Clinton Firth, MENA Cyber Leader, EY Africa, India and Middle East (AIM), on how organisations can build resilient systems to protect themselves against cyber threat actors.
Threats of all kinds continue to evolve, and today’s organisations find that the threat landscape changes and presents new challenges every day. In response, organisations have learned over decades to defend themselves and respond better, moving from very basic-level measures and ad hoc responses to sophisticated, robust and formal processes.
Over recent years and under the pressure of more regulation, organisations have invested in their corporate shield. Significant progress has been made in taking measures to strengthen this shield in the last two to three years, but organisations are lagging behind in preparing their reaction to a breach. They are still ignoring the all-too-familiar statement, “it’s not a matter of ‘if’ you are going to suffer a cyber-attack, it’s a matter of ‘when’ (and most likely you already have been).”
According to the annual EY Global Information Security Survey (GISS), Path to cyber resilience: Sense, resist, react, global organisations are more confident than ever that they can predict and resist a sophisticated cyber-attack, but are falling short of investments and plans to recover from a breach in today’s expanding threat landscape.
Between 2013 and 2016 there have been year on year increases in cybersecurity budgets globally. However, 75 percent of MENA respondents say that more funding is needed, and 50 percent of MENA respondents citing budget constraints as a challenge. And it is not just budget that is needed. While additional budget may help alleviate the skills shortage, money cannot buy the executive support that is also needed.
Cybersecurity is a shared responsibility across the organisation. Boards need to support the efforts being made, and every employee needs to learn how to stay out of trouble and not open the phishing email, or lose their mobile device. When it comes to immediately dealing with a cyber-attack that has damaged the organisations, there is nowhere today that the board can hide. If any weaknesses or failures in the recovery plans become known, and the longer these problems continue, the worse the situation will get. Some organisations may physically recover from an attack, but their reputation and trust can be destroyed. The key is to communicate and lead the communications before the strength of the traditional news media and social media takes over. Too many organisations are still unprepared.
Sense, resist and react
Cyber resilience is a subset of business resilience; it is focused on how resilient an organisation is to cyber threats. There are three high-level components of cyber resilience that organisations need to look at to improve their cybersecurity capabilities
First, sharpen your senses. Sense is the ability of organisations to predict and detect cyber threats.
Organisations need to use cyber threat intelligence and ‘Active Defence’ to predict what threats or attacks are heading in their direction and detect them when they do, before the attack is successful. They need to know what will happen, and they need sophisticated analytics to gain early warning of a risk of disruption. Can you see the cyber-attacker approaching your perimeter? Does your perimeter even exist anymore? Would you know if someone is beginning to undermine — or launch an attack over — your defences? Could you spot an attacker hiding in a remote part of your network?
Second, upgrade your resistance to attacks. Resist mechanisms are basically the corporate shield. It starts with how much risk an organisations is prepared to take across its ecosystem, followed by establishing the three lines of defence:
- First line of defence: Executing control measures in the day-to-day operations
- Second line of defence: Deploying monitoring functions such as internal controls, the legal department, risk management and cybersecurity
- Third line of defence: Using a strong internal audit department.
What if the attack was from a new, more sophisticated technique that you haven’t experienced before? Would your defences be able to resist something new and more powerful?
Third, react better. If sense fails (the organisations did not see the threat coming) and there is a breakdown in resist (control measures were not strong enough), organisations need to be ready to deal with the disruption and be ready with incident response capabilities to manage the crisis. They also need to be ready to preserve evidence in a forensically sound way and then investigate the breach in order to satisfy critical stakeholders — customers, regulators, investors, law enforcement and the public, any of whom might bring claims for loss or noncompliance.
Finally, they also need to be prepared to bring their organisations back to business as usual in the fastest possible way, learn from what happened, and adapt and reshape to improve cyber resilience going forward.
React is the area where most of the work is still to be done. The more it becomes clear that the corporate shield cannot resist all threats, the more that companies will need to focus on their reactive capabilities.
In the event of a cyber-attack, what is the organisations’s plan and what is your role in it? Are you going to focus on quickly repairing the damage or will you be painstakingly collecting evidence for law enforcement? What would be the first thing you would do?
Given the likelihood that all businesses will eventually face a cyber breach, it is never too early for companies develop a strong, centralised response framework as part of their overall enterprise risk management strategy. The truth is, everyone needs help. Since companies are all facing the same “common enemy,” the more companies share about their concerns and experiences, successes and failures, and the more they collaborate on finding answers, then the more they will learn and together, be better protected.