The cyberattack at Jaguar Land Rover showed how an attack on a large player in a supply chain can also affect hundreds of other businesses and even impact national GDP. Other attacks, many in the public sector, have illustrated how criminals have used smaller suppliers as a way into bigger organisations.
Supply chains need to work together to improve cyber security and learn from participants of all sizes. What are the lessons that public sector operations can take from entrepreneurs and SMEs about creating a strong cyber security culture?
How to foster a strong security culture
Many aspects of security are second nature to some organisations. Measures linked to Health and Safety make obvious the need for physical safety and security measures such as closing doors, not letting strangers into the building and activating alarms. Fire safety officers are appointed and drills run regularly. Such measures seem baked into employee thinking. How can a similar ethos for virtual security be achieved?
The principles are the same for all organisations but practices may vary based on size:
- Finding strategies to keep security at the top of mind goes a long way to keep cyber criminals at bay. A simple way to keep employees alert is to change the screen saver on any unattended workplace devices, highlighting how easy it is to access data physically or virtually.
- An SME is more likely to have a ‘name and shame’ policy if they find employees being lax on security. The flipside is highlighting or rewarding staff who report security concerns promptly.
- Embed security responsibilities. SMEs may not have the ‘luxury’ of large IT departments, but having an individual act as an active system/security administrator who politely calls out errors quickly can be more effective than a central IT team that only follows up by email, often after a delay.
- Gamifying training as part of the culture makes it more interesting. It stops it becoming just box ticking.
- Involving everyone in cyber resilience exercises makes it personal and teams are more likely to watch out for each other.
SMEs can quickly embed culture around the obvious: strong identity management and passwords, password management and the use of vaults. Likewise, verifying financial requests through a secondary channel and encouraging staff to spot phishing emails.
Prioritise resilience
For SMEs, effective cyber security is a strategic necessity to protect operations and reputation. It is often a survival issue and increasingly a competitive advantage, not merely a compliance burden.
The public sector can learn from these SME resilience behaviours:
- Prioritise actions based on the actual impact to the business.
- Document worst case scenarios and what keeps you awake at night. Then work through these to identify how to satisfy yourself that the organisation can be more secure.
- Plan for business continuity steps that will be instigated when an attack happens, not just the prevention measures to stop attacks.
Think supply chain continuity, not just prevention
Many large organisations predominantly focus on prevention but have little in place on how to respond to successful attacks and breaches. For example, is it even possible to recover a system? Unless there is an immutable, incremental backup mechanism, it may not be possible to recover data up to the point just before ransomware was detonated.
Additionally, you need to consider whether a particular system can be recovered to a point that is consistent with all other integrated systems. If not, all systems must be rolled back to a global consistency point. Is there a transaction log that will allow a system to then be rolled forward by replaying business transactions, resubmitting orders received and deliveries sent out? Can the transactions with other integrated customers be reconciled? This is likely to require a significant effort. However, if you can restore enough to do business, you can at least complete financial reconciliation offline, hopefully!
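To make the recovery reasoning above concrete, here is an added example (not code from the original article) that works out a global consistency point from each system's immutable snapshot times, plans which snapshot each system restores to, and selects the logged transactions to replay. The snapshot timestamps, systems and transaction log are constructed sample data; anything logged at or after detection is treated as needing manual reconciliation rather than automatic replay.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int        # time the business transaction was recorded
    system: str    # integrated system that holds the record
    kind: str      # e.g. order, delivery, invoice


# Constructed sample data: immutable snapshot times per system and a shared transaction log.
SNAPSHOTS = {
    "orders": [100, 200, 300],
    "warehouse": [100, 250],
    "ledger": [100, 200, 300],
}
TXN_LOG = [
    Txn(210, "orders", "order"),
    Txn(220, "warehouse", "delivery"),
    Txn(260, "ledger", "invoice"),
    Txn(310, "orders", "order"),
]


def global_consistency_point(snapshots, detected_at):
    """Latest time every system can be restored to on or before detection."""
    latest = {}
    for name, times in snapshots.items():
        usable = [t for t in times if t <= detected_at]
        if not usable:
            raise ValueError(f"{name} has no backup before detection at {detected_at}")
        latest[name] = max(usable)
    # The system with the oldest usable snapshot dictates the point for everyone.
    return min(latest.values())


def restore_plan(snapshots, detected_at):
    """For each system, the snapshot it actually restores (<= the global point)."""
    gcp = global_consistency_point(snapshots, detected_at)
    return {name: max(t for t in times if t <= gcp) for name, times in snapshots.items()}


def roll_forward(plan, log, detected_at):
    """Transactions to replay per system: after its restored snapshot, before detonation."""
    replay = {name: [] for name in plan}
    for txn in sorted(log, key=lambda t: t.ts):
        if plan[txn.system] < txn.ts < detected_at:
            replay[txn.system].append(txn)
    return replay


def manual_reconciliation(log, detected_at):
    """Logged transactions at or after detection: reconcile offline with counterparties."""
    return [t for t in sorted(log, key=lambda t: t.ts) if t.ts >= detected_at]
```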
Recent attacks on public sector organisations such as police forces, hospitals and councils highlight the importance of resilience in maintaining continuity in service provision. It is time to learn from all sources including robust policies from large organisations, risk management and agility from high performing SMEs.
This blog has been adapted from our article featured in Open Access Government.