
Practical Cyber Security Basics for Leaders

Written by Gareth Williams | Jul 22, 2025 8:13:19 PM

As details of two significant cyber attacks on major UK retailers continue to emerge and CISA issues a warning of a vulnerability in SharePoint threatening organizations globally, cyber security has been top-of-mind in conversations recently.

The threats and the consequences are getting worse.

In this article I provide some starting points for organizations who want to improve their posture towards these risks, whether you are getting started or want to check how your existing strategy is working. I'll try to cover small, medium and large enterprises.

If you are a large organization you probably already have someone responsible for this, and I'll talk about how you must support them and how you can assess how things are working.

If you are a medium-sized or smaller enterprise you may not have anyone on point for cyber security. I will provide starting points and a path forward.

The democratization of technology continues to transform the lives of most people on the planet. We communicate globally with an ease that would have been seen as witchcraft not so long ago. Children carry much of humankind's accumulated knowledge in their pockets. Innovators with an idea can go live with a functioning offering in hours as the means of (digital) production have become almost free.

But...

  • The same technology also allows bad actors to innovate and scale their activities more easily
  • As digital ways of working thread through so much of our lives we become more vulnerable to disruption


What is Cyber Security? Should I care if I am not in IT?

Cyber security is about culture as much as technology.

Cyber security is the means by which people and organizations can reduce the risk of becoming victims of cyber attack. Relatedly, cyber resilience is about what happens when, inevitably, you are attacked. How do you detect it, how do you contain the effects and recover from them?

We might see the term cyber resilience grow in use as it helps us to think beyond the technology into the efforts we can take to radically reduce the effect of a cyber attack.

It can be tempting for leaders to see cyber security as a technical problem - something that IT should just take care of while you concentrate on the business. But cyber security is a C-Suite and board-level business issue as:

  • A cyber attack can be an existential threat to the organization
  • An attack can result in material financial loss
  • A successful attack brings with it reputational harm
  • Large regulatory fines may ensue for non-compliance with best practice
  • Many successful attacks involve a people element that goes beyond the technology and into culture
  • Prevention and mitigation of attacks involves organizational actions well beyond IT

Effective cyber governance, like financial oversight, requires strong leadership and proactive engagement at Board level.

What is under attack, by whom and why?

Any organization relying on digital technology is at risk of a cyber incident, which, these days, means any organization.

Chart: Percentage of organizations that have identified breaches or attacks in the last 12 months (Source: UK Cyber Breaches Survey 2024)

The majority of attacks today are not targeted, so even small or benevolent organizations can be caught up in widespread incidents such as WannaCry in 2017. That is not to say there are not also targeted attacks!

Map: Countries affected by the WannaCry worm in 2017 (image by TheAwesomeHwyh, original PNG version by User:Roke, own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=75622633)

Digital technology does not have to be a "computer"

For example, most retailers will have an Electronic Point of Sale (EPOS) system for payments. Recently, I heard about the example of an established bakery business that was driven into insolvency by an attack.

Reportedly, the bakery's EPOS system was rendered unusable by exploitation of an unpatched vulnerability in a remote access feature. The person responsible demanded a ransom of £20,000 to return the system to operation. There was no continuity plan. The business could not take payments. In the time it took to understand what was happening and set up another system the small business ran out of financial runway and was forced to close.

Image: A contactless payment reader linked to an EPOS system

Who does this and why?

Who is behind the attacks we read about in the news, or may have experienced personally?

  • Organized criminals seeking a large return through ransom payments or selling on sensitive data
  • Opportunistic individuals seeing what they can do
  • Nation states and their proxies engaging in overt, covert and sub-threshold warfare and commercial espionage
  • Activists seeking to disrupt or bring negative publicity to an organization
  • Terrorists seeking to promote a political or ideological viewpoint
  • Insiders working for someone else, or disgruntled employees
  • Competitors... ?


As a business leader, what should I do?

If you have already implemented a cyber security framework then you should assess how it is working and consider any improvements you need to make following that assessment.

If you have not implemented a cyber strategy then you should define and implement one at the level that is suitable for your organization. Excellent guidance is available from national cyber security agencies to assess and improve your cyber resilience. See below for the key starting points.

Large businesses are more likely to need to assess the performance of their existing strategy. Medium and small businesses, together with charities and NGOs, are more likely to need to implement a strategy in the first place.

I am in the UK - what should I do?

The National Cyber Security Centre, part of GCHQ, helps to protect businesses, the public sector and individuals. The NCSC provides trusted frameworks you should follow.

Go to https://www.ncsc.gov.uk/ and select the type of organization you represent to see the right advice.

There are a number of different schemes/frameworks, aimed at increasing levels of robustness, and choosing between them can be confusing.

In general, you start at the lowest relevant level and work upwards as needed, as this will give you the most immediate protection by covering the basics quickly. Depending on the nature and scale of your business you may want to or need to implement the higher levels.

At the lower levels the frameworks contain advice on what to do as well as general descriptions of what good practice looks like. At the higher levels the frameworks tend to focus more on being a standard for good practice to assess an organization.

UK National Schemes

Cyber Aware - the most foundational advice, aimed at small to medium businesses but applicable to all, including individuals. If you do nothing else, do this.

Cyber Essentials - the "Couch to 5K" of cyber security. Basic but useful, Cyber Essentials is the first level of certification for an organization: self-assessed and reviewed by an external expert.

Cyber Essentials Plus - the same level of assessment, but performed by an expert third party for greater assurance.

10 Steps to Cyber Security - aimed at medium to large organizations, where someone is responsible for cyber security. Practical advice about what to do and also how to make it stick in the organization. It bridges between Cyber Essentials and the Cyber Assessment Framework.

Cyber Assessment Framework - primarily developed for the public sector and critical national infrastructure, but can be used by any organization. It is the top-level framework from the NCSC.

ISO/IEC 27001 series - as international standards, the ISO series is also applicable in the UK. See the global section below.


I am in the US - what should I do?

America's cyber defense agency is the Cybersecurity & Infrastructure Security Agency (CISA). There are a range of resources on the national CISA website and there are also regional CISA offices to support you.

CISA Cyber Essentials: A practical starting point is the CISA Cyber Essentials content. It focuses on actionable steps and is especially suited to resource-constrained organizations. Within the Cyber Essentials are:

  • The Cyber Essentials Starter Kit, the basics for building a culture of cyber readiness.
  • The Cyber Essentials Toolkits, a deeper set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership to work towards full implementation of each Cyber Essential.

NIST Cybersecurity Framework: The most comprehensive, strategic framework is the NIST Cybersecurity Framework (NIST CSF). The NIST CSF is designed for all sectors and organization sizes. It is roughly comparable to the UK CAF in intent.

Practical Implementations: The Center for Internet Security (CIS) Controls are also widely used in the US and beyond. They are a prescriptive, prioritized and simplified set of best practices that complement the NIST CSF.

I am in the EU - what should I do?

For the EU the relevant agency is the European Union Agency for Cybersecurity (ENISA).

The key framework is NIS2 - the Network and Information Systems Directive. It has been brought into law in member states and is mapped not only to the ISO 27000-series standards but also to prevailing national standards in the EU.

Member states will tend to have a national agency which works with the EU on harmonizing the approach across the EU.

For example, the French national agency, l'Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), provides information about the recommended approach to Digital Risk Management at https://cyber.gouv.fr/en/digital-risk-management

Engage your national agency, or, if you don't have one, see below.

Elsewhere, and globally

The ISO/IEC 27001 standard lays out what good looks like for cyber security across people, tools and processes.

In fact, the national frameworks tend to map back to the ISO 27000 series standards.

Use ISO 27001 or re-use one of the national "essentials" frameworks you prefer. They tend to cover a lot of the same ground, and if you are starting from the beginning you will hugely increase your resilience.

Summary: What to do

  • Small to medium organizations: If you don't have a cyber security plan, then start one by engaging your national agency's essentials program
  • Large organizations, or those that have already implemented a plan: Assess how it is working in practice with board discussions and testing exercises. This is a leadership activity, not an IT activity
  • As national (and international) governments see cyber security as a priority, the available resources are superb. However, you do need to appoint someone in your organization to work through those frameworks and embed them in your organization
  • You can appoint one of your existing team to do this, but do make sure they realistically have enough time to do it, during the initial period and beyond. This is not a one-and-done exercise as the bad actors are persistent and motivated. Regular practice is needed to keep cyber security practices embedded
  • Alternatively, you can bring in external help from a cyber security specialist or other experienced enterprise IT professional, perhaps on a fractional basis.
    • The US agency, CISA, helpfully describes the activities of this person:
    • Select and support a “Security Program Manager.” This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cyber security program. The manager should report on progress and roadblocks to you and other senior executives at least monthly, or more often in the beginning.

Please connect with me for a no-obligation conversation if you need help.

And be cyber-safe out there!
Gareth

LinkedIn
fieldenablement.com