
Practical steps to becoming cyber safer


This month the UK House of Commons’ Public Accounts Committee has heard from Government IT leaders about the serious risks that cyber threats present for public services. This is a stark reminder of how big a threat cyber risks are to public services, the economy and civil society.

As we’ve blogged before, it isn’t possible to be 100% ‘cyber safe’, since bad actors are constantly evolving their tactics to bypass even the strongest defences (and anyone who tells you otherwise is lying). There are, however, things that organisations should be doing to become ‘cyber safer’.

The thoughts below are designed to complement the hard work you're already doing and help you build a cyber posture and culture that gives you robust foundations. These will help you to be as prepared as possible when the worst happens.

The organisations who’ve been hit thought they had cyber risks managed

Cyber attacks are becoming increasingly common, affecting organisations of all sizes and across all sectors. Even large, well-resourced organisations have been hit by serious cyber attacks, including NHS 111, the British Library, Capita, Royal Mail and Synnovis (NHS blood services). The list continues to grow. Assume that these organisations were trying just as hard as you to protect their systems and data.

The only ‘safe’ bet is to assume that your controls won’t work

Standards help, until they don’t. Attackers don’t care about the compliance certificates you’ve earned; they’ll ruthlessly exploit any potential gaps that they’re able to find in your defences.

Scan your defences continuously — the bad people are, so you need to as well. You will have vulnerabilities, no matter how hard you work to prevent them. Consider how you could use a ‘Red team’ approach to find the weak points more quickly than the bad people do. Repeat this often.

Importantly, don’t make assumptions about security. You can't outsource risk. Using a well-known vendor or partner doesn't guarantee your systems are secure.

Are you doing enough to reduce risk by design?

Protecting your network is essential, but that’s not enough on its own. You will need to go further and put measures in place that will not only reduce the potential risks, but also the impacts that a successful attack could have.

  • Multi-factor authentication should be standard for all access to your systems. Newer passwordless authentication methods can help you to further increase your security and should be investigated.

  • Your support processes are a core part of your defences. Make sure that your support team is watching out for attempts to trick them into giving unauthorised access to your systems.

  • You can also reduce your risks by modernising the way your users access your systems. Increase your resilience by moving from client apps to web apps as quickly as possible, allowing you to remove common areas of vulnerability from your estate.

  • Deliver access securely over the web (without being dependent on your internal network), and enable secure access from any device — anywhere — as soon as you can.

  • Use a ‘zero trust’ approach to prevent a compromised device or account from compromising your whole network. Segment your network and minimise dependencies to the greatest extent possible to reduce the impact of a successful attack.

  • Use the cloud to support your security and resilience, and make sure that any ‘hybrid cloud’ you need for your services doesn’t compromise that.

  • Decommission legacy technology and purge data that is no longer needed as soon as you can. Do this continuously. If legacy systems can’t encrypt your data at rest, put those high up your decommissioning list.

Don’t forget your supply chain

The security of your supply chain could be your Achilles heel. Work to radically simplify it and minimise the potential for risk (including your cyber defence supply chain: think SolarWinds, Kaseya and CrowdStrike).

Apply a ‘least possible trust’ approach to your supply chain to minimise the risk of backdoors into your systems — and only share the minimum data needed.

Develop a plan for how you’ll contain the risks presented by any supplier constraints or requirements (don’t let your suppliers’ legacy tech hold you back).

If key delivery partners are affected by a cyber attack, make sure that your business has done the work needed to help you understand and plan for the resilience of your service delivery. Even if your systems aren’t affected, data you’re responsible for and critical parts of your service operations can be.

Have a plan for the data impacts of an attack

Data breach or theft is as big a risk as systems being unavailable. Attackers are increasingly threatening to publish stolen data in order to extort their victims. Make sure you’re prepared:

  • Understand the data you hold by making sure that your information asset register is complete and up to date. This will be an essential tool if you need to respond to the risks of stolen data.

  • Make sure that you are clear about your responsibilities for data and how you’ll respond if sensitive data is stolen by attackers. Your information governance and data protection team will have an essential role to play as part of a cyber response.

  • Establish strong connections with data-sharing partners. Involve them in developing and testing your cyber response plans to ensure you’re prepared to collaborate effectively in a crisis.

  • Data is critical to delivering high quality and efficient services, but the more data you hold and share, the greater your risks. Make sure that you only hold — and share — the minimum data needed.
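Several of the points above (MFA as standard, decommissioning legacy systems that cannot encrypt data at rest, keeping the information asset register complete, purging data past its retention period, and knowing which partners you share sensitive data with) can be turned into a repeatable check against your asset register rather than a once-a-year review. The script below is an added example, not Public Digital’s code or a tool the post describes. The register layout (a list of records with `owner`, `classification`, `mfa_enforced`, `encrypts_at_rest`, `legacy`, `retention_until` and `shared_with` fields), the UK-style classification markings treated as sensitive, the reference date and the four sample systems are all constructed assumptions for illustration; a real register will need its own field mapping.

```python
"""Triage an information asset register against the controls the post recommends.

Added example: the record format, field names, classification labels,
reference date and sample systems below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed reference date so the sample is reproducible; use date.today() in practice.
AS_OF = date(2025, 1, 15)

# Constructed sample register: four systems with the attributes the post calls out.
SAMPLE_REGISTER = [
    {"name": "citizen-portal", "owner": "Digital Services", "classification": "OFFICIAL-SENSITIVE",
     "mfa_enforced": True, "encrypts_at_rest": True, "legacy": False,
     "retention_until": "2027-01-01", "shared_with": ["NHS partner"]},
    {"name": "hr-payroll-legacy", "owner": "People Team", "classification": "OFFICIAL-SENSITIVE",
     "mfa_enforced": False, "encrypts_at_rest": False, "legacy": True,
     "retention_until": "2023-06-30", "shared_with": ["payroll-bureau"]},
    {"name": "archive-fileshare", "owner": "", "classification": "",
     "mfa_enforced": False, "encrypts_at_rest": True, "legacy": True,
     "retention_until": "2024-12-31", "shared_with": []},
    {"name": "intranet-wiki", "owner": "Comms", "classification": "OFFICIAL",
     "mfa_enforced": True, "encrypts_at_rest": True, "legacy": False,
     "retention_until": "2030-01-01", "shared_with": []},
]

# Fields an incident responder needs on day one; an entry missing any of them is incomplete.
REQUIRED_FIELDS = ("owner", "classification", "retention_until")
# Assumed markings that count as sensitive for the data-sharing check.
SENSITIVE = {"OFFICIAL-SENSITIVE", "SECRET"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    asset: str
    severity: str  # "high", "medium" or "low"
    issue: str


def triage(register, today=AS_OF):
    """Return findings for every record, highest severity first, then by asset name."""
    findings = []
    for asset in register:
        name = asset["name"]
        # Register completeness: you cannot respond to stolen data you cannot describe.
        for field_name in REQUIRED_FIELDS:
            if not asset.get(field_name):
                findings.append(Finding(name, "medium", f"register incomplete: '{field_name}' missing"))
        # Legacy systems that cannot encrypt at rest go to the top of the decommissioning list.
        if asset["legacy"] and not asset["encrypts_at_rest"]:
            findings.append(Finding(name, "high", "legacy system cannot encrypt data at rest: decommission first"))
        elif asset["legacy"]:
            findings.append(Finding(name, "low", "legacy system: schedule decommissioning"))
        # MFA should be standard for all access.
        if not asset["mfa_enforced"]:
            findings.append(Finding(name, "high", "MFA not enforced for access"))
        # Data minimisation: hold nothing past its retention date without re-justifying it.
        until = asset.get("retention_until")
        if until and date.fromisoformat(until) < today:
            findings.append(Finding(name, "medium", f"retention period ended {until}: purge or re-justify"))
        # Sensitive data shared with partners: they belong in your response-plan testing.
        if asset["classification"] in SENSITIVE and asset["shared_with"]:
            partners = ", ".join(asset["shared_with"])
            findings.append(Finding(name, "low", f"sensitive data shared with {partners}: test response plan with them"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))


def summary(findings):
    """Count findings per severity so the trend can be tracked run over run."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def decommission_priority(register):
    """Legacy systems ordered so those that cannot encrypt at rest come first."""
    legacy = [a for a in register if a["legacy"]]
    return [a["name"] for a in sorted(legacy, key=lambda a: (a["encrypts_at_rest"], a["name"]))]


if __name__ == "__main__":
    results = triage(SAMPLE_REGISTER)
    for f in results:
        print(f"{f.severity:6} {f.asset:20} {f.issue}")
    print(summary(results))
    print("decommission first:", decommission_priority(SAMPLE_REGISTER))
```

Run it on a schedule against an export of the real register and keep the `summary` counts: a rising "medium" count usually means the register is drifting out of date, which is exactly the tool you will be missing when stolen data has to be accounted for.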

Build a whole organisation culture that will support your resilience and response

A calm and purposeful approach to cyber will make it much easier for you to protect your systems and respond if you experience an attack. Being well prepared is a whole-organisation effort, not something that can just be left to your technology team.

We have blogged previously about the vital role of leadership in responding to a cyber incident and also in creating the conditions that will help you to be ‘cyber safer’. Our experiences and insights can support organisations in building a strong cyber culture, protecting data, and safeguarding customers against evolving cyber threats.
