BSEE
yber security is defined as the state of protecting information from attack by
CYBER SECURITY
The cyber resilience model C
identifying risks and
establishing appropriate defences. But as investment in security solutions continues to spiral it is essential for organisations to recognise the truth: total cyber security is unachievable.
A different approach
For too long, organisaons have sought the holy grail of 100 per cent cyber security. But security is never absolute; it is essenal to understand that a breach is inevitable. It is the way in which organisaons respond to a cyber security breach that is crical. Alan Calder, chief execuve of GRC Internaonal plc, parent company of IT Governance, explains the fundamental importance of creang a ‘cyber resilient model’
Cyber criminals can and will dramatically outspend their targets, creating ever changing and ever more sophisticated threats. At the same time, the ease with which these individuals and organisations bypass security technology and exploit poor process and ill-educated employees simply reinforces the futility of the current model: when 93 per cent of security breaches occur as a result of a phishing or pretexting email, clearly a different approach is required. Breaches occur routinely, and companies rarely know they have been breached. Not only are the majority of security breaches actually identified by third parties, on average it takes 193 days after the breach first occurred. So much for the much vaunted cyber security strategy. What is required, therefore, is a far more robust approach to both managing the breach and minimising the business impact, a model that is predicated on achieving cyber resilience, not cyber security.
Cyber essentials
To create a cyber resilience model an organisation needs to totally reconsider security provision; to assess and determine the business specific acceptable level of risk and acknowledge that an attack may be successful however well prepared the defences. By adopting a standards- based approach that encompasses technology, people and processes, a cyber resilience strategy can be designed to reflect each organisation’s maturity level with regards to both cyber security and data privacy.
At the heart of a cyber resilience strategy is defence in depth. In addition to using technology to block phishing emails, for example, a company must also ensure staff are trained to recognise the signs that an email may not be genuine. They must know how to respond if they mistakenly click on the email, including immediately notifying the help desk, which will prompt clearly defined escalation processes to minimise corporate exposure. Add in a device level back up process that does not allow the spread of malware and a business has a robust cyber resilience approach to the most prevalent form of breach.
Resilience journey
This is, of course, an evolution. For a smaller or start up business, a simple first step is to adopt cyber essentials,
8 BUILDING SERVICES & ENVIRONMENTAL ENGINEER APRIL 2019
five basic controls which should prevent around 80 per cent of Internet-borne attacks from being successful. As an organisation matures, it is important to add process and people controls, even pursue the ISO 270001 information security standard, and to consider the wider business ecosystem. Is there a corporate network vulnerability created by the heating supplier routinely accessing the building’s heating, ventilation and air conditioning system, for example? What about customer security? Should the hosted website be relocated to the cloud to achieve the encryption demanded by PCI DSS when handling credit card details?
Throughout the evolution, a good cyber resilience model will continually learn, collecting data about breaches, for example, to highlight staff that need additional training or improvements to escalation processes, and ensuring the cyber risk assessment adapts in line with business expectation.
Multilayered response
Critically, therefore, this is a board level issue and, over time a board’s awareness of and involvement in the business’ cyber resilience model must become part of the standard governance framework, as embedded as board and market reporting, health and safety and social engagement.
Simply raising the cyber security budget year on year is not the answer: what is required is an evolving, multi- layered set of responses to the continually escalating cyber threat. Replacing a futile search for cyber security with a robust, practical and risk appropriate cyber resilience model is one of the most important steps an organisation can take.
www.grci.group
‘
To create a cyber resilience model an
organisaon needs to totally reconsider security provision
’
RC International Group plc is the holding company for a group of companies providing a range of products and services to address the IT governance, risk management and compliance requirements of organisations to enable them to meet the commercial requirements and regulatory standards that are now in force, or are coming into force, in these areas. The Group is incorporated in the United Kingdom and operates a one-stop-shop that helps customers source, deploy and/or integrate an appropriate mix of solutions that focus on cyber security and cyber resilience, data protection, PCI DSS, penetration testing, management standards such as ISO/IEC 27001 and ISO 22301, and Cyber Essentials.
About GRC International G
The Group is based in Ely near Cambridge, England, where it has its head office on the Cambridgeshire Business Park. In addition, the Group has offices in Edinburgh and Drogheda, Eire (which opened in April 2017) and intends to open an office New York, USA in the first quarter of 2018.
The Group’s products and services are designed to help its customers to protect the data they hold by enabling them to: 1. Understand what their legal, regulatory and commercial obligations are;
2. Identify the risks that are exist in their data protection and cyber security systems and procedures;
3. Design and put in place systems and procedures to train their management and employees so that the customer can meet their obligations and address the risks identified; and 4. Obtain certification such as: ISO/IEC 27001; PCI DSS; or Cyber Essentials.
Having led ISO 27001 implementations since the inception of the Standard, the Group’s strong global cyber security presence gives it the knowledge and insight to provide valuable advice, tailored to meet any organisation’s specific needs or budget. GRC has successfully helped over 400 companies achieve ISO 27001 certification, proving their compliance with one of the world’s most demanding management system standards.
Read the latest at:
www.bsee.co.uk
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64 |
Page 65 |
Page 66 |
Page 67 |
Page 68 |
Page 69 |
Page 70 |
Page 71 |
Page 72 |
Page 73 |
Page 74 |
Page 75 |
Page 76 |
Page 77 |
Page 78 |
Page 79 |
Page 80 |
Page 81 |
Page 82 |
Page 83 |
Page 84 |
Page 85 |
Page 86 |
Page 87 |
Page 88 |
Page 89 |
Page 90