[BreachExchange] Business Cybersecurity Strategy

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 9 15:20:52 EST 2018


In the last decade there have been a growing number of cyber-attacks on

A huge range of organisations and companies around the world have been
affected by the WannaCry ransomware cyber attack, described by the EU's law
enforcement agency as "unprecedented".

>From "cyberwar" to "hacktivism", there have been some of the major
cyber-attacks over the past 10 years. The Petya ransomware attack which
took place in June 2017 paralysed thousands of companies worldwide, and
this attack reinforced the new EU cyber legislation.

Firms that are breaching the EU’s General Data Protection Regulation (GDPR)
next year could be fined up to €20m (£18m).
This new law is now beginning to make cyber security a crucial issue for
all businesses.

However, we have found that on average, while 93% of businesses surveyed
regard it as important, only 56% have established a formal cyber security

Business Responsibility
The Board is ultimately accountable for the protection of corporate
systems. Therefore, they need to develop a cyber security policy, regularly
audit their IT systems, educate their staff, review supplier contracts and
incorporate about cyber insurance.

Analyse the Risks
Directors need to ask themselves and all Board members: how confident are
they that their business information assets are protected? Who might
compromise their security? What forms might the threat take? What effects
could an attack have? Have they had analysis of their business’s systems
and had a report completed and how long ago was this done?

Completing this work will help your business to implement suitable controls
and determine what good practice looks like. Repeat the procedure
regularly, continually reassessing the effectiveness of your measures. If a
third party manages your IT services, review your agreements with it and
ensure that those handling your data also apply these controls.

Understand and Follow the Law
Ensuring that your business follows the strict data protection principles
outlined by the Information Commissioner’s Office (ico.org.uk) and enforced
by the Data Protection Act 1998 will help to shield it from attacks,
prosecutions, fines and reputational harm.

These stipulate that the data held and processed by your firm must be kept
securely; be used fairly and lawfully for specific, limited purposes; and
not be moved outside the EEA without adequate protection.
Also, planning and implementing the changes that your firm needs to make to
comply with the GDPR now will ensure its readiness for the legislation when
this comes into force in 2018.

Getting the Fundamentals Right
Applying basic, effective measures to protect your company’s systems will
mitigate many of its cyber risks. You should download and install software
updates as soon as these become available, as they often contain security
Similarly, use strong passwords; delete all suspicious emails, which could
contain malware or be phishing attempts; and always use up-to-date
anti-virus software.

One of the most crucial measure is to train all staff in these basics and
keep them abreast of the latest threats. Human error is often at the root
of a breach, the mere opening of an email attachment by an unwitting
employee could cause one.
You therefore need to develop a security-aware culture. The government’s
Cyber Essentials scheme sets out five controls that would help to reduce
cyber-attacks on your company.

Cyber Security Insurance
Insurance is not yet widely viewed as a cyber security measure. Indeed,
only 22 per cent of business we have spoken to have taken out such cover
for their firms.

But products in this area can insure against a range of risks, including
network security liability, data and software damage, business
interruptions and reputational harm.

Although some events, including the theft of intellectual property, remain
uninsurable because the associated losses are hard to prove and/or
quantify, insurance is likely to feature heavily in any effective cyber
strategy in the near future.

Cyber Audit
We think that the UK should take more of a lead in this area and that the
UK government should have standards that should be implemented to enhance
Cyber Essentials with a Cyber Audit regulation, which we think is very
important once the UK leaves the EU.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180209/5663ec2f/attachment.html>

More information about the BreachExchange mailing list