Creating a culture of resilience

Campbell Murray, global head – BlackBerry Cyber Security Delivery, explains why businesses must acknowledge the reality of digitised threats and plan for them accordingly.

Sign Up

Get the New Statesman's Morning Call email.

To accept that a cyber security breach is a matter of when, rather than if, represents a realistic rather than defeatist outlook. As technology evolves, so too does the sophistication of its users, especially those in a leadership position; and in an increasingly digital age in which most industries and businesses have moved online, why should crime be an exception? According to research by SonicWall, since the WannaCry ransomware attack in May 2017, which disrupted up to 70,000 devices across the National Health Service, incidents of ransomware globally have increased by 44 per cent.

Cyber security, once an airy concept exclusive to IT department patter, has since become a necessary consideration for company boards. The increased adoption of cloud technology and the shift to paperless offices means that vast swathes of customer and staff data, both commercial and personal, are now stored online. Being able to manage and protect that data effectively is paramount to not only a company’s functionality but its credibility as well. People don’t want to use products and services they feel are unsafe.

Given the changing landscape of online threats, cyber security must progress to cyber resilience – that is the capacity a company has to withstand and overcome the impact of a breach. As much as this is to do with technology – the right software, encryption and firewalls are obviously all very important – delivering true cyber resilience also depends on people. There is a direct correlation between a breach’s impact on a business and the speed and nature of its response.

The cyber security “skills gap” is, at this point, a well-worn term. To call it an industry crisis is not an exaggeration. If companies fail to arm their employees with adequate cyber-resilient skills, the consequences could be catastrophic. Companies must view their staff as potentially vulnerable access points and routinely train and upskill the workforce. This shouldn’t be viewed as distrust as much as it should be considered damage limitation. Mistakes happen, but regular training can help to keep staff on their toes and ahead of the game. Precautionary measures for staff can range from the simplicity of changing passwords regularly, at work and at home, to hiring specialists to look after a company’s digital assets.

Too often, cyber security has been bolted onto products as an afterthought. Shifting the conversation towards cyber resilience would mean embedding protection measures into technologies and software from the start, as they are built. Many organisations, including banks and the NHS, are still using antiquated legacy computer systems, which are simply not compatible with the latest security measures necessary to keep pace with developing threats.

Having said that, it should be appreciated that installing new cyber security systems comes at a cost, and in some cases, such as with smaller businesses, the cost of replacing proprietary software entirely may prove prohibitive. This brings us back to the point about resilience. So, how can we make existing systems stronger?

There are available and simple techniques that are very efficient methods of identifying legacy systems. Isolation and strict access control are also important and underline the importance of the role of cyber security engineers. Systems that are no longer supported with patches should be quarantined from any other system environment, particularly end point networks. A single legacy vulnerability, after all, can be the gateway for malware and other attack vectors to spread extensively and rapidly.

Hardening and monitoring are crucial to building cyber resilience. Hardening means disabling unnecessary services and implementing least privilege concepts to limit exposure. Even legacy operating systems such as Windows 2003 can be hardened to a degree through applying an effective engineering lens to the problem with SDLC and threat modelling practices. The purpose of security monitoring, meanwhile, is to ensure that the system fulfils the defined security baseline and detects suspicious activities as swiftly as possible. Since many cyberattacks tend to coincide with starting or stopping processes, monitoring should involve authentication tests and continual authentication solutions are readily available.

It is ignorant and arrogant for a company to believe it will never be breached. And it is worth noting that the nature of a cyberattack is intrinsically unpredictable. WannaCry happened on a Friday afternoon. So-called “zero day” breaches are one worst-case scenario. Zero day breaches are up until that point an unknown exploit within software or hardware and cause complicated problems well before anyone realises that something is wrong. Cyber resilience entails being prepared for a threat you’ve never heard of before.

The main goal of business continuity management is to keep a company running smoothly and limit the amount of time it spends out of action. As well as having a forensic strategy in place – data recovery and intelligence specialists should always be on the staff if possible – there must also be a measured public relations element to any response.
Panic prevention is vital. Companies must agree their messaging to their customers as quickly as possible and take heed of previous PR disasters. Being concise and honest with customers about the scale and severity of an attack is a strategy that will yield longer-term reputational and trust benefits than playing something down, only to come unstuck as more information is learned about a breach. Backtracking can deal a hammer blow to credibility.

Ultimately, cyber resilience is not mitigating or tolerating weaknesses. It should instead be thought of as responses maturing alongside threat levels. Therefore, inculcating good cyber hygiene amongst staff, having the right kind of staff employed and the right security technologies in place from the onset, and having a clear-cut PR strategy, are all essential planning for any business hoping to stand any chance of surviving, let alone succeeding in the digital age.

To read BlackBerry's latest whitepaper on cyber security, click here.

Campbell Murray is global head – BlackBerry Cyber Security Delivery. He joined the organisation in February 2016, as part of the acquisition of Encription Ltd, where he was a founder and director. Campbell has over 20 years’ cyber security experience and has been involved with every aspect of the industry in that time, but with a noticeable focus in offensive security techniques and security engineering in the IoT, industrial and transport arenas.