Many organisations approach cybersecurity as a compliance problem, which can lead to their IT function focusing on the technical controls contained within standards such as ISO27001 or NIST. This almost transforms security into a ‘box ticking exercise’ of purchasing solutions to implement controls.
The result can be disjointed and fail to address areas of risk. An extreme example is a cyberbreach I investigated at a company some years ago. The IT team considered their risk to be low, feeling that their data was not worth stealing, and invested in security solutions to achieve compliance:
- remote disaster recovery site with replicated filesystem;
- full packet network capture for investigations;
- SIEM solution;
- anti-virus deployed across estate;
- jump box for remote administrator access.
Due to funding constraints they had overlooked a publicly accessible webserver operating from within their core network. This system was running Windows Server 2003, an outdated version of JBoss and was also their central admin jump box. When IT requested funding to upgrade, they failed to present it in terms of benefits to the business and were seen as a cost: IT ‘wanting the latest shiny toys’ again.
Unfortunately, this made it easy for an attacker to penetrate their network, gain administrator rights and then spread ransomware throughout their entire estate; encrypting over 600 servers and desktop machines at midnight on Friday.
As you can imagine, the scene on Monday morning when they discovered that their entire operation had been brought to a halt was chaotic. With no incident response or crisis plans, they made the business decision to pay the initial ransom of £40,000 to recover and be operational again. The attackers then demanded an additional £40,000 to cover the cost of providing so many decryption keys which, being insignificant compared with the business interruption caused, was also paid!
During the investigation, it transpired that the technical controls they had invested in were ineffective. The remote disaster recovery site was encrypted and beyond recovery. As the attack was over SSL, network capture was ineffective and transpired to only capture inbound traffic. Further, their SIEM solution had not been deployed properly.
As is common with many ransomware attacks, the malicious executable was generated specifically for this attack. This meant the anti-virus, which is a reactionary tool, was unable to detect or block the threat.
While the company was right—their data was not valuable to others and we found no evidence of it having been taken—they had failed to consider how valuable their data was to them and the severe implications for the business should they be unable to access it.
Consequently, I’d advocate a risk-based approach to cybersecurity. It is essential that businesses identify their ‘crown jewels’ both in terms of personal data and key operational systems that should then be prioritised for security investment. Organisations should also regularly test their incident response plans and defences, providing assurance that they are fit-for-purpose and, more importantly, using any lessons learned to continuously improve.
While compliance does not guarantee security, a risk-based approach to cybersecurity should include compliance as a business impact along with financial and reputational impacts.
I will be exploring this further in a BCS webinar later in the year. You can find more details on the AlixPartners risk-based approach at What CEOs Need To Do Before The Next Threat