Cybersecurity is more than firewalls and anti-virus, more than zero-trust architectures and cultural change, and more than policy and compliance. It is not a one-off ‘action’ or a ‘solution’ you buy; it is an ongoing activity that needs constant review and updating. Cybersecurity planning will differ for each company, but the questions in this guide should help.

The risks and threats are always changing, and an attacker only needs to find one weakness, once. The effort is asymmetric: a small effort can bring a big reward, millions of attempts can be automated, and attackers only care about what works.

Cybersecurity planning can be broken into four aspects:

  • Preparation – planning, documentation, understanding what assets need protection.
  • Protection – not just technical defences, but also policy development, staff training.
  • Recovery – a business that is hacked can suffer major losses, and recovery is the aspect most often forgotten. It covers restoring data and systems as well as restoring reputation.
  • Review – audit and check your plans, test and validate that they are up to date.

The risks from Cybersecurity incidents

The three risks that companies are subject to are:

  1. Risk of being unable to operate and deliver their products or services
  2. Risk of data loss – which may lead to regulatory fines or even prosecution
  3. Damage to reputation, trust, credibility and ongoing brand damage

Preparation

Analyse how systems are currently used to find the key parameters that will decide how cybersecurity issues are best handled. The company needs to know what it is protecting, where it is, and who needs to use it.

  • Where is data kept? Where are systems and services hosted?
    • On-site? Co-Lo/hosted datacentre? Cloud? SaaS? Is there a full inventory?
  • What are the most important data assets and systems?
    • Are they prioritised and documented? (Gold/Silver/Bronze etc.)
  • What is the most critical?
    • Don’t forget external systems and data sources – Github repos, data feeds from public sources, website hosting, SaaS etc.
    • Have they been assessed and rated for Confidentiality, Integrity and Availability?
  • How are systems currently secured?
    • Network protection like firewalls, access control lists, subnets and VLANs
      • Are there up-to-date diagrams and documentation?
    • Authentication systems like Active Directory/Entra, Okta, local user accounts
      • How often is this audited – and is it audited by the application/data owners?
    • Physical security for on-premises systems
    • Endpoint security like anti-virus, anti-malware, system policies etc
  • Where are the weak points?
    • People – always a weak point. Are they screened, trained, monitored?
    • Mobile and edge devices – how are they monitored and secured?
      • Are there any Industrial / OT / PLCs / SCADA devices?
      • Don’t ignore the landlord’s building access / swipe card systems
      • Personal mobile phones, laptops, USBs/CDs with company data
    • 3rd parties and suppliers (include cleaners, landlord, maintenance – anyone who has keys)
      • Consider the supply chain of data and services – and 4th parties
    • Paper records and other in-office data storage
    • Wi-Fi and remote access systems like VPNs (or dial-in systems)
    • Old/legacy systems that cannot be upgraded to better security
      • Consider all devices, including printers, projectors, IoT devices
  • Have security products been deployed and then left without ongoing monitoring or review?
    • It is common to purchase a firewall or anti-virus and then simply trust that it is working
    • Intrusion Detection Systems, SIEM and log collectors – are their alerts and logs actually reviewed, and by whom?
  • Is there an existing cybersecurity strategy?
    • When was it last tested and updated?
      • Was it a table-top exercise, or a real system test?
      • What were the results? Have any improvements been made as a result?
    • When was the last incident? How are near-misses and incidents logged?
    • Has there been any external validation, like a penetration test or audit?
  • What is the regulatory environment or external obligation for the business to comply with?
  • If there are contracted services, have the contracts been reviewed for currency?
  • Have 3rd party suppliers verified that their Cybersecurity plans have been tested?

Protection – Policy and Procedures

Cybersecurity is not just a technical exercise. Most of the work is documentation, design and planning, and the creation of policy and procedures. Given enough time almost every company will have a cybersecurity incident; the company’s response and handling will make the difference between a contained event and a disaster.

  • All systems and services need to be documented.
    • System configuration – in case the system needs to be re-implemented (e.g. SaaS services, re-installed software etc.). Include customisations or special patches
    • Systems interactions and integrations – where data is stored, gathered, and provided
    • Security and access permissions
    • How important is this to the business?
    • Dependencies and antecedents – what do systems depend upon to be working properly (such as Active Directory / Entra, databases etc.), and what will depend upon this system (web servers, BI systems, client facing systems)
    • Business functions that depend on this system – will this system being off-line affect clients / billing / human lives / business obligations?
    • Who is the owner? Who needs to be contacted? Who is the administrator?
    • What would the impact be if the system was offline?
      • What if data was deleted?
      • What if data was modified?
      • What if data was stolen? How can they tell?
    • What are the obligations for notification if data is stolen / leaked?
      • Notifiable Data Breach (NDB)
    • Are there any 3rd parties or contracts in place?
  • What are the user policies around cybersecurity?
    • Have users been trained and informed?
      • This is often done with boring presentations and scare tactics – consider how to make this interesting and increase compliance
    • Do the policies cover all identified data assets and systems? Are users informed of the most important systems?
    • Is there a process to declare and record incidents and near misses?
      • Does the company want to record un-targeted attacks like generic spam/scams? Will a user report phone scams and incidents out of business hours or to their personal device?
    • Are personal devices covered? Consultants and contractors? Third parties?
      • What about home PCs used for accessing company resources?
  • How will the company handle an incident?
    • Is there an identified responsible person? Are they authorised to make decisions and speak on behalf of the organisation?
    • Communication and information release is increasingly important – are there prepared media releases / website announcements?
    • What frameworks or regulations will be followed?
  • Patching and updating – is this an auditable process?
    • Are all components’ versions and patch levels known? If an exploit is published, will the company know which of its assets are at risk?
    • Are patches and updates tested before deployment? Is the test environment refreshed from the production environment regularly?
    • Is there a roll-back process for patches / updates / signature updates?
  • Is there a change advisory board (CAB) and an SDLC/ITIL-based release and change management process?
    • Are roll-back processes required for all security and critical changes?
    • Is post-implementation testing required for critical and security changes?
  • For a ransomware attack – what is the organisation’s response?
    • Accept data loss and recover from last backups?
    • How much would they be prepared to pay (not to the extortionist, but to specialist firms for decryption and restoration)?
    • How quickly can they decide to isolate affected systems and stop the spread?
  • Does the organisation have a separate response approach for untargeted (virus etc.) attack vs targeted attacker vs external issue (3rd party taken down)?
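The patching questions above come down to one capability: when an advisory appears, can the company map it onto its own inventory and see which assets are at risk, most critical first? The script below is an added example (not from the original article) of that mapping. The inventory, the product names and the affected version ranges are constructed; the Gold/Silver/Bronze tiers follow the prioritisation suggested in the Preparation section. It handles plain dotted numeric versions only; vendor build strings and pre-release tags would need the vendor’s own comparison rules.

```python
"""Added example: match an advisory's affected version ranges against an
asset inventory and list exposed hosts, most important tier first.
All inventory entries, products and ranges below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIER_ORDER = {"Gold": 0, "Silver": 1, "Bronze": 2}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    tier: str  # Gold/Silver/Bronze prioritisation from the Preparation step


@dataclass(frozen=True)
class AffectedRange:
    product: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """'1.24' -> (1, 24, 0, 0) so that '1.24' and '1.24.0' compare equal.
    Only dotted numeric versions are handled; anything else raises ValueError.
    That is deliberate: an inventory entry whose version cannot be compared
    against an advisory is itself a finding to fix."""
    parts = tuple(int(p) for p in v.split("."))
    if len(parts) > width:
        raise ValueError(f"too many components in version {v!r}")
    return parts + (0,) * (width - len(parts))


def is_affected(asset: Asset, rng: AffectedRange) -> bool:
    """True if the asset runs the advisory's product inside the affected range."""
    if asset.product != rng.product:
        return False
    v = parse_version(asset.version)
    if v < parse_version(rng.introduced):
        return False
    return rng.fixed is None or v < parse_version(rng.fixed)


def affected_hosts(inventory: List[Asset], ranges: List[AffectedRange]) -> List[str]:
    """Hosts exposed to any range in the advisory, ordered Gold, Silver,
    Bronze so the response effort goes to the most critical systems first."""
    hit = [a for a in inventory if any(is_affected(a, r) for r in ranges)]
    hit.sort(key=lambda a: (TIER_ORDER[a.tier], a.host))
    return [a.host for a in hit]


# Constructed inventory: a real one would be exported from the CMDB/asset register.
INVENTORY = [
    Asset("web01", "nginx", "1.24.0", "Gold"),
    Asset("web02", "nginx", "1.25.3", "Silver"),
    Asset("db01", "postgresql", "15.3", "Gold"),
    Asset("legacy-print", "nginx", "1.18", "Bronze"),
]

# Constructed advisory: two affected branches of the same product, both fixed.
ADVISORY = [
    AffectedRange("nginx", "1.20.0", "1.25.1"),
    AffectedRange("nginx", "1.0.0", "1.19.5"),
]

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY, ADVISORY):
        print("at risk:", host)
```

The point of the exercise is less the version arithmetic than the inputs: if the inventory is incomplete or the versions in it are stale, the answer is wrong no matter how good the script is, which is why the Preparation section asks for a full inventory and the patch questions ask whether versions are actually known.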

Recovery – getting back on line

The business will need to get its services back, or fail over to an alternative. This requires a disaster recovery plan to restore data and systems, but must also include a Business Continuity Plan: how to operate while the business is impacted.

  • Is there a dedicated person to manage and control recovery? If this is not a CISO or CIO, is the person authorised to make decisions, and to speak to the media / authorities / a minister?
  • Business Continuity – how will the business continue to operate during an incident?
    • Who needs to be informed?
      • Does a website announcement need to be made to customers? A Twitter or LinkedIn announcement?
      • Are the contact lists up to date? Are there alternative contacts?
      • Who has the authority to “declare a disaster” and initiate a response plan?
      • Is there an escalation hierarchy? If a manager is not available, does a director get notified? When does the CEO need to know? What about the Board?
      • How will the business communicate with suppliers and external 3rd parties (imagine email is down) – is there a phone list, or will an off-system email be used?
        • If an email address (such as [email protected]) is used, are suppliers aware that this is a valid DR address, or will they treat it as a scam?
    • Are there any paper or manual processes that the business can follow, to continue to operate?
      • How long can the business continue to operate on paper or manually?
      • How will data be re-entered into the system when it is available again?
      • Are there any obligations or compliance that are required – quality, security, avoiding duplicates etc.
  • Is there a documented process of how to respond to a cybersecurity incident?
    • It is common to panic and aim only at getting everything back online – but restoring systems before the attacker has been removed can preserve their persistence and let the attack resume
    • Does forensic evidence need to be gathered? Collect logs and configuration before systems are wiped or rebuilt
    • What are the steps to eradicate the infection/attacker/risk?
  • Is there a process for lessons-learned and continuous improvement?
    • Can quality be improved? What went wrong (something always will)?
  • What external support and contracts are available?

Audit and Review

Technology never stands still, and neither does business. Changes occur, and documentation is not updated to match.

  • When was the last time this was reviewed?
  • Is the current security appropriate and up to date?
    • Have all access permissions been audited and approved?
    • Have the data/application owners reviewed access permissions to their systems?
    • Have access failure logs been reviewed?
  • Is network configuration and security up to date?
    • If there is a VPN, does it give access only to the networks its users actually need?
  • Is regulatory compliance up to date?
    • Has anything changed in the regulations?
    • Are there new obligations or responsibilities?
  • Have the per-department Business Continuity Plans been tested?
    • Has this been over-seen by a person who is not in that department?
  • Have contact details been checked for completeness and accuracy?
  • Are paper/external records up to date?
    • This can be a “battle box”, or folder of all DR / BCP plans, or a USB drive, or a cloud site that is not accessible by internal user accounts
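“Have access failure logs been reviewed?” is easy to ask and rarely done by hand, because the interesting events are buried in noise. The script below is an added example (not from the original article) of the kind of first-pass review a small team can run over authentication logs. The log lines are constructed in sshd’s syslog format, and the list of disabled accounts is a constructed stand-in for the leavers list the data owners should be maintaining. It separates four things a reviewer wants to see: sources hammering the system, probes for accounts that do not exist, attempts against accounts that should already be gone, and a success that follows a run of failures from the same source.

```python
"""Added example: first-pass review of authentication failure logs.
Log lines and the disabled-account list are constructed for illustration."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# sshd syslog format; lines that do not match (disconnects, key auth etc.)
# are counted as unparsed so the reviewer knows the parser's coverage.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (syslog has no year; the example assumes 2024).
SAMPLE_LOG = """
Jan 12 03:14:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:02 bastion sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jan 12 03:14:03 bastion sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:04 bastion sshd[2217]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 12 03:14:05 bastion sshd[2219]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 12 03:14:06 bastion sshd[2221]: Failed password for invalid user oracle from 203.0.113.7 port 51239 ssh2
Jan 12 09:02:11 bastion sshd[3001]: Failed password for alice from 198.51.100.5 port 40002 ssh2
Jan 12 09:02:19 bastion sshd[3003]: Failed password for alice from 198.51.100.5 port 40003 ssh2
Jan 12 09:02:27 bastion sshd[3005]: Failed password for alice from 198.51.100.5 port 40004 ssh2
Jan 12 09:02:40 bastion sshd[3007]: Accepted password for alice from 198.51.100.5 port 40005 ssh2
Jan 12 11:45:00 bastion sshd[3120]: Failed password for bob from 192.0.2.44 port 5555 ssh2
Jan 12 11:46:00 bastion sshd[3122]: Disconnected from 192.0.2.44 port 5555
""".strip().splitlines()

# Constructed leavers list: accounts that should no longer exist anywhere.
DISABLED_ACCOUNTS = {"bob"}


def parse(lines: List[str], year: int = 2024) -> Dict[str, object]:
    """Return parsed auth events (in log order) and the count of lines skipped."""
    events, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"],
                       "ip": m["ip"], "invalid": m["invalid"] is not None})
    return {"events": events, "unparsed": unparsed}


def review(lines: List[str], fail_threshold: int = 5,
           window_s: int = 600, success_after: int = 3) -> Dict[str, object]:
    """Summarise what a reviewer should look at first. Thresholds are assumptions
    to tune per environment, not recommended values."""
    parsed = parse(lines)
    events = parsed["events"]
    failures_by_ip = Counter(e["ip"] for e in events if e["result"] == "Failed")
    findings = {
        "brute_force_sources": sorted(ip for ip, n in failures_by_ip.items()
                                      if n >= fail_threshold),
        "invalid_user_probes": sorted({e["user"] for e in events if e["invalid"]}),
        "disabled_account_attempts": sorted({e["user"] for e in events
                                             if e["user"] in DISABLED_ACCOUNTS}),
        "success_after_failures": [],
        "unparsed_lines": parsed["unparsed"],
    }
    # A login that succeeds shortly after repeated failures from the same source
    # is either a user who finally remembered their password or a guess that
    # landed; either way it deserves a second look.
    recent_failures: Dict[str, List[datetime]] = {}
    for e in events:
        if e["result"] == "Failed":
            recent_failures.setdefault(e["ip"], []).append(e["ts"])
            continue
        fails = [t for t in recent_failures.get(e["ip"], [])
                 if (e["ts"] - t).total_seconds() <= window_s]
        if len(fails) >= success_after:
            findings["success_after_failures"].append((e["ip"], e["user"], len(fails)))
    return findings


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In a real review the source would be the SIEM or log collector the Preparation section asks about, not a pasted file, and the disabled-account list would come from the joiners/movers/leavers process; the script only shows what questions to put to the data.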