Building Cyber Security Resilience
Cybersecurity operational resilience, in a nutshell, is the ability of an organisation's information systems to continue operating in the event of a cyber-attack with minimal loss of time and resources (see part I of this article).
There are several means of ensuring that an organisation can withstand a cyber-attack, and they involve developing certain capabilities and implementing relevant controls before an attack occurs. Some of the relevant controls include:
Relevant Cybersecurity Policies and Processes: Every organisation must have policies guiding the cybersecurity programme and relevant processes for the different cybersecurity functions. This will provide strategic direction and guidance to the cybersecurity team and, by outlining stepwise activities in the processes, will ensure that the team is prepared for cyber-attacks. Cybersecurity policies and processes should be developed for the following functions:
- Logging and Monitoring
- Incident Management
- Threat & Vulnerability Management
- Cyber Threat Intelligence
- Access Control
- Privileged Access Management
- Patch Management, etc.
Security Operations Centre (SOC): Depending on the size of the organisation, it may be important to establish a security operations centre (SOC). A SOC is the cybersecurity hub of an organisation, tasked with continuously monitoring, analysing and improving the organisation's cybersecurity posture, and with preventing, detecting and responding to cyber incidents. A SOC provides the organisation with central visibility of its cybersecurity posture by aggregating, parsing and analysing the logs of all security solutions within the organisation. Larger organisations are advised to establish their own SOC, while medium-sized and small organisations can contract managed security service providers (MSSPs) to provide SOC services for them.
Cyber-Threat Intelligence (CTI) Programme: Cyber-threat intelligence may be an organisation's saving grace if or when it falls victim to a cyber-attack. CTI involves collecting relevant information (intelligence) about current cyber threats and taking actionable steps to prevent these threats from materialising within the organisation. Smart cybersecurity teams ensure that they have a means of collecting internal and external cyber-threat intelligence (subscribing to CTI feeds, implementing CTI solutions) and, using the intelligence obtained, update technology configurations and cybersecurity processes in preparation for possible attacks.
Essentially, a cyber-threat intelligence programme is key to cybersecurity operational resilience because it gives organisations time to prepare for an attack before they are actually attacked.
Regular Risk Assessments: Organisations must always be aware of the cybersecurity risks their business may face. An organisation that has a functional cybersecurity risk programme will perform regular cyber risk assessments, develop a roadmap to mitigate all identified risks, take steps to limit risk exposure, and ensure proper documentation and monitoring of cyber risks. An organisation that engages in these activities will be better prepared for a cyber-attack.
Regular (In-house) Vulnerability Assessments: Just like risk assessments, vulnerability assessments are key to cybersecurity operational resilience. Organisations are advised to regularly assess their infrastructure for vulnerabilities that may be exploited by attackers. By doing this, they will know how to budget their resources to ensure that these vulnerabilities are fixed and/or compensating controls are implemented.
Regular Outsourced VAPT: Organisations can contract cybersecurity consultants to test the effectiveness of their security architecture through vulnerability assessment and penetration testing (VAPT). Performing these activities allows them to understand how attackers may gain access to the organisation's infrastructure and to plan the process for reducing the attack surface.
Cybersecurity Awareness: As in all areas of cybersecurity, operational resilience depends heavily on people. Therefore, organisations must invest in cybersecurity awareness training both for their regular employees and for their cybersecurity team. This training is important because regular employees need to know what to do when they suspect that their systems may have been compromised, and security engineers and analysts need to fully understand what is expected of the team when managing security incidents.
Regular Compliance Self-Assessments: Depending on the industry, organisations are advised to participate in the compliance assessments of the cybersecurity standards bodies that apply to them. Some of these standards and regulations include ISO, PCI-DSS, the CBN Framework, COBIT, etc.