There are two kinds of organisation in today’s business world. The distinction is not one of size or sector. Nor is it a question of profile, product or profitability. What differentiates them is their approach to data security and whether their mindset is reactive or proactive.
It sounds simple enough and yet the reality can be far from straightforward. Reactive organisations have not necessarily invested less in their cyber security. They may have a diligent security team in place with hefty budgets allocated to the task. Yet, unless their data security is regularly challenged, they will only be able to react when a breach occurs. They will be caught on the back foot, possibly in the full glare of the media spotlight, and this can make for uncomfortable viewing.
While some may believe that there is no such thing as bad publicity, few companies that have experienced breaches would agree. From the details of those customers affected, the hefty GDPR-related fines imposed (sometimes running to millions) and the estimated damage caused to a business’s reputation and long-term profitability, it can be a long road back from a cyber attack. We watch mistimed statements, chaotic customer helplines and ineffective damage limitation, and it is not hard to see that bad publicity can in fact be very damaging indeed.
The truth is, however, that no one sets out to be reactive when it comes to data security. Many businesses may actually believe they are taking a proactive stance, simply because they are investing a certain amount of time and resource into regulatory compliance and data security. Yet examining their data security posture during a period of calm can reveal some tell-tale signs. So, how do you know if your organisation is proactive?
One of the most obvious indications of a proactive stance is that data security appears high on every board agenda. After all, a data security breach affects all aspects of a business, so the whole board has a collective investment in a resilient strategy. In addition, the CISO, or those assigned the task of data security, must be able to exert board-level influence. When significant investments need to be made to enhance data security, it is essential that the CISO is given the authority to communicate effectively with the whole senior team.
It may at first seem counterintuitive for a CISO to make a case for additional support and resource. There are, however, plenty of precedents for this. The finance director in many organisations will be supported by external accountants, and the head of legal can often call on a team of specialist lawyers and legal advisers. Similarly, a CISO is not undermined by requesting additional support; it is an important requirement, because external specialists are able to bring expertise and knowledge from different organisations and sectors to challenge, enhance and improve existing data security.
In reactive organisations this is unlikely to be the case. Many only allocate sufficient resource to pursue regulatory and legal compliance standards. This is a trap into which many organisations fall: the belief that if they are compliant, they are secure. They are not.
This is not to undermine the need for compliance. Far from it. Those who meet the regulatory and legislative requirements for their industry are better placed than those that do not. Effective data security is, however, about more than compliance. A box ticked and a certification achieved means nothing to a malicious hacker, after all.
So, what type of external professional services are used by proactive businesses? Assuming that there is a regular test and exercise programme already in place; that a business routinely checks for vulnerabilities and gaps; and that the organisation is already cyber mature, the next level of challenge comes from Red Team engagement.
In a world of information security riddled with acronyms, the deceptively simple ‘Red Team’ may take a little explaining. The term has its origins in the US intelligence community: essentially, a Red Team explores alternative futures, challenging an organisation to improve its effectiveness. In our context, a Red Team provides real-world attack simulations designed to assess and significantly improve the effectiveness of an organisation’s entire information security programme. CREST qualified consultants have the combination of rigorous training and real-world experience to think creatively and recreate the actions of a genuine hacker.
The ultimate goal is to use offensive techniques to enable an organisation to identify areas for improvement and/or to validate the capability of its response. The scope is not limited to cyber security but can also include consultants going undercover within an organisation to explore the breach vulnerabilities of every aspect of the business. It goes without saying that allowing this level of access to your organisation’s networks and systems requires a high level of trust, so it is important to engage with a respected consultancy in this sphere.
The second type of professional service of positive benefit to cyber mature organisations is Retained Forensics. With business continuity at its core, this service adds value to any organisation which is required to comply with GDPR, PCI DSS or other regulatory requirements, because it takes a proactive approach to securing data.
The service employs the skills of experienced professionals to oversee the high-level management of cyber defences across all networks and infrastructure. Supporting the existing CISO or data security professionals, a Retained Forensics team brings a breadth of industry knowledge to refine and enhance a test and exercise programme, to ensure that a system is as secure as it can be. With their thorough knowledge of an organisation’s systems, they will also be on hand and ready to assist in putting the agreed action plan in place in the event of a breach. In this way, the 72-hour reporting requirement of GDPR will be achievable and the mitigation process will be well in hand before the deadline.
Demonstrating a proactive approach to protecting customer data puts businesses in a stronger position when dealing with acquiring banks or any other regulatory authorities.
A Retained Forensics service enables businesses to build in reporting and mitigation strategies that reduce the impact of a breach if one occurs. This reflects the fact that the initial ‘golden hour’ of each incident is key to successful containment. Retained Forensics can also include information exchange workshops to ensure that resource is deployed accurately, as well as incident simulation and incident response. Businesses can access support and advice via remote response, to enact swift containment and a robust mitigation process, and on-site response, to acquire evidence that supports further risk reduction.
Rather than focusing on the existing security plans, these specialist professionals enable organisations to think: ‘We have this highly sensitive data – can anyone get access to it?’ Since effective data security relies on robust and regular challenge, it follows that such challenges cannot be conducted effectively from within. Significant value can be gained from engaging with external specialists to turn current thinking on its head, turning a reactive mindset into a proactive one.