DIEGESIS

Build your defences against cyberattacks to stay safe and out of the headlines

As the number of cyber attacks hitting the news continues to grow, Nick Denning, CEO of IT consultancy Diegesis and veteran of multiple successful digital transformation projects, looks at how best to protect your own organisation and identify the ‘weakest link’ in your security which might leave you exposed.

Cyberattacks are headline news

This year has seen a number of high profile cyberattacks making the news. A snapshot of just the month of May saw the UK press reporting cyberattacks affecting organisations as diverse as the Ministry of Defence, NHS Dumfries and Galloway, and Christie’s.

NHS Dumfries and Galloway saw a ‘proof pack’ sample of data including some children’s mental health records published by criminals to the dark web. The threat was that if a ransom was not paid, more details would follow.

In a completely different sector, auction house Christie’s website was hacked, shutting out online bidders for $850m worth of artworks in the most important sales of the year. The company had to go back to in-person and phone bidding only.

A BBC report days later told of a 55% increase in cyber incidents in education and childcare in 2023 compared with 2022[1]. Stories about individual schools may only make the local press, but attacks have led to data breaches, cancelled lessons, and staff and pupils unable to access systems or even school buildings.

In summary, the threat is only getting bigger. Yet attacks are still succeeding because organisations are not doing the simple things.

Find your weakest link

Cyber security companies are always trying to sell the next new thing to keep your company safe. However, doing the basics well is what makes your organisation more secure. Think of your organisation as a property. There is no point investing in barbed wire and searchlights at the front of your house if you have holes in the fence at the back! Take a 360-degree view of security and build it progressively. Invest in monitoring to identify your weakest link. Then target spending to fix that weakness with the most economical solution.

Many cyberattacks opportunistically blast large numbers of organisations and individuals. Compare this to the petty thief who walks down a street in summer and targets the houses with wide open windows or piles of mail on the doormat. If you do not meet the criteria for easy pickings, the thief moves on. What is specific to your organisation that can be actioned easily to ensure the cyber criminals keep walking? It might be as simple as changing passwords more frequently or better educating your staff about threats, policies and processes.

Build your walls

Once you have built a robust wall, reinforce it progressively, identifying the extra defences you will need to buy now and possibly replace or bolster later. For example, your organisation’s wall could be constructed from a collection of products including firewalls, anti-malware, VPNs, vulnerability assessments and asset management, combined to meet your specific circumstances.

All these elements can be acquired at a modest cost and will give you basic protections. Next, deeper analysis can uncover less obvious vulnerabilities. For example, running analytics to query your email system can identify whether data is being exported or accessed by cybercriminals. You could add further services that protect against phishing or scan the dark web to see if any of your data is already out there or up for sale. Such solutions build your wall higher and increase your security.

Do your suppliers make you vulnerable?

In today’s connected world, where crucial services and functions are increasingly provided by third parties, vulnerabilities at your suppliers and partners might also leave you exposed. The recent data breach at the Ministry of Defence saw UK armed forces’ personal details accessed by hackers through a supplier.

The details of 270,000 armed forces personnel were accessed in a cyber espionage operation targeting a contractor responsible for managing the MOD’s payroll system. This raises specific questions about the security of the UK defence sector supply chain and the procedures used to select vendors and contractors, but does your industry and organisation also have similar vulnerabilities?

Forthcoming legislation means you should act now

Two pieces of EU-driven legislation seek to address supply chain security and resilience. DORA, the Digital Operational Resilience Act, sets out a harmonised approach to digital operational resilience across the EU’s financial sector and comes into force in January 2025. If you are doing business with the finance sector in Europe and want this to continue, you will also have to be compliant.

DORA is based on five cyber security pillars: risk management, incident response processes, incident reporting, resilience testing and third-party risk management. Doing all you can to prevent attacks in the first place will save your organisation potential business interruptions, effort and reputational damage.

Similarly, the EU’s NIS2 directive, which addresses cyber security and the potential impact of attacks on critical infrastructure, is due to be incorporated into national legislation by October 2024. NIS2 applies to critical areas such as transport, energy and healthcare, and if you are a supplier into the EU you will be affected, so you need to take action now. The controls required to be fully compliant and meet the regulation’s requirements may be significant, so make sure the basics are done. Forewarned is forearmed.

Help is at hand

Just as you would not expect to build a wall around your property yourself, the cyber security equivalents of architects and builders are on hand to help.

Diegesis has expertise from numerous digital transformation projects looking at how legacy systems function and how they can be evolved to embrace new technologies. We understand the principles of “secure by design”, how systems work together and where the vulnerabilities may be. Retrofitting is difficult, yet there are protections that can be put in place.

Our partners such as CyberAlarm can also help in identifying an organisation’s weakest link. Our sister company, Policy Monitor, offers complementary solutions which will ensure people in your organisation remain aware of cyber threats and what to do about them. It is time to take action to stay safe, and out of the headlines.

Nick Denning is the founder and CEO of Diegesis.
[1] https://www.bbc.co.uk/news/articles/c2vwz4exq4xo