Is the most important question “How secure are we?” or is it really “Are we managing our security risk to an acceptable level?”
If you accept that 9 out of 10 large organisations now suffer some kind of security breach, as the 2015 Information Security Breaches Survey (commissioned by the Department for Business, Innovation and Skills (BIS)) showed, then you also have to accept that your own security breach is a question of ‘when’, not ‘if’.
It follows that you need to understand what impact security-related incidents will have on your business, and to manage that impact within an acceptable level of security risk. Put concretely: does your total annual investment in security-related initiatives, added to the total annual business cost of security-related incidents, come to less than the risk threshold the organisation’s business decision-makers are willing to accept?
How that threshold is quantified will vary from one organisation to another, but since these incidents are now a near certainty, businesses should make sure they are managing the risk accordingly.
Identifying the impact security-related incidents could have on your business is not easy, because you don’t know what you don’t know, which is why red teaming is on the rise. Red teaming is real-world testing through accurate simulations of the kind of targeted attacks organisations face every day. A methodology like this is the most reliable way to establish the real business impact of a breach, and only by understanding that impact can your security posture genuinely improve.
Red teaming is not a security audit or a penetration test. It is conducted over an extended period by highly skilled professionals and combines many layers of attack methodology to find security holes, and it also determines exactly how well your organisation is equipped to deal with those holes being exploited in the real world.
Once you know your business’s security risk you are in a much stronger position to respond effectively to specific security threats, vulnerabilities and exploits as they come and go over time. You will need to:
- Understand what systems and applications the business runs and what role each one plays;
- Keep those systems, applications and networks securely configured, patched and up to date;
- Maintain visibility into what’s happening on the network, and be in a position to respond quickly when something goes wrong.
The pre-emptive measure is to have a strong incident response plan in place. It should set out how each incident is to be categorised and prioritised, and list the steps to be taken to investigate, report and remediate it. Following clear, pre-agreed guidelines also reduces the likelihood of the response being driven by an external factor, such as claims made by a malicious third party.
Crucially, the plan should include a communications strategy for when an incident occurs, detailing the chain of people who need to be informed. The plan should be reviewed regularly so that it stays up to date with changes in the business.