Who better to offer cyber security tips than an ethical hacker? At the recent AIRMIC Conference, Ken Munro, founder of cyber security firm Pen Test Partners, shared his insights with Lauren Folkard, Head of Cyber Insurance, London Market for Sompo International. Here are five key takeaways.
Keep up with the changing threat landscape
Cyber crime is no longer the preserve of disgruntled former employees, state actors, or lone wolves. It has been commercialised, with hacking offered as a paid-for service, and industrialised. Low-level operators look for a way in, establish a foothold in a network, then sell that access on to others who will exploit it. Similarly, breached data is resold to those who can monetise it. High-end attacks sponsored by nation states are less common, but it is still important to assess which actors might be interested in your data, and therefore what level of defence is appropriate.
Check your defences
Is your cyber security applied consistently, or do you have weak spots in your defences? Where are the exceptions to the rule? When you apply updates, are some systems skipped for fear of interrupting critical services? Find out which systems still have weak passwords: there will be some, often in unexpected places. Do all of your staff follow the security rules, right up to board level? Hackers exploit exceptions.
Have an active incident response plan
Your incident response plan should not be gathering dust in a drawer; it needs to be tested regularly. Backup, backup, backup, but also test and evaluate your backup and restore processes, because a backup that has never been restored is not a backup you can rely on. Select vendors who know your systems and who will rehearse response exercises with you. Have a playbook, and accept that it may only get you through the first 24 hours of a cyber incident.
Instill security as a culture
Cyber security is not just an IT problem. Every organisation needs someone at or reporting to board level who can cut through the jargon and help the board ask the right questions about security. When the board can relate cyber risk to monetary risk, it is better placed to make informed decisions. A well-managed cyber incident can minimise reputational damage, and in some cases can even boost a company's share price.
Trust to people power
Should something go awry with your organisation's cyber security, threatening data loss or a ransomware demand, do you have an escalation process under which someone is authorised to shut down the network quickly and preserve your data? If that decision has to go through a board-level approval process, it may be too late. Instead, think about how you can empower employees to make crucial decisions in the moment, without fear of censure.