Cyber security posture
Venables said the IT department of any organisation is a good place to start to get a basic understanding of its overall cyber security posture.
“The IT department should be able to provide details on controls, ports, services, firewall rules and device configurations – how these things are secured, how that is monitored, and how that could be changed to meet the most likely cyber threats to your organisation,” he said.
IT departments should also be able to provide details about how the network is sub-netted or segmented, said Venables, which can be useful in ensuring staff can access only areas appropriate for their roles.
“And if attackers are in your network, segmenting it can slow them down and make it more difficult for them to move around,” he said.
Another important matter for organisations to consider is whether to allow employees access to webmail and unrestricted web browsing from work IT environments, he said.
“Not only is webmail a good way of getting bad stuff in, it is also a good way for attackers or malicious insiders to get stolen data out,” said Venables.
The lack of cyber security talent is a challenge for most organisations, but Venables said they should take the time to find out if they have hidden talent within their workforce.
“You may have all the skills you need without knowing it, like a cyber security enthusiast or hobbyist with real skill and aptitude who may be working in a non-security or even non-IT role,” he said.
Venables advised organisations to identify these people because, while they may be of great benefit, they may also be one of the biggest threats as they are able to bypass security controls.
Organisations should also look at contingency plans for when things go wrong, he said, which involves workshopping, looking at possible security incidents and what action should be taken to limit the damage and keep the business running. This should include testing the integrity of data if a compromise is detected or suspected.
“It should be clear at what point you will call for external help, and you should have already approached a company so they are ready to come in when needed to ensure business continuity,” he said. “It is also a good idea to establish a relationship with a cyber forensics company to capture evidence that can be passed on to law enforcement.”
Venables emphasised the importance of testing incident response and recovery procedures to ensure that all plans work in practice and that there is a clear decision-making structure in place.
He also advised organisations to have printed copies of contingency plans so they are accessible if IT systems go down, and to test that data backup and recovery processes are working.
Venables also underlined the importance of carrying out investigations after every incident to understand the threat, which vulnerability was exploited and how any similar attack can be prevented in future.
“Also look at how well your response and recovery procedures worked to see if any improvements are necessary,” he said.
Every organisation should remember that if it has a public-facing IP address, it is never detached from cyber space, said Venables. “You are an integral part of it and you are at risk, which needs to be considered,” he said.