
    Top lessons from cyber attacks

    Balancing defence in depth with cyber resiliency emerged as the top theme in a panel discussion on the top lessons from past cyber attacks at the National Cyber Security Agency’s (NCSC) CyberUK conference in Glasgow.

    Business recovery is vital, said Lewis Woodcock, head of cyber security compliance at Maersk, the Danish transport giant that was one of the companies hardest hit by the 2017 NotPetya attack, with about 50,000 endpoints and thousands of applications and servers affected.
    “Organisations need to ensure that they understand their core business processes, systems and applications,” he said. “From there, you can get the criticality of them and how to protect and secure them.”
    This requires a balance between preventative and recovery measures, said Woodcock. “Companies must work with the belief that they won’t be able to stop each future attack with preventative measures, so there must be a balance with recovery.
    “With appropriate investment in both protection and recovery, companies will put themselves in a much better position.”
    Another big lesson for Maersk, said Woodcock, was that the effects of an indirect cyber attack can be just as damaging as a targeted attack.
    “Maersk and the maritime industry were not the targets of NotPetya, and yet, along with many other international companies, we were part of the collateral damage, and that serves as a wake-up call for many, especially those who assume that attacks of a certain size and scale are always going to be targeted,” he said.
    Cyber security risk is a risk-management challenge, not merely a technical one, said Gwenda Fong, director of strategy at the Cyber Security Agency of Singapore, which was involved in managing the response to the 2018 breach at SingHealth that exposed the non-medical personal data of 1.5 million people – about 25% of Singapore’s population.
    “As with all kinds of business risk, cyber security risk needs to be managed at the appropriate level,” she said. “Cyber security is about achieving a balance between security, the usability of systems and cost. This is a matter of judgement and trade-off that needs to be made, depending on the nature of the threat and the criticality of services being run.”
    For this reason, said Fong, it is important for organisations to have a reporting structure that supports the key business leaders in making cyber security decisions, such as the allocation of resources.
    Defence in depth
    When it comes to cyber defence strategy, organisations need to adopt a defence-in-depth approach, said Fong. “This means implementing stronger and multi-layered security mechanisms to protect the organisation’s ‘crown jewels’, which could be customer data or, in the case of SingHealth, patient data.”
    The need to exercise incident response plans was another common theme in the panel discussion. “The SingHealth data breach showed that there is typically a need to close the gap between policies and practices,” said Fong.
    “Organisations need to ensure that practices on the ground match the intent of cyber security policies. Operational staff who run security operations need to be familiar not only with the policies and processes, but they also need to internalise the intent and logic so they are able to act in line with the intent of the policies as situations arise.”
    This means that organisations need to invest in the development of security policies as well as regular refresher training for operational staff and regular exercises, she said. “These are akin to a fire drill in the sense that they test that operational staff are familiar with incident response processes.”
    In terms of cyber attack exercise planning, Woodcock said his advice to organisations is to “think big”. “Don’t prepare for small incidents,” he said. “Prepare for huge incidents that are not necessarily a technology incident and that will not be resolved within your core team, but involves working across the organisations as well as with suppliers.”
    Giving the UK cyber security agency’s perspective, Nicky Hudson, NCSC director of communications, said years of dealing with cyber attacks have shown that preparing and exercising incident response plans is essential.
    “This is about knowing who is doing what and the role they play,” she said. “This is incredibly important. Organisations need to think about all stakeholders and how you are going to look after your staff, because cyber attacks seldom happen at a convenient time and they are not usually over quickly. They can sometimes take days and weeks to resolve, and incident response plans need to take into account that people get tired and hungry.”
    Speedy, accurate communication
    Communication during and about cyber attacks emerged as another key theme in the panel discussion. The SingHealth data breach underlined the need for early and accurate communication with key stakeholders, said Fong.
    “The public was informed of the SingHealth data breach a mere 10 days after the incident was reported [to Singapore’s Cyber Security Agency],” she said. “Within that time, we had a team on site helping SingHealth contain the incident and reconstruct the attack and determine exactly what data was exfiltrated so that we could confirm that no medical records were modified or deleted.
    “We had to balance the need for speedy communications with the need to manage the crisis at hand and get the facts right.”
    Another important thing to remember, said Hudson, is that communication is not just about the media when an attack or breach goes public.
    “It has to be in the very widest sense of comms, so it is also about internal comms to keep staff informed and potentially comms with regulators, people affected by the breach and suppliers,” she said. “You need to know up-front how you are going to communicate with them.”
    Hudson said comms within organisations also have an important role in bridging the various communities of stakeholders. “They need to be continually asking questions to ensure that there is a common understanding of what is going on and who is affected, that everything that goes out is consistent and makes sense, and that everyone involved is on the same page.”
    In terms of communicating with the media about a cyber incident, Hudson encouraged organisations to contact the NCSC for help. “The NCSC can be a bridge between an organisation dealing with an incident and the media,” she said, adding that if it is a cyber attack, by involving the NCSC, the agency can work with organisations not only to get messages out to the media, but also to mitigate the effect of attacks and translate incidents into what needs to be done and who needs to know.
    “We will work with you as a trusted adviser,” she said.

    In the wake of the SingHealth breach, said Fong, investigators were able to reconstruct the attack and see what had happened fairly quickly because of good, comprehensive data logs. “We were really fortunate because we had good logs for the SingHealth database,” she said.
    “It may seem a very straightforward point, but it is non-trivial. I cannot over-emphasise that the database logs helped the investigation team a great deal. Good housekeeping augments incident response.”
    The availability of good data is one of the main challenges faced by cyber security incident responders, said Ollie Whitehouse, chief technical officer at NCC Group.
    “The availability of good logs in a timely fashion is critical,” he said. “But there are many organisations that cannot give you visibility into their estate and what has happened – and that really frustrates the investigation.”
    The second common challenge, said Whitehouse, is the inability of organisations to respond to an incident, such as being able to lock things down quickly.
    “And the third challenge is the supply chain,” he said, “particularly where there are contractual limitations where you need help from a supplier, either in giving clients logs in a timely fashion or in allowing third parties such as incident response firms access to their systems in order to protect the larger entity.
    “Addressing just these three problems will enable organisations to have a far more effective response. This is particularly when things come to light weeks, months and even years later because the inability to go back in time due to the lack of data leaves many questions unanswered, and this can be very frustrating when you have got to report to regulators or shareholders.” 
    Service-level agreements
    For this reason, said Whitehouse, it is important to have the right contract in place that will allow rapid access with service-level agreements (SLAs) to the data the organisation will need in the event of a cyber attack.
    “If a supplier becomes obstructive, it is vital that you have a contractual means to fall back on in order to force their hand and prevent them from making it difficult to get to the data you need,” he said. “If you can establish up-front in the contract what your expectations will be and in what timeframe and who to contact, this can be very slick.”
    From a law enforcement perspective, one of the most important things when it comes to cyber attacks is to report the incident to the police, said Jim Stokley, deputy director of the National Crime Agency’s National Cyber Crime Unit (NCCU).
    “Organisations can rest assured that by reporting incidents to the police, no information will be shared with regulators,” he said. “You are a victim of a crime, and the information we have will be treated as confidential.
    “But reporting the incident is important because it enables us to adapt and respond to the threat as well as being able to investigate it, and any resultant prosecution can act as a deterrent for cyber criminals in future. So I encourage all organisations that are hit by cyber attacks to report those incidents to the police.”
