Articles by the cybersecurity community

Guest Post - Ross Marston - #Business cyber demystified

Thank you to Ross Marston, founder of Business Intelligence Security, for writing the below article about cybersecurity for businesses. 

.........

I’m lucky enough to get to talk to a lot of different business leaders, and I get it.  It’s daunting for many.  Particularly SME/SMBs . Most businesses are aware that cyber security has the potential to massively damage their business.  The evidence is in the news daily.  And you think to yourself, “well if they got hit, what hope do we have?”. Well, I’m here to reassure you, and offer you a lot of hope. Below is a path to cyber resilience.  It’s not a silver bullet, because they don’t exist.  It’s a solid plan.  You may need some assistance with some or all of it, but that’s okay.  The main step is that you take charge and address this risk in your business.

“I’m here to reassure you, there is a lot of hope…”

Many business leaders simply assume their I.T. department or provider has cyber covered. They don’t! And there’s many good reasons why they don’t. Not the least of which is, cyber isn’t an I.T. problem. It’s simply a business risk that the risk managers (business leaders) need to address.
It is within ANY business’ reach to be Cyber resilient.  100% secure is impossible.  So, we aim for resilience.  Having a Cyber Resilient business is the name of the game.  
It’s the like saying, “I’m 100% sure I won’t get sick”. Ridiculous!  But being resilient to disease is very achievable. Resilience is simply the ability to bounce back readily from adversity or challenge. To be resilient you need to be prepared.

“it is within ANY business’ reach to be Cyber resilient”

Let’s look at our health analogy for a moment.  Many things affect your health, from genetics right through to your immediate environment.  The main thing you can do to positively impact your health is to prepare in advance.  Something like the following…

Think about your most likely health threats. Let’s just look at Flu for example.
If it’s flu season, plenty of hand washing, and avoiding direct contact with sufferers plus a few immune boosting supplements or foods will help.
At all times, boost the immune system by eating healthy, avoid too much booze, and stay fit, plenty of sleep, plenty of positive mental health time, etc.
If you still do get sick, rest up, plenty of fluids, take it easy, don’t spread it.
Get back on track as soon as possible.

Basically, have a plan. If you have no plan, then you are just at the mercy of whatever comes along.

It’s the same for business, no plan is not a good idea.  Your business needs a plan for everything it does.  No business owner starts without a plan, and just lets whatever comes along, happen to them.  They plan, and they measure how their plan is going.
Cyber is the same.  Many factors affect your business’ cyber resilience.  So, you need a plan. It’s simply another business risk you need to plan for. It’s certainly not an IT problem.  It’s a business risk, and it needs to be managed by risk managers.  Business leaders in other words.

Where to Start

So, let’s assume for a moment that you don’t know where to start with becoming Cyber Resilient.  Well fortunately many have been there before you.  One source we are going to leverage now, for our basic plan, is the U.S. National Institute of Standards and Technology.  Or N.I.S.T. as they’re known. They produce all sorts of cool stuff from standard weights (the standard Kilogram for example) through to Cyber Security Frameworks (CSF).

What I like about the NIST CSF is its simplicity and scalability.  It can easily scale from small start-up to international enterprise behemoth, and government.  It consists of 5 simple steps that your business needs to flesh out according to its requirements. It looks like this…
 

We all know that Action Changes Things, so let’s break that down into action points…

Cyber Security Plan action list

1. Identify what is important to your business. What is most critical?
a. These are your Information Assets.
b. You need to know what’s most important, as it is no point in finding that out once it’s gone. (Reminds me of that Joni Mitchell song, Big Yellow Taxi.  “You don’t know what you’ve got ‘til it’s gone.”  Take stock before hand.  That way you know what to protect.
c. You also need to prioritise your assets.  Which ones are MOST important and critical? Rate them! (There’re standardised ways to do this easily)

 

2. Have a plan to protect those critical assets.
a. These are your controls.
b. Depending on the asset, this may be something simple like a policy or something technical like Multi Factor Authentication. Or any combination of other types of controls as well.
c. One thing is for sure, you need layers of protection.  Not just one, so you you’ll likely use multiple controls
d. Start at the most critical Assets identified in step 1, and protect them first, then move down the list.

 

3. Have a way to monitor and Detect to ensure your plan is working.
a. You wouldn’t have a financial plan and not look at your P&L to make sure it’s working. The same way you need ways to monitor that your controls are working.
b. You also need to know that things aren’t slipping through the cracks.
c. If you aren’t measuring, you have no idea if it’s working.  If you have no idea if your plans are working, why make plans?
d. Pro Tip: Discovering you’re the victim of Ransomware and your entire business is shut down is NOT monitoring! That’s disaster.

 

4. If you detect an incident despite your best efforts, how will you respond?
a. No plan is foolproof.  Hence, you need to know what you’re going to do, when you discover your plan isn’t foolproof, and you detect an event that shouldn’t be happening.
b. One thing I can guarantee, after responding to many cyber incidents. In the midst of an incident is NOT the time to be figuring out what to do.  Make a plan first!
c. Know who will be in the response team, what the communications channels are, who needs communicating with, what will be said, who’s making the decisions.  There’s a bunch of things to go in here, and again, there’s many who have trod this path before you.  Don’t re-invent the wheel.

 

5. Once we’ve responded how will we Recover, to get back to where we were with the least fuss, and be stronger than we were before?
a. We detected and incident and enacted our plan The incident is now resolved. How do we get back to where we were in the shortest possible time frame?
b. Not only back to where we were, but better.  Stronger! What did we learn about how our plans above can be improved?  Let’s fix the plan.

And there my friends, is a Simple Cyber Resilience plan.

Sure, it needs fleshing out and customising for your business.  But it’s a framework ANY business can work with. You may need help with some or all of it, but you need to be in charge.  And let’s face it, there’s a whole lot of people in the cyber security industry only too happy to assist.

If you do need to demonstrate compliance to a cyber standard, then maybe the ASD ISM  PSPF, DISP, Right Fit for Risk, or ISO/IEC27001 are more appropriate.  Or maybe you need something simple and prescriptive like the ASD Essential 8.  It’s a good starting point, but lacks any policy framework, which I think is essential. 

But if you just need to start, do the above.  It works. I have implemented it many times and it serves its design purpose, to help make your business more Cyber Resilient.

Stay Safe!
Ross Marston CISSP