Last week I talked about whether our ability to demonstrate resilience in the cyber field, is impacted by an over reliance on the companies who supply our IT products and services, and whether over time, that reliance has grown to the point where we are ignoring our own responsibilities in this area.  I have used the phrase that you can outsource your IT, but you can’t outsource your responsibility.  At the end of the day, there is only you and your employees who have the best interests of you company at heart.  You wouldn’t tolerate a single point of failure in your business, you would try and ensure that there is resilience built into your business processes.  Why then do we not apply that to IT?

It’s a fact, which often goes unrecognised or ignored, that cyber security is not a technical issue but a business issue, and as such much of it is reliant on policy and process.  It is also a fact that your employees are both your first line of defence and potentially, your weakest link.  Technology comes in in third place.  The cyber mantra is People, Process, Technology.  If your people don’t have at least a basic understanding of the issues involved, and you do not have the right policies and processes, rolled out to, and understood by all who need them, then all the technology in the world is likely to be a waste of money.

People

Let’s take a closer look, starting with People.  Many businesses out there don’t have inhouse IT support but outsource that to an IT provider.  That’s fine, you can ensure that your contract with them spells out their responsibilities regarding your security, your data.  It then becomes their responsibility to ensure they protect to the standard stated in the contract, and that their people understand their responsibility.  However, you still have your own staff who interact with suppliers, customers and possibly members of the public, on your behalf.  I’ve discussed in my blogs before that most businesses are more likely to suffer from scams, than they are from technical hacks.  Even ransomware can be considered a scam, as can most phishing attacks.  The cyber-criminal is relying on someone on your staff to click a malicious link, or access something they shouldn’t, in order to facilitate the scam.  Staff often make the mistake of opening malware because they didn’t know they shouldn’t, not because they are themselves malicious or lack common sense.  If they fail, it’s often because they haven’t had any training.  Likewise, staff can make mistakes, such as copying and releasing data to unauthorised persons, because they didn’t know they shouldn’t.  So, whose failures are those, staff or managers?

Cyber Awareness Training (https://hah2.co.uk/cyber-awareness-training-smes/)

It is critical to the success of the cyber-security resilience that the organisation develops a mature culture of understanding and awareness about cyber risks. Above all this is an issue that must be driven from the top of the organisation – unless cyber-security has the full support of the Board it will be impossible to generate the level of commitment necessary to develop the culture of awareness.

Awareness and understanding of cyber risks are so important because these are the essential elements of the “human firewall” that is all that stands between the organisation’s critical IT systems and the clever social engineering tactics of sophisticated cyber-criminals. Such tactics are even more ubiquitous in our “always on” culture that is driven by the social media and applications accessed through smartphones and other mobile devices.  Employees need to be aware of the cyber risks inherent in the devices that are part of their everyday lives; and of the damage to their occupation and livelihoods that can be done as a result of ignorance, carelessness or inattention in their use (and abuse) of such devices.

For the security function in an organisation, the development of a mature culture of awareness and understanding is also critical. In order to achieve the shift in thinking needed to develop the culture of awareness, four things are required:

• Board and CEO Level involvement and support
• Training that is relevant to the job function.  Giving technical awareness training to a shop floor worker will have no impact.  If lessons from the training can be taken home and used there as well, big dividends will accrue from the reinforcement provide.
• Training must be fun.  A little humour lightens the load and will brighten the day of employees and mean that they are more likely to remember what was taught.
• Training must be continual.  It is more effective to do a little training each month than to have a single long session. 

Policy and Process

Moving onto to processes now.  First and foremost, all companies should have a cyber security policy.  It doesn’t need to be more than a page and should lay down what other polices are needed and who is responsible for producing them and keeping them in date.  Any of you who have achieved an ISO certification, in whatever subject you needed to, will have had a similar process to go through and if you ever wanted to achieve ISO27001, then you would need to fully understand and comply with this.

The development and documentation of an agreed set of clear and coherent policies and supporting standards, processes and baselines are essential to the success of a cyber-security program. These must be signed off at board level and preferably set within the context of the organisations cyber-security strategy. However, the nature of the policies and supporting elements themselves will, to some extent, also be governed by the risk management controls that are needed in order to manage risk to a level that is consistent with the organisation’s assessed risk, overall risk appetite and budgetary and cost constraints.  I talked about risk management last week and that can be found at https://hah2.co.uk/are-we-failing-in-our-cyber-resilience/.

The are 3 elements to this that are essential:

• Policy.
• Standards and processes.
• Minimum baselines.

This may seem onerous and a step too far for many businesses but they are essential to ensure that you are self-reliant and resilient.  The whole process need not be that difficult or expensive and it is a lot cheaper than many of the technical solutions managers jump to, without first ensuring that such technologies are actually what is required.  We can offer advice and guidance in this area (https://hah2.co.uk/why-use-an-independent-board-advisor/).

Policy is the highest element in the hierarchy – representing “why” the governance controls must be used. Below this, the standards and processes represent “what” needs to be implemented, in order to deliver compliance with the policy. Thirdly, minimum baselines constitute the element that shows “how” the standards and processes should be delivered. Each of the elements is discussed in more detail below.

Technology

Finally, we come to technology.  In last weeks blog (https://hah2.co.uk/are-we-failing-in-our-cyber-resilience/ ) I went into more detail about risk management and how we go about putting the right controls in the right place, to reduce our liability to the lowest level we can, without impacting operational resilience.  But let’s just reiterate that many of these controls will be procedural and not necessarily technical, or they might be a mix of the two.  The message is don’t get hung up on technology, approach it from a risk management point of view, treat IT and cyber security in the same way you would treat any other business process.  Don’t get swamped with technical jargon, it’s not that difficult.

Next Week

Another vital piece in our resilience matrix is disaster recovery and business continuity.  Not the same thing and I have already touched on this in recent articles (https://hah2.co.uk/you-can-outsource-your-it-but-you-cant-outsource-your-responsibility/), relevant to the current issues around CloudStrike.  Disaster recovery is how you plan to recover from a disaster whilst business continuity is all about how you keep the business running whilst you recover your IT assets and data.  It’s quite an involved subject and demands an article on its own.