Data mapping and compliance with GDPR Article 30
Article 30 of the General Data Protection Regulation (GDPR) stipulates that organisations maintain a record of their data processing activities....
Building a resilient organisation is a key requirement in our digital world, which is infused with cyber-crime and cyber-warfare. The two blur into each other, as bad actors within a government can launch cyber-criminal activities to cripple key organisations in another country and then deny any involvement.
Cyber-criminal activity is performed to make money. Cyber-criminals look far and wide for targets with security flaws that can be compromised, and monetise them through ransoms, extortion, fraud and theft.
Cyber-warfare is performed by a country, either directly or through criminal networks, to harm infrastructure, disable services and possibly render a country unable to perform certain functions, both governmental and commercial. Cyber-warfare is very targeted at specific goals to further a specific purpose. Examples would be the disabling of uranium enrichment in Iran or the shutting down of a power station in Ukraine.
While data protection is only one part of data privacy, it is a very key part in our modern world. Personal and other data are the core asset of our new economies and have enormous value as a marketable and exploitable commodity in the wrong hands.
Data privacy management is a key responsibility of any organisation. Its purpose is to ensure that the stakeholders of that organisation (for example employees, customers, suppliers, patients and medical staff) whose information is kept are protected from the exploitation of that information, whether by the organisation itself or by external parties.
In this article I would like to look at the elements of a data privacy and cyber security stack and how they all fit together to create a resilient, hardened organisation.
I have identified these as the main areas of focus for a pragmatic approach to building a solid security foundation:
I constantly come across organisations where people are absolutely, naively clueless about the threat landscape that lies just beyond their network devices, waiting eagerly to enter. In fact, it can also just as easily be a malicious employee inside an organisation!
To me the first item is education, which creates prevention. This needs to be appropriate to the people being educated. I know of a bank CEO who infected his bank with ransomware. It's easy to click a link and regret it, and yes, they should have known better, but why did that email get through? What were their IT security staff doing?
At an executive level, education is about making the executives aware of the risks they are exposed to and enabling them to understand the level of budget they need to focus on data privacy and cyber security.
There is a massive shortage of skilled data privacy and cyber security experts, both at a theoretical and at a technical level. For an organisation to build the necessary capabilities, it must either outsource to external consultants or train up its own technical staff. Either way, there needs to be technical skill in understanding the requirements to build robust infrastructure and to manage risk and compliance.
Email is a major threat vector for data breaches of many different kinds. There are technical solutions which filter a lot of malicious emails out; however, staff still need to be trained to identify various attacks, noting that these are becoming more and more sophisticated and difficult to identify. In some cases they target specific individuals and use inside information about them to create an email scenario that is extremely hard to identify as an attack.
Governance and risk management are the key to actionable outcomes. Following a governance program for both data privacy and cyber security will, if done properly, provide a framework to identify all addressable areas and an understanding of how to allocate the budget for these.
Governance is an ongoing task, and reviews are essential as dynamic organisations change and morph over time.
By 2023, over 65% of the world's population will be protected by some form of data privacy regulation that organisations keeping their data will need to comply with.
Data Privacy compliance in most cases requires effort in the following areas:
A well-managed and well-communicated data privacy program adds value to an organisation and contributes in many ways to its sustainability in terms of:
Recommended guidelines put a cyber security and data privacy budget at about 8 – 14% of the total IT budget. I would class the data privacy budget outside of IT, as it encompasses different areas of an organisation.
This can be a fairly significant investment and needs to be allocated where it will work the hardest. A cyber security framework review enables exactly that: determining where the budget is best spent.
There are various cyber security frameworks, CIS and NIST being two of the best known.
CIS – Center for Internet Security states “Developed by the Center for Internet Security (CIS), the CIS Critical Security Controls are a prescriptive, prioritized set of cybersecurity best practices and defensive actions that can help prevent the most pervasive and dangerous attacks and support compliance in a multi-framework era”.
NIST – National Institute of Standards and Technology (USA) states “The NIST Cybersecurity Framework is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology based on existing standards, guidelines, and practices”.
Either of these, and many others, will take you through a quarterly or bi-annual review that reveals the cyber security posture of your organisation and ideally shows you the actions you need to take to create a hardened, robust and resilient position.
There are many different types of cyber-attack that can take place; these include:
Some of these require human intervention for prevention, some a technical solution and some a combination.
Key methods and protocols to follow in order to prevent attacks by technical means are:
Having been the co-founder and Joint CEO of an online backup service with 15,000 B2B clients for over 13 years, I was often amazed at the complete lack of understanding in organisations of the critical nature of data and systems backups, and literally had people crying over the phone about data lost due to incorrect backup selections and various errors.
Critical data backups are the most basic form of building resilience against disaster and attack.
A data backup is the fundamental requirement for rebuilding a system and getting a fully running service back in place.
The key issue with backups is testing, testing, testing: there should be consistently successful backups in place, with no failures. What is the cost of not being able to restore an hour's, a day's, a week's or a month's worth of data?
Nowadays there is NO reason to back up to a tape or to a device on your own premises; in fact, for most organisations, should your servers even be self-hosted?
Backups are critical; they must be monitored and tested. You should know the RPO and RTO for your backups and determine whether they are right for your business. RPO is the Recovery Point Objective (remember you can only restore from your last successful backup: when did that happen?). RTO is the Recovery Time Objective: how long does it take to restore services from backup and have live systems running again? Once again, how much does it cost when you are unable to restore a system for an hour, a day, a week, a month? These types of disasters can destroy a business.
I personally would recommend moving to a full systems backup scenario with DRAAS (Disaster Recovery as a Service) built in.
An important note is that hosting in the cloud does not by itself ensure your systems are being automatically backed up; you must check and ensure this.
DRAAS is a combination of full systems backup and a service that will restore your server infrastructure into a hosted cloud solution within a pre-agreed time. This is backup with a tested and documented recovery plan in place. According to ISO27001 you should do a full disaster recovery simulation at least once per quarter.
A comprehensive DRAAS solution from a supplier can potentially offer you the technology to recover your full services in 30 seconds, obviously today at a high cost, but you can opt for a slower RTO. These services should include a quarterly disaster recovery simulation in which everything is restored in a new environment and users can test the system and verify the RPO: how far back does the recovered data go?
I would highly recommend putting in place a backup and DRAAS service for critical infrastructure. The most important thing is to hold the service provider accountable to the required RPO and RTO and to run the necessary simulations.
Backup and disaster recovery are more and more being referred to together as BDR, and they should be managed as one.
NRAAS is a new concept that is provided by very few managed service providers. It is highly complex: it involves replicating the network structure in the recovery environment to match the client organisation's minimum requirement, so that the organisation can recover its infrastructure servers and network services and users can log on and use the recovered services ALMOST seamlessly.
When done correctly in combination with DRAAS, a simple DNS change is all that is required at the time of a disaster or simulation to point users to the new recovered environment and allow them to continue working.
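The RPO/RTO accountability check described above can be scripted. This is an added example, not code from the article or from any DRAAS provider; it assumes a simple backup-job log format and a table of restore-simulation timings, both constructed here, and reports which jobs fall outside the agreed objectives, counting only the last successful run as a restore point.

```python
from datetime import datetime, timedelta

# Constructed sample backup-job log, not from the article: "<ISO timestamp> <job> <result>".
# The fileserver job failed on its last two runs, so its newest restore point is two days old.
BACKUP_LOG = """\
2024-03-01T01:00:00 fileserver success
2024-03-02T01:00:00 fileserver success
2024-03-03T01:00:00 fileserver failed
2024-03-04T01:00:00 fileserver failed
2024-03-01T01:00:00 erp-db success
2024-03-04T01:05:00 erp-db success
"""

# Constructed results of the last restore simulation: minutes from "restore started" to "service live".
RESTORE_TESTS = {"fileserver": 240, "erp-db": 30}


def parse_log(text):
    """Group log lines into {job: [(timestamp, result), ...]}."""
    runs = {}
    for line in text.splitlines():
        if line.strip():
            ts, job, result = line.split()
            runs.setdefault(job, []).append((datetime.fromisoformat(ts), result))
    return runs


def last_successful_backup(runs):
    """A failed run is not a restore point; only the newest successful run counts."""
    ok = [ts for ts, result in runs if result == "success"]
    return max(ok) if ok else None


def check_objectives(log_text, restore_tests, rpo, rto, now):
    """Flag each job whose data-loss exposure exceeds the RPO or whose tested restore time exceeds the RTO."""
    findings = {}
    for job, runs in parse_log(log_text).items():
        last_ok = last_successful_backup(runs)
        exposure = now - last_ok if last_ok else None          # age of the newest restore point
        tested = restore_tests.get(job)                        # None means the job was never restore-tested
        findings[job] = {
            "last_successful": last_ok.isoformat() if last_ok else None,
            "rpo_breached": exposure is None or exposure > rpo,
            "rto_breached": tested is None or timedelta(minutes=tested) > rto,
        }
    return findings


def run_check(now=datetime(2024, 3, 4, 9, 0)):
    """Apply a 24-hour RPO and a 2-hour RTO to the constructed data at a fixed 'now'."""
    return check_objectives(BACKUP_LOG, RESTORE_TESTS, timedelta(hours=24), timedelta(hours=2), now)
```

Calling run_check() returns the findings per job; in the constructed data the fileserver job breaches both objectives while erp-db meets both.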
Building cyber resilience in an organisation is done to enable it to anticipate, withstand and recover from adverse cyber events. Really, it’s about being able to continue with normal operations while preventing, detecting, controlling, and recovering from threats to data and infrastructure.
Cyber resilience is made up of four elements:
The benefits of implementing a cyber resilience program are obvious and include:
White hat hackers, or ethical hackers, are cyber security and IT experts who use their skills for good. They typically work as consultants or in-house and perform various tests of IT networks and infrastructure to establish how resistant these are to being penetrated.
It is critical and should be part of any IT project to engage cyber security professionals to perform penetration tests and ongoing vulnerability scans.
Cyber incident response is something you want to be prepared for but never actually have to do in real life. Building attack response plans and rehearsing them is crucial: being prepared is a real advantage when the world around you appears to be disintegrating (with a ransomware attack you can literally watch files being encrypted).
A calm, measured, structured response, in which the issues are identified and isolated, forensic evidence is gathered and plans are executed to rebuild systems, is essential.
The organisation may need multiple teams at work: those identifying and isolating the problem, those in the background beginning disaster recovery procedures to bring up systems in an alternate location, and those gathering evidence to build a forensic knowledge base of what has happened, so that hardening and resilience building can follow once the event is over.
I would recommend building cyber incident response plans in the following manner: firstly, an overarching plan that is executed for any cyber incident, which enables the identification of the type of incident. Thereafter, a cyber incident response plan per type of incident must be created. Ideally one can purchase pre-built plans covering this functionality and then adapt them to your specific organisation.
If your organisation does any software development, has systems built for it, or consumes hosted SAAS solutions, you need to consider the security of the software powering those systems.
Software systems are layered: they run on hardware located in data centres, on servers with operating systems and third-party integrated tools; they use database software to store information; and they have server-side and client-side functionality. They are highly complex, and security in these environments needs to be fully understood; wherever weaknesses and risks are identified, these need to be mitigated.
This is a huge subject and books have been written about it. A quick entry point to understand more is to look at the OWASP top 10. OWASP (Open Web Application Security Project) is a non-profit that works to improve the security of software. Their mission is “No more insecure software”.
Their top 10 security risks for 2021 were:
It is a lot to think about and a lot to deal with. Most organisations want to have a more robust security stance but do not know how to go about it. The skills available are also in very high demand: there are over 3,500,000 open cyber security jobs worldwide.
To get started, go through all the areas discussed here and implement the required solutions. It can be incremental, it can be in stages, it can be budgeted for over time, but BEGIN.