The myth of doing “the basics” in cyber security

The myth of covering the basics in cyber security.

Almost every cyber incident covered by the media is followed by the same analysis – the criminals got in using well known techniques. To protect yourself, therefore, you need to cover these basic attacks.

In this sense, cyber security breaches are like traditional burglary. Thieves have long exploited typical oversights people make in securing their homes: an open window or door is still the most common way they get in. In business, there’s a similar analogy between physical and cyber security:

·       Are all the doors and windows closed? (is the firewall properly configured?)

·       Is CCTV installed? (Are protective monitoring system logs turned on?)

·       Have you turned the alarm system on? (Is intrusion detection enabled?)

·       Is the alarm monitored? (Is there a Security Operations Centre?)

It’s true that doing basic things like these will make a company less likely to be the victim of a crime.  The myth is that this is sufficient for businesses, particularly larger ones.  This is because, as organisations scale, covering the basics quickly becomes an enormous task. If you have just one office, then making sure you’ve locked all the doors is easy, but if you’re a multinational with thousands of properties or a private equity company owning a portfolio of companies it’s not. A more scalable approach is necessary.

As your organisation grows, doing ‘the basics’ means different things at different levels.

This applies to cyber security too.  The problem is that many in cyber security have got into the bad habit of asking the same questions at every level. For example, Cyber Essentials (a UK government-recommended standard) is an excellent tool for a technician.  It was never designed, however, as a guide for managers’ responsibilities, much less the board of a multi-national. And the myth that it is, was a contributing factor to hacks like the one Jaguar Land Rover.

So what are the cyber security questions that senior leaders should be asking?  

Helpfully, the UK NCSC has already provided a useful set, called the Tool for Boards.  Where many companies doing this on their own get stuck, however, is in providing answers to the often deceptively simple questions.  Sometimes, when Bee-net facilitates workshops for companies going through these, we find that questions like ‘do you have a Cyber Risk Strategy?’ produce embarrassed silence or a list of technical fixes or tactical activities such as anti-phishing training. Not only do board members often not know what a Cyber Risk Strategy is, they don’t know what the strategic cyber risks specific to their company are either: sometimes they say they thought that this was all being looked after by the head of IT or their CTO. Understanding cyber risks in terms of their effect on strategic objectives is a key shift. The organisation’s Cyber Risk Strategy is then the approach taken to mitigate these risks. These two elements form ‘the basics’ of cyber security at the senior leader’s level.

That many companies struggle to articulate their strategic cyber risks particularly applies to private equity-backed or other high growth companies, where culture and governance can lag the growth in value – they have not yet internalised a consistent method for developing and prioritising cyber risks. Bee-net solves this problem with our unique Cyber Maturity Accelerator™. Make sure you subscribe to our newsletter to be the first to receive our upcoming whitepaper on the first step in this four-step framework, Prioritisation.

Next
Next

For private equity firms: why compliance-led cyber security will get you hacked