Cyber Hygiene – A fundamental for Risk Mitigation

Good cyber hygiene is a fundamental requirement of risk mitigation. The majority of board-level executives report concerns about cyber risks and their own organisations’ insufficient cyber security countermeasures. The last five years have certainly seen board interest increase, especially after U.S. retailer Target lost hundreds of millions of dollars as a result of having its customer database stolen.

Since then, cyber-attacks have increased in number and scale, and these days not a week goes by without another big brand being in the news for a similar breach. Furthermore, there is a deep appreciation at board level that no defensive strategy will be wholly effective in keeping 100% of attackers out. Yet many businesses are not even getting the basics right, with simple controls like patching being neglected.

The reality is that this is not because the board doesn’t listen; it’s because lower levels of management are trying to balance the costs of running their systems with pressure to reduce operating capital and streamline operations. The question is: how can businesses strike the right balance between keeping their systems safe and keeping the business moving forward at the pace it’s accustomed to?

The majority of data breaches leverage known vulnerabilities

The majority of data breaches exploit weaknesses that could have been avoided by good cyber hygiene. Looking at the recent spate of ransomware outbreaks, known as WannaCry and NotPetya, if organisations had patched the Windows vulnerability when the fix was first released, they would have prevented WannaCry from spreading through their networks two months later.

The issue is that operational teams are under pressure, and this is when compromises arise. They have an increasing workload that often sees implementation projects and line-of-business application development take precedence over basic service management processes such as patching. But any experienced security operations manager knows that this approach only works for so long: what was once a small crack will spread into a large fracture that is much harder to address.

The Australian Signals Directorate (ASD) published the ASD Essential Eight: Strategies to Mitigate Cyber Security Incidents[1] in February 2017, highlighting the top security controls that organisations can use to mitigate the majority of cyber-attacks. Patching operating systems and patching applications are two of the easiest mitigation strategies to implement, along with restricting administrative privileges, disabling Office macros and taking a daily backup of important business data. If your operations teams can focus on keeping all of these security controls up to date and functional, then the majority of attacks will not be successful. Even if ransomware such as WannaCry attacks your business, your backups can be used to quickly recover what’s important.


Reporting Key Cyber Risk Metrics to the Board

Reporting cyber metrics to the board is important in managing risk.

Executive boards don’t want to ignore cyber risk, but they don’t want to have to get into the detail of managing it either. It’s vital that security managers and operations teams find a way to convey their technical concerns to the board in a language they understand. If cyber security issues can be turned into risk metrics and analysis presented in terms of your business’s threat environment, along with risk exposures against preconceived tolerance levels, you’ll focus the conversation on what’s really important.

All boards really want to know is: are we at risk, and how much does it cost to fix it? Keep jargon out of board-level discussions, especially technical jargon, but make sure to use language that doesn’t undermine the issue or reduce its impact. If the business uses an enterprise risk management framework, integrate the management of cyber risks into that rather than trying to go it alone with the security team; the board already uses an enterprise risk lexicon that will resonate with them when you express the cyber risks of which they need to be aware.
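To make the two preceding points concrete (the Essential Eight hygiene controls named earlier, and turning them into risk exposures measured against agreed tolerance levels), here is an added example; it is not code from the original post, from Huntsman Security or from the ASD. It assumes an asset inventory already exists with a few per-host facts, and the tolerance levels, the 30-day patch window, the two-administrator limit and the hours-to-fix figures are all constructed for illustration rather than taken from any standard.

```python
"""Turn cyber-hygiene observations into board-level risk metrics.

Added example (not from the original post). Every threshold, tolerance
and effort figure below is a constructed assumption, as is the inventory.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    """One row of a (constructed) asset inventory."""
    name: str
    last_os_patch: date
    last_app_patch: date
    macros_blocked: bool
    local_admins: int
    last_backup: date


# Constructed sample inventory; host names and dates are illustrative only.
AS_OF = date(2017, 9, 1)
INVENTORY = [
    Host("fin-ws-01", date(2017, 8, 20), date(2017, 8, 20), True, 1, date(2017, 8, 31)),
    Host("fin-ws-02", date(2017, 6, 1), date(2017, 8, 20), True, 1, date(2017, 8, 31)),
    Host("hr-ws-01", date(2017, 8, 25), date(2017, 8, 25), False, 2, date(2017, 8, 31)),
    Host("srv-file-01", date(2017, 8, 28), date(2017, 8, 28), True, 2, date(2017, 8, 31)),
    Host("srv-db-01", date(2017, 8, 28), date(2017, 8, 28), True, 2, date(2017, 8, 31)),
]


def days_since(when: date, as_of: date) -> int:
    return (as_of - when).days


# One predicate per control; True means the host currently meets the control.
# The 30-day and two-admin thresholds are assumed policy values, not ASD figures.
def os_patched(h: Host, as_of: date) -> bool:
    return days_since(h.last_os_patch, as_of) <= 30


def apps_patched(h: Host, as_of: date) -> bool:
    return days_since(h.last_app_patch, as_of) <= 30


def macros_blocked(h: Host, as_of: date) -> bool:
    return h.macros_blocked


def admins_restricted(h: Host, as_of: date) -> bool:
    return h.local_admins <= 2


def backed_up_daily(h: Host, as_of: date) -> bool:
    return days_since(h.last_backup, as_of) <= 1


# control name -> (check, tolerated share of failing hosts, assumed hours to fix one host)
CONTROLS = {
    "patch_os": (os_patched, 0.05, 1.0),
    "patch_apps": (apps_patched, 0.10, 0.5),
    "block_macros": (macros_blocked, 0.00, 0.25),
    "restrict_admins": (admins_restricted, 0.10, 2.0),
    "daily_backup": (backed_up_daily, 0.00, 4.0),
}


def assess_control(hosts, check, tolerance, hours_per_host, as_of):
    """Exposure for one control: who fails, how much of the estate, and the cost to close it."""
    failing = [h.name for h in hosts if not check(h, as_of)]
    rate = len(failing) / len(hosts) if hosts else 0.0
    return {
        "failing_hosts": failing,
        "failure_rate": rate,
        "tolerance": tolerance,
        "within_tolerance": rate <= tolerance,
        "remediation_hours": len(failing) * hours_per_host,
    }


def board_report(hosts=INVENTORY, as_of=AS_OF, controls=CONTROLS):
    """Per-control exposure plus a one-line summary: status, breached controls, total effort."""
    report = {name: assess_control(hosts, chk, tol, hrs, as_of)
              for name, (chk, tol, hrs) in controls.items()}
    breached = [name for name, r in report.items() if not r["within_tolerance"]]
    total_hours = sum(r["remediation_hours"] for r in report.values())
    # Simple traffic-light rule (assumed): two or more breaches is RED, one is AMBER.
    status = "RED" if len(breached) >= 2 else "AMBER" if breached else "GREEN"
    report["summary"] = {
        "status": status,
        "controls_breached": breached,
        "total_remediation_hours": total_hours,
    }
    return report


if __name__ == "__main__":
    for name, entry in board_report().items():
        print(f"{name:16} {entry}")
```

The summary line is the part that goes to the board: a status, which controls are outside tolerance, and an effort figure answering "how much does it cost to fix it?", while the per-control detail stays with the operations team. Swapping the constructed inventory for a feed from a real patch-management or CMDB source is the only change needed to run it against live data.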

Build a culture of security awareness

There are a variety of cyber security controls you can use to improve your cyber hygiene and make your business more secure and safe from the majority of modern cyber-attacks. However, commercial pressure can often force operations teams to compromise on simple cyber hygiene countermeasures, with the board only becoming aware of the operational consequences after it’s too late – i.e. the business has already been hacked.

Boards need to be kept apprised of issues and understand that a certain percentage of operational funding is necessary to protect the company’s interests, since it keeps the lights on and the wolf from the door. When reporting cyber security risks to board members, remember to layer in succinct, factual commentary backed up with metrics on the threats, risks and operational issues that matter (ones that could affect the company at the strategic level).

Finally, cyber resilience starts with the workforce and building a security-aware culture in the organisation. This is even more important than policies, processes and operational systems, since none of the security measures discussed above will guarantee 100% security. Training, communication plans and testing programmes (such as internal phishing drills) help you gauge how security-aware your workforce is, allowing you to target training on the areas that need it most.

Why not measure your organisation’s cyber posture using the Huntsman Security Scorecard?

[1] https://www.asd.gov.au/publications/protect/essential-eight-explained.htm
