I’m frequently asked how I would define a good cyber security policy. The first thing I always tell organisations is that they should be looking for an approach and methodology, rather than tools or products.
A lot of organisations rely on tools and products to provide a solution for them. But first and foremost, it's about getting their approach to cybersecurity right - particularly cyber operations – THEN acquiring the tools to help them achieve those aims.
When reviewing an organisation’s cyber security policy, it’s also important to understand the clear distinction between 1 - cyber security, and 2 - cyber operations.
Cyber security is focused on the prevention of attacks and the passive defence of an organisation, whereas cyber operations is all about dealing with active threats, recovery and response, undertaking testing, threat hunting, and so on. Both should be covered and included in an overarching cybersecurity policy.
It’s important that in these uncertain times we’re currently experiencing, organisations monitor their security policy more closely, as all types of disruption can have an effect on an organisation's security, whether it’s concerning finances, personnel, or indeed, the current COVID-19 crisis. People moving in or out of an organisation, mergers, acquisitions, and all non-standard, non-business as usual activities and disruptions can make the organisation less resilient.
The COVID-19 crisis has disrupted how many businesses are operating from a technology perspective. By moving a lot more workers away from the corporate HQ to a work from home environment has, in many cases, necessitated the relaxing of controls within organisational cybersecurity policies.
But this needs to be done in the context of the risk framework and a governance framework that the cybersecurity policy should dictate, which is to make sure that there's an awareness of what the organisation's assets are, what information needs to be protected, where those assets are located, how they are protected and how threats are being detected across all of those assets.
The biggest thing that we see lacking in organisations, is having a really robust and fully tested Incident Response Plan. It is essential to create one, communicate it to your workforce, test it, and test it again!
Regulatory compliance is another important aspect of cybersecurity that needs to be considered carefully.
In the 2020 cybersecurity strategy that was released by the federal government earlier this month (August), there were a number of comments regarding the establishment of a common framework of requirements for organisations to meet, and also for board members and directors of companies to be fully accountable and responsible for cybersecurity, in much the same way as they are for workplace health and safety.
Regulatory compliance is a key component, but just aligning to the regulatory guidelines isn't a good cybersecurity policy in isolation. A good cyber security policy should also be contextual to the organisation. It needs to understand the threats, the weaknesses, and the context in which that organisation is operating.
Further to that, it cannot be understated how important it is, as with other areas of the business, that when it comes to cyber security, everyone knows their role, in order to help prevent any actions being overlooked.
There are plenty of mitigation and risk frameworks for clearly articulating where there are areas and processes that need to be applied when it comes to cyber security. The Australian Cyber Security Centre, which is based within the Australian Signals Directorate, releases regular mitigation strategies for cyber breaches and cyber intrusions.
It lists the individual steps that you can do as an organisation to help mitigate a breach, or the impact of a breach. Things like backups, patching, and testing are covered, but a critical point to note is that elements will always be missed from time to time. Not everything, or everyone, will be 100 percent reliable.
For example, your backups may not be functioning as well as you thought they were. Your patching may not be patching as quickly as you thought it would be, or your penetration testing might be missing critical exploitable issues. Even your cyber security team may not be skilled in certain areas.
Therefore, it's really important to have clear responsibility and accountability, from the board all the way through to the individual security analyst within the organisation, and understand what's important, why it’s important, and how it fits into the bigger picture of cyber resilience for the organisation.
The NIST (National Institute of Standards and Technology) Cyber Security framework also helps organisations gain a better understanding and improve their management of their cybersecurity risk by demonstrating how to identify, protect, detect, respond to and recover from cyber attacks.
Cybersecurity policies are not just tick and flick activities. They are very much a part of an organisation's resiliency plan in much the same way as a business continuity or disaster recovery plan is.
It is also important to understand that not all cyber security organisations are alike. There are a lot of hardware and software vendors, lots of service providers, and specialists in certain areas of cyber security, such as governance risk compliance, penetration testing, engineering, operations and incident response, digital forensics, and so on.
Across that entire landscape, there are organisations that provide what's known as passive defence or passive protection. This is a necessity and should very much be part of your cybersecurity policy.
You need to have cyber security awareness training so that staff can recognise things such as phishing attacks. Then you have the human firewall in place.
You also need to have a passive defence, which is your standard technologies - host based antivirus, firewalls, email protection, data loss protection, encryption, etc.
A lot of managed security service providers (MSSPs) provide really good integrations of those passive protection products and tools, and can advise on strategy and the implementation of those.
When you get into cyber operations (also known as active defence), you start getting into threat hunting and more targeted detection strategy and engineering. You also get into looking at how you take those tools and existing tool sets and derive information from them in a consumable format, which provides greater detection and response capability for the organisation. That's where we step into the domain of specialist providers in Managed Detection and Response - active cyber operations.
Conversely, there's also more offensive (as in proactive) cyber operations that involves actively testing your environment for vulnerabilities, exposed gateways for exposed services, and remediating those as a feedback loop into the passive protection and the security operations team.
Overall, not all organisations will necessarily have a high level of maturity across all of those elements. Most organisations that we talk to are quite active in the human firewall scenario and the awareness training, the phishing training, data loss prevention, password protection, and so on. They often have a traditional managed security service provider providing tools and technology sets and very simple alerting based on those tools.
Organisations also generally have a good offense in terms of performing their annual, quarterly or monthly penetration tests, depending upon their regulatory requirements.
But where we see a bit of a gap in organisations is really around the resiliency in detecting and responding to threats, and reducing the dwell time, which is the time between when the attack occurred and when it is picked up. That's where organisations fall down a little bit.
Organisations need to have a good mix of active and passive defence. The active defence can be an internal capability in detection response, or it can come from an external provider, such as ParaFlare. But it is really critical to have robust detection and response capabilities within your organisation, regardless of who provides it.