Good cyber security safeguards your organisation’s ability to function and is central to its health and resilience.
Protecting an organisation against cyber crime is everyone’s responsibility, not just the IT department’s, and support from senior leadership is paramount. The sharp rise in cyber attacks since the pandemic has shown there is no room for complacency. It is also dangerous to assume that any sector is safe: local authorities, hospitals and charities have all been the target of costly attacks.
Despite this, investment in cyber security is slowing, with boards questioning what large cyber security spending has achieved. According to a 2021 Gartner report, boards and senior executives are asking the wrong questions about cyber security, which leads to poor investment decisions.
The National Cyber Security Centre handled as many ransomware incidents in the first four months of 2021 as it did in the whole of 2020. Last year, the Janet Network saw nearly 800 DDoS attacks targeting Jisc members. Thanks to Jisc’s DDoS mitigation service, none of the attacks severely impacted Janet-connected organisations, but the figure does highlight the scale of the problem we are all facing.
So, what does good cyber security look like? The simple answer is whatever protects the things you care about. Cyber security must be appropriate to your systems, processes and staff, and suitable for the level of risk you are willing to accept. Managing this is a continuous process that does not fall on the IT department alone, and it has three overlapping components, summarised below.
Understand the risk
- Establish what is important to you.
- Understand the part you play in cyber security and what you are responsible for.
- Understand your IT estate.
- Recognise your vulnerabilities and what may be of value to an attacker.
- Identify who might target you and how they would do it.
Prioritise those risks
- Good risk management should go beyond just compliance and form part of day-to-day operations. You need to know what you care about the most and who you’re defending it against.
- Integrate cyber security into organisational risk management processes.
Take steps to manage your risks
- Have procedures in place for when things go wrong. Then, rehearse and test them against various scenarios and eventualities and update them if you need to.
- Implement a range of preventative and reactive defences as part of a defence-in-depth approach. Attackers only need to find a single vulnerability, whereas defenders need to find and address them all.
- A positive security culture, where people feel confident to raise concerns and challenge ineffective practices, will help build protection that works for your organisation.
- Maintain the integrity of your back-ups; Jisc can help you recover, but only if you have intact back-ups of your critical systems and data.
- Plan with suppliers, providers or partners to mitigate the risks of supply chain attacks.
For these steps to be effective, you’ll also need to get the environment right
- Embedding cyber security in your organisation is not just ‘good IT’; it must enable an organisation’s digital activity to flourish.
- Board members should lead by example to promote a healthy cyber security culture.
- As the demand for cyber security professionals grows, plan to ensure your organisation can draw upon the expertise you need.
Must-haves as part of a successful cyber maturity model
- Achieve Cyber Essentials for computer systems and users across the organisation.
- Implement multifactor authentication for all critical systems and services.
- Run regular mandatory security training and awareness programmes, complemented by a range of ongoing formal and informal activities.
- Make use of the Jisc services included in your Janet connection to mitigate the risks of staff accessing malicious and dangerous websites.
- Send logs from critical systems to a segregated central logging platform, so that an attacker who compromises a host cannot erase the evidence and investigators have a trustworthy record to work from.
- Keep isolated off-site back-ups, and regularly test both recovery procedures and how long recovery actually takes.
- Consider investing in cyber insurance, and make sure the cover is right for your organisation.
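The two back-up points above (keep the back-ups intact, and test that you can actually recover from them) only hold if a restored copy can be checked before it is trusted. One practical way to do that is a keyed manifest of file hashes, generated at back-up time and stored off the backed-up host; at restore time the manifest's HMAC is checked first (so an attacker who alters the back-up cannot quietly re-hash it to match), then every file is compared against it. The following is an added example written for this page, not a Jisc tool or a script from the original text; `MANIFEST_KEY`, the file names and the back-up contents are constructed placeholders, and in practice the key would be held by the back-up operator, not on the machine being backed up.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Placeholder key for the example. In a real deployment this secret lives with the
# back-up operator / off-site store, never on the host whose files are being hashed.
MANIFEST_KEY = b"example-key-replace-with-a-secret-held-off-host"


def sha256_file(path):
    """Stream a file through SHA-256 so large back-up artefacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _canonical(entries):
    # Fixed key order and separators so the HMAC is computed over a stable byte string.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key=MANIFEST_KEY):
    """Hash every file under root and sign the resulting {relative_path: sha256} map."""
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            entries[path.relative_to(root).as_posix()] = sha256_file(path)
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_manifest(root, manifest, key=MANIFEST_KEY):
    """Return (ok, findings).

    findings contains 'manifest-tampered' if the HMAC fails, otherwise zero or more of
    'modified:<file>', 'missing:<file>' and 'unexpected:<file>'.
    """
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Do not bother hashing files: the manifest itself cannot be trusted.
        return False, ["manifest-tampered"]

    root = Path(root)
    present = {p.relative_to(root).as_posix(): p
               for p in sorted(root.rglob("*")) if p.is_file()}
    findings = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            findings.append(f"missing:{rel}")
        elif sha256_file(present[rel]) != digest:
            findings.append(f"modified:{rel}")
    for rel in present:
        if rel not in manifest["files"]:
            findings.append(f"unexpected:{rel}")
    return not findings, findings


def demo():
    """Constructed back-up set: sign it, then simulate tampering and a forged manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "students.sql").write_bytes(b"CREATE TABLE students (id INT);\n")
        (root / "config.yaml").write_bytes(b"site: example\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # An attacker (or silent corruption) alters the copy we are about to restore from.
        (root / "db" / "students.sql").write_bytes(b"DROP TABLE students;\n")
        (root / "config.yaml").unlink()
        (root / "malware.bin").write_bytes(b"\x00")
        tampered = verify_manifest(root, manifest)

        # The attacker also edits the manifest to match the altered file, but lacks the key.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["db/students.sql"] = sha256_file(root / "db" / "students.sql")
        forged_result = verify_manifest(root, forged)

        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(f"{label}: ok={result[0]} findings={result[1]}")
```

The manifest is only as trustworthy as the place it is kept: store it (and the key) with the off-site copy or in the logging platform, not alongside the back-up on the host that may be compromised. Running the verification as part of the regular recovery test gives a measurable result rather than an assumption that the back-up is good.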
Here’s how one organisation recovered
Dundee and Angus College was brought to a halt in 2020 by a ransomware attack.
“Nothing had prepared us for the crisis we headed into. With great teamwork, we rebuilt the digital element of our college in just less than five days,” says principal Simon Hewitt.