The best business decisions are frequently made based on senior leadership’s trust in facts, figures, and calculations produced by appropriate parties within the organisation. Relying on gut instinct—or, worse, potentially false or incomplete information—is a risky path to take, particularly in cybersecurity.
1. Do we know what needs to be protected?
(i.e. hardware, software licenses, IP, and other sensitive data)?
Hardware and Software
You can’t defend assets if you don’t know about their existence, purpose, location, and status information like configuration, age, and version. Cybersecurity defence necessitates paying close attention to details such as device type, model, operating systems, software, and firmware versions, how they are used, and so on. If you ask for your company’s asset inventory and receive hesitant responses, assume you’re in trouble. This may sound glib, but the reality is that even when you know what you’re defending, such as location, condition, and so on, it’s still difficult to secure. In addition, you may discover a device that has been sitting in a closet for months, unseen. Once activated, it may be out of date on security updates, out of support, or even compromised.
Your team should be aware of the data you have, where it is stored, and how it is used. This is an important aspect of system design, security, and management. Identifying, categorising, and organising the data also aids in determining its value, who should have access, and what response is expected when unauthorised access, corruption, or destruction occurs. In many cases, incident responses reveal this to be a major flaw in an IT environment. Unfortunately, far too many IT departments are unable to provide accurate answers to questions about where a company’s data is stored, who has access to it, and even whether it is properly backed up.
Policies & Procedures
Policies are an important starting point in any risk management programme, but a few key factors should be considered from an executive standpoint, such as policy development, how policies were chosen and supported by processes, education, and remediation. Policies can be a huge help in managing your security posture and can lead to significant improvements, but they can also be a source of significant legal risk if they are not properly defined or, worse, are not implemented and enforced.
If your policies are only known to the heads of staff as institutional knowledge, it means there are no policies. Employees, managers, disinterested parties, auditors, and others with an interest, such as customers, partners, service providers, and so on, should be aware of and understand them.
2. Are my employees properly educated about cybersecurity threats?
It is not sufficient to train employees by providing them with information and then testing them on what they remember.
It’s more important to show them why they need to understand the information, as well as the consequences of not doing so.
failing to act appropriately, and testing them at random to see how they react when faced with a decision
This could result in a successful attack.
Random testing alone results in more cautious behaviour and a decrease in careless or reckless behaviour.
Without warning, testing must be as stealthy and realistic as possible. Also, make it randomised so that the targets are different.
Don’t expect it or become complacent in the face of it.
3. Does our cybersecurity strategy address business risk? How?
It is critical to understand how technology is accessed and leveraged, as well as the consequences of an attack on that technology. Many employees do not fully comprehend the business ramifications of a major cyber incident, whether intentional or unintentional, until they are in the thick of it. It is critical to understand the potential consequences of a potential incident, which can range from a simple outage to a major disaster or complete loss of system access and control in a ransomware event. You can’t build a plan or resistance and resilience unless you fully understand the consequences of not doing so.
It is critical to be able to recover from a ransomware incident without paying a ransom. The ability to operate during an attack, on the other hand, is worth investigating.
4. How confident are you that we could recover quickly if we were hit by a major attack?
Many organisations do not have a plan in place for quickly recovering from a major attack. Before an incident occurs, key issues such as reducing downtime, preventing or minimising revenue loss, addressing customer experiences during a recovery, and minimising recovery costs must be addressed. In the absence of such a plan, trying to recover systems and data may cause chaos, and critical systems may not be available in a reasonable time as required by the business. Furthermore, simply having a plan is insufficient. Because environments are constantly changing, organisations must review recovery plans on a regular basis, prepare for a potential attack by testing those plans, and adjust as needed.
Incident Response Plans
Response plans should include the most recent test results as well as any changes made since the last test. An incident response plan must be overseen by someone who reports to the C-suite. The plan’s purpose is to identify, communicate, and document all of the key areas of business that must be covered in the event of an attack, and then to communicate with the C-level suite to secure the funding to put the plan into action. The use of information technology is a critical component of this strategy. However, marketing, operations, customer service, and sales may all play a part. After the plan has been approved and implemented, its execution can be tested and the results reviewed on a regular basis. Is there anything that needs to be changed as a result of changes in the environment, personnel, or reporting structure?
Disaster Recovery Plans
Include the most recent test results and adjustments. The ability to recover from a catastrophic failure is referred to as disaster recovery (DR). Previously, it was usually related to systems, but ransomware has recently been added to the list. The ability to continue operations even in the face of a catastrophic incident is referred to as business continuity (BC). Having a secondary duplicate site, for example, that will take over as needed. Organizations must regularly test their DR/BC environments and be able to present the documented test results.
Business Continuity Plans
Assume the worst-case scenario of ransomware or another widespread destructive/disruptive incident. How would you carry on operations? Are there any offsite backups that can be restored right away, or secondary sites that can be activated? How long does it take to restore backups or activate backup sites?
Ransomware and other major attacks are no longer coming solely from outside the organisation. An unsuspecting internal user may unintentionally introduce malware into the organisation, resulting in a major attack. There are several tools available to assist organisations in detecting insider threats and providing real-time protection. How is your organisation defending itself against these attacks? What tools have been put in place, and how are they being monitored? Is the C-suite aware of the measures put in place to combat insider threats?
5. What measures do you currently have in place?
It is critical for business leaders to understand the current systems in place in order to properly evaluate an organization’s cybersecurity programme. Specifically, the tools used to prevent or mitigate threats that may have an impact on the organisation. These systems should be checked, documented, and tested on a regular basis, with detailed reporting output.
6. How do we manage our Cyber Security program?
It is critical for your organisation to use clear objectives and metrics wherever possible in order to maintain an ever-evolving, ever-maturing security programme. The beauty of a cybersecurity programme is that all initiatives eventually lead back to tangible risks, allowing your organisation to develop a quantifiable action plan to address said risk.
These quantifiable metrics can be as simple as calculating how many of your IT controls passed vs. failed during an audit, or how many new hires had a background check and how many did not.
However, one of the most exciting aspects of developing an evolving security programme is that your metrics become more advanced as your programme matures. You start to develop Key Risk Indicators (KRI) and Key Performance Indicators (KPI) that can be linked to monetary values. For example, you could assess the likelihood and impact of a ransomware attack on your organisation once every four years and determine that the attack would cost $500,000. You’ve successfully calculated an annualised expected cost of $125,000 for your organisation, which can now be budgeted for over four years.
7. How do you decide how much money to set aside for technology risk management?
As cyber threats become more prevalent, it is critical to align appropriate budgets with technology risk management. Investing in cybersecurity is akin to purchasing insurance. It may be difficult to quantify, but it is necessary in order to reduce the risk of revenue loss, customer information, intellectual property, company downtime, and reputation.
There is always room for improvement, no matter how many technology companies you have incorporated or how good you believe your cyber controls is. Most businesses do not have an unlimited budget, but cybersecurity is a necessary cost of doing business: “an ounce of prevention is worth a pound of cure.”
The National Cyber Security Centre (NCSC) is part of the Government Communications Security Bureau. Our role is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats.
CERT NZ is your first port of call when you need to report a cyber security problem. We support businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice.