By George Ralph
I read an article recently in the FT that suggested we should accept that cyber hackers already have access to our extended networks: that no matter how sophisticated our cyber security, there is always a way in for the ever more prevalent community of cyber hackers. This doesn’t necessarily relate to your own firm’s cyber hygiene; we are all, to a degree, relying on the good governance of our suppliers, clients and partners to secure their own systems to the same level as we do in order to ensure a watertight cybersecurity solution.
While the zero trust model (where you assume that every communication into your business should not be trusted) does work, there is now also a reason to start to change our thinking around this. No solution remains 100% watertight against attack, as the complexity of attacks increases all the time. Cyber attacks, particularly ransomware attacks, are on the increase globally and continuing to rise. We need to build on the zero trust model to construct defences that are a step ahead of the cyber hackers. This should not be seen as defeatist; it is realistic and strategic.
It is absolutely vital for every organisation to be aware of what their critical data is and where it is stored. For most of us, this is where the value within our businesses lies and what the hackers are looking to access when they attempt to breach our systems. Once you have this information, the next step is to review who has access to that data, how it is accessed and whether each user actually needs the access they have. Auditing your user access is good cyber hygiene and should be included in your day-to-day operational practices anyway. A great place to start is to build out a DPIA (data privacy impact assessment), something the ICO regularly advises; alongside a robust risk management process for technology, it will stand you in good stead.
Next, review your supply chain relationships and communications governance. Supply chain access passwords are often the biggest offender in terms of cyber breach. It is absolutely imperative that your team are fully trained and understand the consequences of any communications or shared information they may have used to ease other processes. Clear and concise guidelines within supplier agreements will help deliver the correct level of governance. Alongside the security perspective, this is also essential knowledge for any firm to be able to share with the regulator and to fulfil any operational due diligence requirements from investors too. It is vital to be able to show evidence of your supplier DD checks and of course the FP16/5 guidance does go into this in some detail.
At RFA we have been talking for some time about mitigating the risk of attack, and there are many processes you can put in place to help reduce the likelihood of any breach of your own systems. Process and procedure are key. Basic instructions for staff working in a satellite office or remotely should be readily available. Different access levels for different users are a must. Using collaboration tools correctly and securely will really reduce your risk of attack. Finally, work with an outsourced provider that has specialist teams with the experience to manage your cyber security defences, from managed detection and response to a security operations centre, which can support your firm and deliver reporting on your systems that helps you mitigate against cyber attack.