At a time when most of us want to hear answers about how to keep our organisations safe and secure, Ciaran Martin, the National Cyber Security Centre’s chief executive, wants us to ask more questions.
As one of the nation’s top so-called securocrats, Martin’s authority in this area is unparalleled, which is why his call for business leaders to focus on answering basic cyber security questions is so refreshing.
We know dedicated nation-state hackers are successfully attacking the UK’s critical national infrastructure, while bedroom-based teenagers with crude online tools are causing havoc at FTSE 100 companies.
The business consequences of a breach are clear: the loss of consumer data and sensitive intellectual property; damaged relations with existing and prospective customers; and a reputational hammering in the press.
More data is being lost with each successful hack. And although the financial cost has dropped slightly this year, the actual cost of a breach will increase exponentially after fines from the EU’s General Data Protection Regulation (GDPR) come into force in 2018.
It’s common sense really: a poor grasp of the basics will increase an organisation’s risk profile.
So, what are the cyber security questions business executives need to answer? In a speech to UK technologists last month, Martin shared the questions he always asks CEOs who express their worry about cyber threats.
Can you operate your own security features or do you get somebody else to do it for you?;
What did your last penetration test tell you?;
If you had an insider threat, what would they have access to?; and
What is your incident management plan?
The answers to these questions are essential for any effective cyber security plan, yet they are not the only building blocks for strong cyber defence. During the speech, Martin called on technologists to suggest additional questions business leaders should be able to answer, and we are happy to oblige.
Based on our experiences protecting the world’s largest and most complicated networks, Tanium believes every organisation needs to be able to answer these three critical questions:
How many computers do I have?
Whenever we speak to C-suite executives at large organisations, we always begin with the simplest IT question imaginable. Yet, only a tiny minority of the executives we speak with have been able to answer this question definitively.
The default response is to give a range: “I have between 200,000 and 400,000 endpoints.”
This is where the security problem begins for most companies. If you don’t have visibility of your entire network environment, you won’t know what needs protecting or where your vulnerabilities lie. Businesses need to ditch the legacy tools that can’t even tell them how many assets are on their network.
How many of them have up-to-date patches?
The overwhelming majority of cyber attacks are successful by exploiting a simple weakness.
More often than not, these weaknesses are fixed by patches released by software developers. Yet organisations with large networks don’t know how many of their endpoints are patched and up to date. For example, the WannaCry ransomware, which crippled parts of the NHS earlier this year, leveraged a known vulnerability.
If the affected computers had been kept up to date, A&E departments wouldn’t have been closed and thousands of surgeries would not have been cancelled. Businesses need to overcome the culture of fear that prevents changes to their network, and invest in tools to enable widespread and efficient patch management.
Who is responsible for cyber security?
We’re not talking about the technicians and IT staff who manage the network on a day-to-day basis. This is about identifying a senior leader who takes overall responsibility for the organisation’s network security.
As Martin said in his speech:
Given people are aware of cyber security and the threat, and there is money to invest, why aren’t those simple defences being improved to the extent they need to be?
This can be explained by a lack of accountability at the top. When no organisational leader feels like cyber security is their responsibility, it’s only natural nobody takes ownership.
Having a named person at board level will reduce the accountability gap at the top of business – and drive up security standards in the process.
There is no silver bullet to protect us against every cyber risk. But to reduce the threat, businesses need to get to grips with the basics.
An effective cyber security plan is built on a foundation of simple information: how many devices do I have, how many of them are up to date, and who is responsible for keeping us secure?
Only once these pieces of information are known can an organisation seriously begin to defend itself and take advantage of the opportunities of the future.