to cybersecurity guidance has been taken. The Australian Signals Directorate (ASD) published what they call the “Essential Eight.” These encompass the ASD-recommended core strategies to mitigate cyber incidents. While the ASD’s key elements of cyber hygiene have significant overlap with strategies from the U.S. and U.K., they have taken it a step further. The Australian Government provides a complementary maturity model to allow businesses to assess their implementation of the Essential Eight. Essentially, understanding where an organisation is in its transformation becomes another key element of risk management.
Regardless of the framework, guidance or combination of recommendations an organisation adopts, it is becoming a core business capability to increase cyber defence. At Leidos, we have more than 30 years of experience in transforming and improving the cyber resiliency of our customers across three key areas: assessment, transition and refinement.
First, an organisation must assess its current cyber defence capability to identify, respond to and adapt to cyber risk. It must prioritise key information assets, understand the threats against those assets and align security investments accordingly. Those investments must create resiliency within the technology architecture to adapt to cyber threats not previously conceived. Many enterprises have too many non-aligned security technologies and poor policies supporting their cyber defences. Understanding what you have and where mitigation efforts need to be taken is essential in building a better security posture. Proven practitioners and service providers can help assess an organisation’s defensive posture.
Second, organisations must transition to make cyber hygiene and security part of the organisation’s culture. Today’s advanced cyberattacks exploit weaknesses in enterprise cyber defences to penetrate enterprise networks, obtain administrative control and accomplish their mission. The increasing need for constant connectivity with vendors, partners and customers, along with future Internet-connected devices on personal, corporate, medical and industrial networks, will only make this problem worse. A culture of cyber hygiene has to be created in the organisation so that people can identify potential breaches and poor practices in the workplace. Organisations need to ensure the basics are right before considering anything more advanced.
Finally, cyber defence is not something done once. Instead, it is ongoing and requires continual investment in skills, organisational focus and refinement. This is achieved by building an internal team to perform operational activities, or by engaging a partner to help build resilient solutions or even take over these operations directly. Using a partner can insulate an organisation from the challenge of finding adequately skilled cyber professionals. Regardless of the approach, an organisation needs to adjust its processes to continually manage cyber risk and use its own cyber intelligence to inform current and future decisions.
This piece originally appeared in a cybersecurity supplement from the New Statesman
Bill is the Senior Director for Global Information Security at Leidos. In this role, he uses his 15 years of experience in cybersecurity to protect Leidos Corporation and support the cyber goals of clients around the world. When not on a plane, most of his time is spent coaching his son’s sports teams or enjoying a rare quiet moment on the back porch with his wife.