Cyber security – reducing the attack surface
What is cyber security?
If we mention the term ‘CIA’, what is the first thing that comes to mind?
More than likely, it is the US intelligence agency that we hear about in the news or movies. However, CIA in cyber security has nothing to do with the intelligence agency.
Instead, CIA in cyber security stands for – Confidentiality, Integrity, and Availability.
It is otherwise known as the CIA Triad, the golden triangle of components that gives organisations clear guidance for developing stronger and more effective security best practices and policies.
Confidentiality means that data, objects and resources are protected from unauthorised viewing and other access.
Integrity means that data is protected from unauthorised changes, ensuring that it remains reliable and correct.
Availability means that authorised users have access to the systems and the resources they need.
Why is it important?
Cyber security is vital to guard against regulatory and reputational damage, financial losses and harm to individuals.
The Information Commissioner’s Office (ICO) requires organisations that handle personal information to ensure they have adequate cyber security controls in place. Failure to do so not only leaves the organisation vulnerable to attack but also exposes it to substantial fines for non-compliance. There are also many industry-specific regulations that seek to enforce the protection of information against loss through attack or leakage.
The reputational risk of being hacked is significant. This includes negative publicity and loss of trust from customers and any future business relationships.
Cyber attacks can lead to substantial financial losses if they result in theft of assets such as data, intellectual property, or money. Ransomware can affect productivity, and a denial-of-service (DoS) attack could prevent profit-generating activities such as taking payments and online sales.
Involvement in an attack as a target, subject or collateral damage can cause stress and anxiety to employees and customers. Attacks on critical national infrastructure, such as utility supplies, could have catastrophic consequences for the health and safety of those affected.
According to the latest Cyber Security Breaches Survey, conducted by the UK Department for Digital, Culture, Media & Sport, 46% of businesses have experienced cyber attacks in the last 12 months. With an estimated 5.5 million companies in the UK, this suggests that approximately 2.5 million companies are likely to have been hit with a data breach.
What is alarming is that once a hacker has gained access to a system, it can take 208 days for the breach to be discovered, then an additional 80 days to contain that breach.
It’s clear to see how important it is to develop and maintain a robust security practice to keep your organisation, data and customers better protected.
So, how can we implement good cyber security?
People, process, technology. The three pillars.
There is no silver bullet solution to become cyber secure. However, a holistic approach including people, process and technology can significantly lower the risk of a successful attack.
According to a study by IBM, human error is the main cause of 95% of cyber security breaches.
Human error will never be eradicated as ‘to err is human’.
Educating employees and empowering them to act securely, in conjunction with secure processes and the right technology, will both lower the probability of a successful attack, and the severity of an attack should it succeed.
It is essential to set employees up for success by reducing the room for possible error. Prevent unauthorised access and actions at a technology level, where possible, and implement processes such as the ‘principle of least privilege’; i.e. a user or device should only have access to the specific data or applications needed to complete a required task, and everything else is denied by default.
This will also need to be balanced with usability, or security measures will be evaded, leaving your organisation open to new lines of attack.
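As an added illustration of the principle of least privilege (example code, not from the original article or from CyberHive): a small default-deny authoriser in which each role is granted only the resource/action pairs it needs, set beside the “everyone can do everything” policy the article warns against. The role names, resources and actions are constructed for the example, and the `denied` list records every refused request so that unexpected access attempts can be reviewed later.

```python
"""Default-deny, per-role access check as a worked example of least privilege."""
from dataclasses import dataclass, field

# Constructed example policy: each role lists only what its task needs.
# Anything not listed is refused, which is what "least privilege" means in practice.
LEAST_PRIVILEGE_POLICY = {
    "finance-clerk": {("invoices", "read"), ("invoices", "create")},
    "support-agent": {("tickets", "read"), ("tickets", "update"), ("customers", "read")},
    "auditor": {("invoices", "read"), ("tickets", "read"), ("audit-log", "read")},
}

# Contrast: a broad policy where every role holds a wildcard grant.
# It "works" for users but leaves the whole system exposed if any one account is misused.
BROAD_POLICY = {role: {("*", "*")} for role in LEAST_PRIVILEGE_POLICY}

WILDCARD = ("*", "*")


@dataclass
class Authorizer:
    """Answers 'may this role perform this action on this resource?' with default deny."""

    policy: dict
    denied: list = field(default_factory=list)  # refused requests, kept for review

    def is_allowed(self, role: str, resource: str, action: str) -> bool:
        grants = self.policy.get(role, set())  # unknown role -> no grants -> denied
        allowed = (resource, action) in grants or WILDCARD in grants
        if not allowed:
            self.denied.append((role, resource, action))
        return allowed


def roles_with_wildcard(policy: dict) -> list:
    """Policy lint: list roles whose grants include a wildcard, i.e. more than any task needs."""
    return sorted(role for role, grants in policy.items() if WILDCARD in grants)


def demo() -> dict:
    """Run the same three requests through both policies and report the outcome."""
    strict = Authorizer(LEAST_PRIVILEGE_POLICY)
    broad = Authorizer(BROAD_POLICY)
    requests = [
        ("finance-clerk", "invoices", "create"),   # needed for the job
        ("finance-clerk", "audit-log", "read"),    # not part of the clerk's task
        ("contractor", "customers", "read"),       # role never defined -> default deny
    ]
    return {
        "strict": [strict.is_allowed(*r) for r in requests],
        "broad": [broad.is_allowed(*r) for r in requests],
        "strict_denied": list(strict.denied),
        "broad_wildcard_roles": roles_with_wildcard(BROAD_POLICY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is the third request: a role that nobody has defined gets nothing, rather than inheriting whatever the default happens to be, and the refusal is recorded. The `roles_with_wildcard` check is the kind of review you would run on a real policy to find grants that have grown beyond what any task requires.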
Who is responsible for cyber security?
Everyone is responsible for cyber security. It is not just the job of the dedicated IT team but the shared responsibility of everyone within an organisation, all working together and observing good cyber security habits.
It’s an important part of being an employee, much like turning up for work on time.
Cyber security must be woven into the fabric of workplaces, and there are a few best-practice items that can be put in place today to help establish good habits, such as using strong passwords and keeping them confidential; turning on two-factor authentication; deleting emails from unknown senders; avoiding downloading attachments from suspicious sources; keeping antivirus software up to date; installing firewalls and software updates as soon as they become available; and backing up data regularly to your approved cloud.
When it comes to purchasing or refreshing technology, think about any room for error and how it could be locked down. Think about setting people up for success and feeding into the secure culture mindset. Think about balancing the practical requirements of any technology and how security controls can complement it rather than complicate it.
For more information on the cyber security of your digital assets, contact the CyberHive team on [email protected]
This article was written for The Security Professional Officer Magazine