It’s been an unusual year in many ways. We have had to manage the ongoing demands from our workforce around their ability to work from home, with its accompanying reliance on technology, and there has been a continuing rise in ransomware and the ongoing battle to protect data.
What have we learnt from this? That we cannot take anything for granted and that we need to understand the impact of cyber security on the business, how to engage and empower the workforce, and how to understand our vulnerabilities. That requires a focus on three areas: people, processes and systems.
People – aligning cyber with business purpose
With our increased reliance on technology for growth, to change the way businesses deliver, and to enable effective working from home, there is a clear need to engage and empower the board and the workforce through demystifying “cyber”.
This starts with a conversation about how to grow the business safely in a digital world. There are practical ways to do this, including simulation exercises and asking the workforce to help develop solutions that explicitly support business objectives.
Simulation exercises focus on the impact of a cyber security incident on the business and the decisions that are required. They bring to life what action an organisation needs to plan for. When a senior leader says during a board-level ransomware simulation, “I’d never considered we wouldn’t be able to pay our staff”, you know they are recognising the implications.
The bigger challenge, though, is to tackle the “us” and “them” mentality that exists in many organisations, where employees see the word “cyber” as negative or incomprehensible – and an area handled by others (“Oh, you do IT”). This creates an alienated audience who do not see how their attitudes and behaviour are critical to an effective cyber security culture. Tackling this means aligning cyber objectives with the business purpose by bringing people into the conversation and focusing on business-based risks rather than a technical discussion.
One organisation, for example, is proud of the work it does to maximise the safety of UK citizens, so it has a strong “protect” element to its culture. This is being used to develop messaging that engages the workforce in owning cyber solutions as part of their business.
Processes – make my life easy, please
We consistently talk about embedding the right security in systems and the right behaviours in our people. Equally important is having processes that encourage compliance and make it easier for users and systems to do the right things. That means designing processes that are easier to follow than to circumvent and testing them regularly.
This is being brought to life in a UK public sector regulator, which is engaging people to design processes that provide the freedom for employees to exploit new ways of working, while also operating within a security framework that protects the organisation, its people and the services delivered.
This will enable the organisation to respond more rapidly to the current threats and build the agility into its processes and workforce to remain one step ahead – whether it is facing ransomware, or the next threat.
Underpinning this is the need to learn by testing business continuity processes and making the changes needed to update them. Where the supply chain facilitates many of the organisation’s functions, the exercises should be joint and realistic, so that a process which clearly sets out responsibilities and areas requiring collaboration is in place before the crisis hits.
Systems – providing architecture and control
Going to market for solutions can be rather like going to the supermarket. If you do not have a clear idea of what you are trying to achieve, you might end up buying ingredients for a dessert when you really need to cook your main meal. Many organisations have invested in very good products for each of their needs, but they may not work well together. To avoid this, a clear view of what the business needs and the architecture to support it is required, otherwise you risk ending up with incompatible or incomplete systems that make integration expensive or impossible.
Whoever provides your systems, you are still responsible for the protection of your own and your customers’ data, so there is still a need to ensure that your security controls work and you understand their limitations. While many systems have controls built in, and cloud providers will often offer a continuously improving set of security features, you still need to do your own checks.
The golden rules are to test your controls and not to assume they work – backups as well as intrusion protection, antivirus, and administrative controls and procedures. Then, if your controls require configuration, check that the configuration is correct through peer review, audit and testing.
At the same time, you need to develop your controls to meet today’s threats, accepting that they may be different from yesterday’s. In all this, you cannot assume that controls are protecting you simply because they are in place, nor that the cloud is somebody else’s server and therefore somebody else’s responsibility, so you need to make sure you have agreed mutual responsibilities to protect your information and data assets.
The most important security lesson of 2021 was that we shouldn’t become complacent. We’ve made huge progress in improving cyber security, and we should take a moment to congratulate our teams on the hard work that has achieved that. But the race is still on, the threats are increasing, and we have to continue to improve our cyber security to mitigate them.
Cate Pye is a cyber security expert at PA Consulting. Consultants Michael Christodoulides, Keith Chappell, Mark Needham and Chris Atkinson also contributed insights for this article.