Rationalising your cyber estate
Relying on cyber insurance? ISO 27001 certified? You need to read this to avoid accidentally breaching your contract. By Scott Nursten, CEO, ITHQ
You are ISO 27001 compliant. You have documented proof. But if your insurers asked you whether the critical controls you have in place were compliant and matched your processes, what would you say?
We conduct assessments for businesses all the time that reveal, despite their ISO 27001 status, they are not actually compliant ‘on the ground.’ These same businesses often have a huge cybersecurity tech stack in place, made up of multiple expensive tools doing the same or similar jobs.
This is like throwing three trap nets over your business with the holes lined up. You will have three tools protecting you from the same 70% of threats, and crucially all three missing the same 30%. At worst, the tools interfere with each other, giving you less protection for three times the cost.
In the event of a serious, expensive breach, non-compliance and poor cyber resilience management can then also void your cyber insurance policy. Here’s how you avoid that nightmare scenario.
WHEN LAYERS OF SECURITY WORK, AND WHEN THEY DON’T
It’s all about having the right tools in the right place. The mistake many businesses make is layering tool upon tool, believing more is better.
Let’s take email filtering. It’s a hot topic. I know clients using Exchange Online Protection (the Office 365 email filtering), plus something like Mimecast, plus the mail filtering on the endpoint. While this represents more layers of security, the layers are all doing the same job. You also face extra admin overhead and disparate security profiles to keep in step.
Multiple tools can offer great security if they each do something different. It makes sense to have dedicated tools for anti-phishing, anti-spam and outbound email monitoring to check for insider threats. This protects both inbound and outbound data, prevents the spread of malware in both directions and helps stop your staff from inadvertently sharing or leaking critical or sensitive data: covering several critical controls rather than one.
WHY BUSINESSES HAVE MULTIPLE NETS WITH LINED UP HOLES
New security tools often arrive in an organisation as a reaction to a breach, because a new manager joins the organisation with a preferred tool in mind, or because they are tied to an existing long-term contract that prevents them from getting rid of the existing tool.
The first two points can be addressed with objective research prior to purchase. Liking a tool does not automatically mean it is the right tool for a specific job. And reactive spending – or Random Acts of Tactical Kindness, as we like to call them – rarely delivers long-term results. These are Band-Aids, usually bought in panic. They are not strategic purchases; they are reactive, backward-looking impulse buys rather than a planned defence against future threats.
The third reason is easily prevented: don’t sign long-term contracts! Many vendors and IT service providers want to tie you into multi-year contracts but unless there are tangible benefits to you, this is generally a bad idea. Three to four years in technology is a lifetime. Balance any discount benefits very carefully with whether you really believe your partner will offer cutting edge service in exchange for your long-term commitment to their solution.
HOW TO RATIONALISE YOUR CYBER ESTATE
Start with the big picture rather than diving straight into detail. People say, ‘What’s the biggest threat today? It’s ransomware. Great. Let’s get an EDR.’ While this solves one problem, it doesn’t consider how to prepare your business for the threats of tomorrow.
Take a holistic view of your security landscape. There are 18 controls to cover (the 18 CIS Critical Security Controls), and within each of those you must consider the attack lifecycle. This means understanding what you need to prevent attacks from happening, to detect attacks when they have happened, and to remediate and move on.
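One way to make that holistic view concrete is a tool-to-control coverage matrix: each product is mapped to the controls and lifecycle phases (prevent, detect, respond) it actually covers, and the matrix is then queried for uncovered controls (the “missing 30%”), controls covered in only one phase, and tools that add nothing another tool does not already provide. The script below is an added example, not the article’s or ITHQ’s assessment method; the tool names, annual costs and the control mapping of each product are constructed for illustration (control numbers follow the CIS Controls v8 numbering, but which product covers which control is an assumption).

```python
"""Tool-to-control coverage matrix for rationalising a security estate.

Added example, not from the original article. Tool names, costs and the
controls each hypothetical product maps to are constructed; the control
numbers use the CIS Critical Security Controls v8 numbering (1..18).
"""
from collections import defaultdict
from dataclasses import dataclass

PHASES = ("prevent", "detect", "respond")  # attack lifecycle per control
ALL_CONTROLS = range(1, 19)                 # CIS Controls v8 has 18 controls


@dataclass(frozen=True)
class Tool:
    name: str
    annual_cost: int      # constructed figure, GBP per year
    covers: frozenset     # set of (control_number, phase) cells the tool addresses


# Constructed estate: three overlapping mail filters (control 9), an EDR
# (control 10, plus some log detection under 8), outbound DLP (control 3),
# and nothing at all for the remaining controls.
ESTATE = [
    Tool("cloud-mail-filter", 10_000, frozenset({(9, "prevent"), (9, "detect")})),
    Tool("gateway-mail-filter", 18_000, frozenset({(9, "prevent"), (9, "detect")})),
    Tool("endpoint-mail-filter", 6_000, frozenset({(9, "prevent")})),
    Tool("edr", 30_000, frozenset({(10, "prevent"), (10, "detect"),
                                   (10, "respond"), (8, "detect")})),
    Tool("outbound-dlp", 12_000, frozenset({(3, "prevent"), (3, "detect")})),
]


def coverage(tools):
    """Map each (control, phase) cell to the set of tool names covering it."""
    cells = defaultdict(set)
    for t in tools:
        for cell in t.covers:
            cells[cell].add(t.name)
    return cells


def gaps(tools, controls=ALL_CONTROLS):
    """Controls no tool touches in any phase: the holes every net shares."""
    covered = {control for (control, _phase) in coverage(tools)}
    return sorted(set(controls) - covered)


def phase_gaps(tools):
    """Controls that are covered, but not across the whole lifecycle."""
    phases_by_control = defaultdict(set)
    for (control, phase) in coverage(tools):
        phases_by_control[control].add(phase)
    return {c: sorted(set(PHASES) - ps)
            for c, ps in sorted(phases_by_control.items()) if ps != set(PHASES)}


def marginal(tools):
    """Cells only this tool covers; an empty list means it adds no new coverage."""
    cells = coverage(tools)
    return {t.name: sorted(cell for cell in t.covers if cells[cell] == {t.name})
            for t in tools}


def prune(tools):
    """Greedily drop the most expensive tool whose removal loses no cell.

    Mutually redundant tools are resolved one at a time, so a group of three
    identical filters collapses to one rather than to none. Cost is the only
    tie-breaker here; real rationalisation must also weigh efficacy.
    Returns (kept, dropped)."""
    kept, dropped = list(tools), []
    changed = True
    while changed:
        changed = False
        baseline = set(coverage(kept))
        for t in sorted(kept, key=lambda tool: -tool.annual_cost):
            without = [k for k in kept if k is not t]
            if set(coverage(without)) == baseline:
                kept.remove(t)
                dropped.append(t)
                changed = True
                break
    return kept, dropped


if __name__ == "__main__":
    print("uncovered controls:", gaps(ESTATE))
    print("partial lifecycle coverage:", phase_gaps(ESTATE))
    print("unique contribution per tool:", marginal(ESTATE))
    kept, dropped = prune(ESTATE)
    print("drop:", [t.name for t in dropped],
          "saving GBP", sum(t.annual_cost for t in dropped))
```

On the constructed estate the output is the picture the article describes: 14 of the 18 controls have no coverage at all, the mail filters cover prevent and detect for control 9 but nothing for respond, none of the three mail filters contributes a cell the others do not, and pruning keeps one filter, the EDR and the DLP while releasing the budget of the other two. The matrix says nothing about how well each tool performs in its cells, so it is a starting point for the assessment conversation, not a substitute for it.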
GETTING THE RIGHT TOOLS FOR THE JOB
Get an expert in and you’re a week away from answers that could reduce your tech spend, improve your security posture, ensure you are compliant and safeguard your cyber insurance policy.
Our assessments for the average-sized UK SME take around a week. Larger, global businesses can take anything up to a few months to assess properly. We start with a team discussion. All controls believed to be in place are listed and we request evidence for each. Most of the time the team is very transparent, admits which controls are not actually in place, and the exercise concludes quickly. This lets us move straight on to solution planning.
COMPLIANCE IS YOUR RESPONSIBILITY
Insurers and the government are pushing businesses to be accountable for ensuring they are cyber secure. Insurers are no longer asking to see proof of ISO 27001; they are asking directly for proof that the specific critical controls are covered.
Any business seeking new cyber insurance will face this question up front, with insurers refusing cover until the business takes risk mitigation seriously. Time to stop buying tech that plugs yesterday’s holes and start planning real defence against the threats of tomorrow.