Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a welcome addition to the roster of material available to help organisations to develop or refine their security strategy. The team at BH Consulting has picked out key points from the guide, and added some more context and analysis.
The report’s non-technical language show that it’s clearly intended for a wide audience. In a move that’s doubtless designed to help spread the message widely, the document presents its 12 steps in three formats: as an infographic (see below), on a single page of text, and then as longer descriptions for each step.
Preparing for ‘when’, not ‘if’
Reading through the guide, it’s striking how it starts from the premise that attacks are already going on. As the introduction makes clear:
“Cyberattacks make headlines on a daily basis. It’s no longer a question of if your company will be breached, or even when, it’s likely to have happened already. The real question is whether you will know and are you prepared?”
This language echoes the Central Bank of Ireland’s 2016 guidance which warned about this risk in similarly stark terms. “Firms should assume that they will be subject to a successful cyber-attack or business interruption”, the bank said.
A resilient approach to security
The NCSC’s high-level document aims to make businesses more resilient to security incidents. That’s an approach we can all get behind. In several blogs from last year, we looked at this very issue through a business and risk lens. In one post, Brian Honan suggested a four-step process to improving resilience:
- Identify key systems and services for your business
- Look at the key risks and threats to those services
- Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
- Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.
Looking back, it’s interesting how many of the themes overlap with the NCSC guidance. As we noted at the time, this is about thinking of security as a business problem, not a technological one.
Obviously, businesses still need to put effort into preventing certain types of attacks and security incidents. But it’s arguably even more important to put measures in place to keep the business running no matter what. Resilience takes many forms: after attackers defaced the website for the Luas, the tram service kept running but it took nearly a month for the site to reopen.
Rather than advising a ‘big bang’ culture change to embrace security, the guide suggests using the steps as an activity plan to undertake over a 12-month period. The report spends a lot of time at a high level before getting into specific actions to take, or naming particular tools to use. In fact, the first five steps don’t look in-depth at technology. Instead, they’re about orienting a business to think about security in a systematic way.
The guide is free to download from here. Step one covers governance and organisation: that means getting senior management support for a cybersecurity plan. Next comes the step of identifying the assets that matter most. (This is a broad list, covering everything from business goals, products, and services through to people, processes technology and data infrastructure underpinning them.) The steps then follow through to identifying threats and defining risk appetite.
Interestingly, the document advises focusing on education and awareness before it covers basic technical protections. These include secure configuration, patch management, firewalls, anti-malware, removable media controls, remote access controls, and encryption.
(For organisations that prefer to skip directly to this step, the guide offers a ‘minimum baseline’ of essentials protection that includes boundary firewalls, secure configuration, patch management, malware protection, encryption and access controls.)
Step seven involves setting up the ability to monitor for suspicious activity. In another nod to the broad mix of businesses this advice applies to, the guide notes that security monitoring can range from a basic alerting system through to a more sophisticated security operations centre.
The subsequent steps cover putting in place post-incident measures. They include having a formal cyber incident management team, establishing recovery plans, and implementing extra protections to supplement the basic controls. Step 11 advises running a mocked-up exercise to test how the management would react to a security breach.
Step 12 and context
The lifecycle finishes on creating an ongoing cyber risk management lifecycle. This twelfth and final action needs to be part of ‘business as usual’, the NCSC advises. The guide strikes a fair balance between useful advice and appealing to the broadest possible audience. The ‘practical considerations’ page, which isn’t part of the 12 steps, lays out the message in simple terms. A company’s level of security will vary depending on lots of factors like the potential threats that affect it the most, the level of risk it’s prepared to accept, and the amount of budgetary and people resources it can afford to allocate.
Valerie Lyons, chief operations officer with BH Consulting, says the guide provides a really good grouping of the various areas in which to approach cyber resilience. However, she feels some areas need clarification. For example, using months as a measure could be misleading. “Identifying what matters most can take a day in a small accounting office, and take a year in a large hospital. If we take May for instance, ‘focus on education and awareness’, this should in fact be a throughout-the-year activity engrained throughout every step. However, the steps by virtue of their month-by-month presentation allow a plan to be developed,” Valerie says.
Beyond the guide: extra steps
It’s arguable that the step of creating a cyber risk management lifecycle, which the guide puts in December, should in fact be in January. “We should determine up front what the regulatory landscape looks like and the resources required to achieve it,” Valerie says.
The guide would also benefit from clear definitions of cyber resilience, and what cyber risk means to the organisation. Instead of only focusing on the threat of external attacks, businesses should weigh up the risk from their own users’ accidental or deliberate actions.
As well as the practical steps in the guide, Valerie says organisations can also run tests, red teaming exercises, and table-top scenarios to test their security. Lastly, she recommends that businesses should manage cyber risk like all other risks, and it should be led by the chief risk officer, or risk unit.
The Irish NCSC report is a welcome addition to a growing crop of business-focused security advice from trusted, independent sources. There’s a wealth of free material for businesses of all sizes that are only starting to get the security message. ENISA, the European Union agency for network and information security, regularly publishes advice which you can find here. Similarly, The UK National Cyber Security Centre also publishes excellent, easy-to-read advice. Think of it as a form of public immunisation. The more organisations are vaccinated against the most common security risks, the safer we’ll all be.