Nick Denning, CEO of IT consultancy Diegesis, and veteran of multiple successful digital transformation projects, shares insights on protecting your organisation and identifying security vulnerabilities in the face of increasing cyberattacks
As the number of cyberattacks hitting the news continues to grow, learn here how best to protect your own organisation and identify the “weakest link” in your security, starting with a look at the cyberattacks making the headlines.
This year, a number of high-profile cyberattacks have been making the news. A snapshot of just the month of May saw the UK press reporting cyberattacks affecting organisations as diverse as the Ministry of Defence, NHS Dumfries and Galloway, and Christie’s.
NHS Dumfries and Galloway saw a ‘proof pack’ sample of data, including some children’s mental health records published by criminals to the dark web. The threat was that if a ransom was not paid, more details would follow.
A BBC report days later reported an increase of 55% in cyber incidents in education and childcare in 2023 over 2022. (1) Stories about individual schools may only make the local press. Still, attacks have led to data breaches, cancelled lessons, and staff and pupils being unable to access systems or even school buildings.
In summary, the threat is only getting bigger. Yet attacks still succeed because organisations are not doing the simple things.
Find your weakest link
Cyber security companies are always trying to sell the next new thing to keep your company safe. However, doing the basics well is what makes your organisation materially more secure. Think of your organisation as a property. There is no point investing in barbed wire and searchlights at the front of your house if you have holes in the fence at the back! Take a 360-degree view of security and build it progressively. Invest in monitoring to identify your weakest link. Then, target spending to fix that weakness using the most economical solution.
Many cyberattacks opportunistically blast large numbers of organisations and individuals. Compare this to the petty thief who walks down a street in summer and targets the houses with wide open windows or piles of mail on the doormat. If you do not meet the criteria for easy pickings, the thief moves on. What’s specific to your organisation that can be actioned easily to ensure the cybercriminals keep walking? It might be as simple as switching on multi-factor authentication and replacing weak or reused passwords (current NCSC guidance favours this over forcing staff to change passwords on a schedule), or better educating your staff about threats, policies and processes.
Build your defences against cyberattacks
Once you have built a robust wall – reinforce it progressively, identifying extra defences you’ll need to buy, or possibly replace and bolster later. For example, your organisation’s wall could be constructed from a collection of products, including firewalls, anti-malware, VPNs, vulnerability assessments, and asset management, combined to meet your specific circumstances.
Such products are available at modest cost and will give you basic protections. Next, a deeper analysis can uncover less obvious vulnerabilities. For example, running analytics to query your email system’s audit logs can identify whether data is being exported or accessed by cybercriminals, such as mailbox rules that quietly forward mail to an outside address, or one account suddenly reading far more messages than usual. You could add further services that protect against phishing or scan the dark web to see if any of your data is already out there or up for sale. Such solutions build your wall higher and increase your security.
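To make the email analytics above concrete, here is an added example (not code from the original article, nor from Diegesis or any of its products) that triages a small set of mailbox audit events for two classic signs of compromise: forwarding or redirect rules pointing outside the organisation, and bulk mailbox reads. The log lines are constructed sample data in a simplified, hypothetical newline-delimited JSON schema (field names `user`, `op`, `params`), loosely modelled on the kind of operations cloud mail platforms record; the internal domain list, operation names and the 1,000-item threshold are assumptions you would replace with your own.

```python
import json
from collections import defaultdict

# Assumption: these are the organisation's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example.org"}

# Operations that create or change forwarding, and the parameters that carry the target.
# These names follow a hypothetical, simplified audit schema, not a specific vendor's format.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

# Constructed sample audit log (newline-delimited JSON). Not real data; one line is
# deliberately malformed to show the parser tolerating it.
SAMPLE_LOG = """\
{"time": "2024-05-14T08:02:11Z", "user": "alice@example.org", "op": "New-InboxRule", "params": {"ForwardTo": "alice.home@mail.example.net", "DeleteMessage": true}}
{"time": "2024-05-14T08:05:40Z", "user": "bob@example.org", "op": "New-InboxRule", "params": {"MoveToFolder": "Invoices"}}
{"time": "2024-05-14T08:30:02Z", "user": "dave@example.org", "op": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "finance@example.org"}}
{"time": "2024-05-14T09:10:00Z", "user": "carol@example.org", "op": "MailItemsAccessed", "params": {"count": 40}}
{"time": "2024-05-14T09:11:00Z", "user": "carol@example.org", "op": "MailItemsAccessed", "params": {"count": 1200}}
{"time": "2024-05-14T09:12:00Z", "user": "carol@example.org", "op": "MailItemsAccessed", "params": {"count": 900}}
{"time": "2024-05-14T09:15:00Z", "user": "erin@example.org", "op": "MailItemsAccessed", "params": {"count": 12}}
{"time": "2024-05-14T09:20:00Z", "user": "erin@example.org", "op": "Set-InboxRule", "params": {"RedirectTo": ["erin@example.org", "drop@drop.example.net"]}}
not json at all
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping malformed lines instead of aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not hide the findings in the good ones
    return events


def is_external(address):
    """True when the address's domain is not one of ours (compared case-insensitively)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def find_external_forwarding(events):
    """Return (user, operation, target) for every rule that forwards or redirects mail
    to an address outside the organisation. Targets may be a single string or a list."""
    hits = []
    for ev in events:
        if ev.get("op") not in FORWARDING_OPS:
            continue
        params = ev.get("params", {})
        for name in FORWARDING_PARAMS:
            targets = params.get(name)
            if targets is None:
                continue
            if isinstance(targets, str):
                targets = [targets]
            for target in targets:
                if is_external(target):
                    hits.append((ev["user"], ev["op"], target))
    return hits


def find_bulk_access(events, threshold=1000):
    """Sum MailItemsAccessed counts per user and return those above the threshold.
    The threshold is an assumption; tune it to each mailbox's normal daily volume."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("op") == "MailItemsAccessed":
            totals[ev["user"]] += int(ev.get("params", {}).get("count", 0))
    return {user: n for user, n in totals.items() if n > threshold}


def review(log_text):
    """Run both checks over a log and return the findings keyed by check name."""
    events = parse_events(log_text)
    return {
        "external_forwarding": find_external_forwarding(events),
        "bulk_access": find_bulk_access(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check, findings)
```

On the sample data the script flags Alice’s rule (forwarding to a personal mailbox and deleting the original, a textbook business-email-compromise setup), Erin’s redirect that fans out to an external address alongside her own, and Carol’s 2,140 items read in three minutes, while Dave’s forward to an internal finance mailbox is left alone. In production you would feed it the real export from your mail platform and review the hits by hand; the value is that the query runs every day, not once.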
Do your suppliers make you vulnerable?
In today’s connected world, where crucial services and functions are increasingly provided by third parties, vulnerabilities at your suppliers and partners might also leave you exposed. The recent data breach at the Ministry of Defence saw hackers access personal details of UK armed forces through a supplier.
The details of 270,000 armed forces personnel were accessed in a cyber espionage operation targeting a contractor responsible for managing the MOD’s payroll system. This raises specific questions about the security of the UK defence sector supply chain and the procedures used to select vendors and contractors. However, does your industry and organisation also have similar vulnerabilities?
Forthcoming legislation means you should act now
Two pieces of EU-driven legislation seek to address supply chain security and resilience. DORA, the Digital Operational Resilience Act, sets out a harmonised approach to digital operational resilience across the EU’s financial sector; it entered into force in January 2023 and applies from 17 January 2025. If you supply ICT services to financial entities in Europe and want that business to continue, you will have to meet DORA’s third-party requirements through your contracts with them, and the largest providers come under direct EU oversight.
DORA is built on five pillars: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; managing ICT third-party risk; and information-sharing arrangements. Doing all you can to prevent attacks in the first place will save your organisation potential business interruptions, effort and reputational damage.
Similarly, the EU’s NIS2 directive, which addresses cyber security and the potential impact of attacks on critical infrastructure, is due to be transposed into member states’ national legislation by 17 October 2024. NIS2 applies to critical sectors such as transport, energy and healthcare, and because it obliges those organisations to manage the security of their supply chains, you will be affected if you supply them, so you need to take action now. The controls needed to be fully compliant may be significant, so make sure the basics are done first. Forewarned is forearmed.
Help is at hand
Just as you wouldn’t expect to build a wall around your property yourself, the cyber security equivalent of architects and builders are on hand to help.
Diegesis has expertise from numerous digital transformation projects that examine how legacy systems function and can evolve to embrace new technologies. We understand the principles of “secure by design”, how systems work together, and where vulnerabilities may exist. Retrofitting is difficult, yet there are protections that can be put in place.
Our partners, such as CyberAlarm, can also help identify an organisation’s weakest link. Our sister company, Policy Monitor, offers complementary solutions that will ensure people in your organisation remain aware of cyber threats and what to do about them. It is time to take action to stay safe and out of the headlines.
Nick Denning is the founder and CEO of Diegesis.
Visit www.diegesis.co.uk and/or www.policymonitor.co.uk for more information.
Reference
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.