Top Tips for Moving from Compliance to Cybersecurity Excellence

Compliance should be an essential part of business operations, regardless of industry. Taking preventative measures to manage compliance and mitigate risk can feel like a hassle upfront, but it can save your organisation huge costs in the long run. Compliance violations can result in fines, penalties, lawsuits, loss of reputation, and more. However, your efforts should not stop at obtaining a compliance certificate, rather they should expand to accelerate your cybersecurity posture.

Compliance frameworks to pay attention to

If you are operating in the UK, getting the Cyber Essentials accreditation is a great way to reassure your customers that you are taking all required precautions to secure your IT and their data against cyber-attacks. In addition, the certification allows you to attract new business opportunities since you are demonstrating a sound cybersecurity posture that builds on your brand name and trust. Finally, some UK government contracts even require that contractors obtain the Cyber Essentials certification.

Further, the ISO 27001 standard is designed to function as a framework for an organisation’s information security management system (ISMS). The goal of ISO 27001 is to provide a framework of standards for how a modern organisation should manage their information and data. Risk management is a key part of ISO 27001, ensuring that a company or non-profit understands where its strengths and weaknesses lie. ISO maturity is a sign of a secure, reliable organisation that can be trusted with data.

Simultaneously, organisations don’t want to get saddled with non-compliance penalties from regulators. These can be high depending on the standard set or framework with which they’re non-compliant. For example, non-compliance with European Union’s General Data Protection Regulation (GDPR) could incur a fine of 10 million Euros or 2% of global turnover (whichever is greater) for offences relating to child consent and transparency of communication, among other issues. That amount jumps to 20 million Euros or 4% of global turnover (whichever is greater) for slipups involving responsibilities like data processing, data subject rights, and transferring data to a third party.

Investing only in compliance opens the door to attacks

The common denominator behind all compliance regulations and standards is that organisations should practice basic cyber hygiene measures. In many cases, this comes down to truly basic elements that are too often overlooked. And here lies the real problem.

Many organisations consider compliance as a checklist exercise and fail to look further to realise that meeting and maintaining regulatory adherence is only a first step towards a strong cybersecurity posture. Hence, organisations are eager to fund compliance projects to avoid paying the fines and forget to further invest in building infrastructure, establishing processes, and empowering people to become resilient against advanced cyber-attacks.

As a result, they remain vulnerable even to known attack vectors. Take for example authentication and access management. Many organisations deploy multifactor authentication only to protect privileged accounts or cloud-based apps. Criminals are aware of this wide-open door, and they successfully target other employees and services to gain access to corporate networks.

Although compliance is important, a strong cybersecurity posture is critical. “Within organisations’ budgetary boundaries, companies have to defend and protect against attacks while they also seek to comply with complex regulations,” underscores the World Economic Forum.

“Policymakers, thus, need to weigh their decisions with this impact in mind. Individual regulations may have similar intent, but multiple policies add complexity for businesses that need to comply with all regulations, and this complexity introduces its challenges to cybersecurity and data protection, not always improving them. Policies must be creative in increasing protection while decreasing regulatory complexity,” WEF concludes.

Securing budget for cybersecurity projects

It all comes down to changing mindset about cybersecurity. “You have to change the conversation and make it about adding value. The challenge is that cybersecurity is often seen as a cost centre or something that slows down innovation or business processes. But if we can change the narrative, then securing the budget won’t be such a challenge,” says Garry Hibberd, Professor of Communicating Cyber.

Changing narrative means talking the language that executives understand – money, cost savings, profit, return on investment. “Focusing on the people around the Boardroom table and what they are trying to achieve, we can reframe what we do to support and help them. The CFO typically wants to save money, so show how spending on cybersecurity can be better targeted. The CEO will want to increase market value, so show them how good cybersecurity can protect brand reputation. The Sales Director will want to increase sales, so show them how they can use cybersecurity as a business differentiator and a competitive advantage,” explains Hibberd.

Securing budgets for cybersecurity projects is more than just talking about risk. It is about having (and developing) communication skills – being able to align cybersecurity benefits to business goals. “We must become better communicators of the benefits of what we do,” he concludes.

Six tips for cybersecurity excellence

The best way forward for organisations is to move to a stronger cybersecurity position and then use this foundation to meet their cybersecurity goals as well as their compliance obligations. They can do this by following these recommendations:

  • Think cybersecurity first. This will help as compliance standards only get tighter. If you have a cybersecurity start point, you can cover much of the evolution of the tightening of regulations.
  • Change your mindset from reactive to proactive. Budget must be found if there is a cybersecurity issue such as a breach. Whatever this price tag ends up being, it will be several times more than if organisations had initially invested in preventing an incident from occurring in the first place. With that in mind, getting stakeholders to think about cybersecurity proactively is critical. This can be done by talking about cybersecurity issues in terms of business risk, keeping cybersecurity as a continuous topic, etc.
  • Use your compliance data to bolster security. If you are collecting data to be compliant, don’t just sit on it. Use it to help your cybersecurity efforts. It will be a relatively small add on of resources ultimately.
  • Encourage cybersecurity training and awareness. Getting the right mindset in staff will reduce the chances of issues arising in the first place. Plus, you have many sets of eyes on the potential risks rather than just those with cybersecurity in their job titles.
  • Develop a disaster plan. Engaging with your stakeholders in creating a disaster plan will help them become more aware of the risks and costs of incidents such as data breaches. It will also encourage them to consider what the organisation can do proactively to prevent these types of events from happening.
  • Realise that you don’t need to go it alone. You can use trusted security tools to monitor the risk landscape as it relates to your organisation. If you lack the internal expertise necessary for using these security tools, you can outsource your program.

Want to learn more? Download our whitepaper to explore the gap between cybersecurity and compliance and read about how others in the industry are overcoming some of these challenges.

Cybersecurity and Drones: How to Address the Security Threats

The Unmanned Aerial Systems (UAS) industry has become a massive technological playground worldwide. Their extensive applications make UAS very popular for the public and the private sector. Armed forces, agricultural industry, law enforcement, meteorological agencies, medical services, environmental companies, and oil refineries are but a few out of the excessive list of UAS users. UAS manufacturers spend a significant amount of money to research and develop high-tech and smart systems from aircraft-size military UAS to hand-size mini drones.

The use in almost every aspect of human activity adds value to the need of UAS evolution, but it also increases security risks. Imagine what can happen when smart and cheap drones that anyone can easily purchase from a local hobby store become weapons at the hands of adversaries and cyber criminals.

From that perspective, are drones a major threat when it comes to cybersecurity? And if so, what measures should be taken to counter them?

Drones Evolve

When we talk about drones, we need to consider two factors:

  • Not only do they consist of the airborne platform, but they also include the control station that’s necessary for safe and efficient operation communication links.
  • They have become numerous, cheaper, and more complex.

Taking the above into consideration, it is obvious that drones are a serious risk for flight safety and security. We have discussed in a previous blog the threat that drones pose to flight safety. To minimize the risk, software applications have been developed to manage and organize drone flight traffic. Besides a major flight safety concern, drones can become a serious cybersecurity threat.

The Cybersecurity Threat of Drones

Apart from airworthiness and flight safety issues, drones affect the cyber domain and the security of data. Forbes points out that the malicious use of these platforms in the cyber domain is an inevitable fact, and it can no longer be pushed aside. Last Christmas, we witnessed U.S. government posing export restrictions to one of the largest drone manufacturers in order to protect national security and foreign policy interests.

Since drones are remotely controlled, they can be hijacked by bad actors. The Department of Homeland Security (DHS) stated, “Given their rapid technology advancement and proliferation, the public safety and homeland security communities must address the fact that drones can be used nefariously or maliciously to hurt people, disrupt activities, and damage infrastructure.” Major cyber domain threats caused by drone activity are:

  • GPS spoofing. A way to take control of a drone. Attackers feed drones with false GPS coordinates and take full control of the platform. Security researchers have demonstrated how a hijacked drone can be used to hijack other drones, ending in a drone swarm under the control of cyber criminals. It is easy to realize that in such a case, the threat potential increases drastically and can be compared to the way botnets perform DDoS attacks, taking over a significant amount of systems and Internet of Things (IoT) devices.
  • Downlink intercept. Allows a criminal accessing all transmitted data between the drone and the controller. Since the majority of commercial drones systems interact with their base using unencrypted communication channels, they can become vulnerable to exploitation by a cyber criminal who can intercept and have access to sensitive data drone exchanges with the base such as pictures, videos, and flight paths.
  • Data exploitation. Critical infrastructure is protected in the terms of digital and physical security. The use of drones can overcome physical security limitations and cybersecurity protections, for a mini computer mounted on a small drone can approach undetected sensitive areas and carry out nefarious operations, mimic a Wi-Fi network to steal data, hijack Bluetooth peripherals, perform keylogging operations to steal sensitive passwords, as well as compromise access points, unsecured networks, and devices,

How to Mitigate the Threat

To mitigate the cybersecurity risks posed by the drones, we need to consider the following:

  • How to secure the platform and the data exchanged
  • How to counter drone platforms

Securing Drones

When it comes to drone cybersecurity, it is wise to be proactive. That’s why you have to consider securing your platform as you would do with any network device. Kaspersky proposes some useful tips:

  • Update the drone’s firmware and apply a manufacturer’s patches.
  • Use strong passwords for the base station application.
  • Use updated anti-virus software for your drone controller device.
  • Subscribe to a VPN service to encrypt your connection.
  • Limit the number of devices that can connect to the base station.
  • Use the “Return to Home” (RTH) mode to ensure drone recovery from a hijack situation.

Counter Drones

Drones fall under the remit of the Federal Aviation Administration (FAA) as UAS. That means that you cannot take them down or jam their communication. This kind of countermeasures apply only to the military sector where different operational procedures are enforced when an unknown drone enters the perimeter of a military base.

Countermeasures should focus primarily on space protection. It is vital to be able to efficiently detect drones. High frequency radars, thermal cameras, RF scanners, acoustic sensors, and sophisticated machine learning and AI algorithms are used for this purpose. However, drones’ small size and low speed makes their detection difficult within a highly cluttered environment.

Other techniques involve geofencing software, which creates a virtual border around an area, prohibiting unauthorized drone flight. Finally, the military sector makes use of counter drone systems called “effectors.”

The Future

Drones will continue to evolve; in the near future, they will dominate various commercial and public sector areas such as deliveries, crops and livestock monitoring, border control, defense, surveillance, mapping, and security services. As so, it’s vital to secure them properly to reap the benefits of their use and to prevent becoming adversarial weapons in the hands of opportunistic state cyber threat actors.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Recommendations for Fulfilling the Potentials of Cyber Insurance

Cyber insurance has great potentials in improving cybersecurity practices and protecting organizations against the impact of security incidents, but these potentials “have yet to fully materialize.” This is the key highlight of a recent report developed by the Royal United Services Institute for Defence and Security Studies (RUSI) and the University of Kent in the UK. The report provides a comprehensive list of recommendations for both governments and organizations.

Why cyber insurance?

The World Economic Forum has identified cyber-crime along with climate change and pandemics as “one of the most challenging risks facing societies in the next five years.” The advances in criminality ‘business models’ and the increasing sophistication of threat actors have turned cyber-crime into a complex, rapidly growing and severe threat to both government and business. According to the report, in 2020, losses from cyber-crime were estimated at over $945 billion worldwide, while the “average payment for a ransomware attack was reported to have risen from $84,116 in Q4 2019 to $220,298 in Q1 2021.”

Both critical national infrastructure (CNI) and economic security are threatened by ransomware and cyber-crime more generally. Cyber risk management has become an essential and crucial topic for governments and businesses.

This rise in criminality is taking place at a time of rapid changes in the business environment as organizations seek to digitalize, increase connectivity, and accommodate emerging remote working. The growing reliance of businesses and governments on cyber-enabled services and data highlights the need for protection against these threats. With both national infrastructure and economic security at risk, “one tool that has gained traction is cyber insurance.”

As with other types of insurance, cyber insurance is to play a role in reducing economic, environmental, technological, and political risks. Although the primary purpose of insurance is to transfer risk, a by-product is that it can also improve safety and security in some cases.

Cyber insurance can be an important lever for improving cybersecurity. The UK’s Department for Digital, Culture, Media, and Sports (DCMS) has reported that public and private sector organizations face informational, commercial, and technical barriers to effectively manage cyber risk. SMEs are especially underprepared when it comes to cyber risk. For example, a recent industry report found that 64% of surveyed businesses are “novices” when it comes to cyber readiness. The failure of many organizations to implement even the minimum requirements of cybersecurity and cyber hygiene has also been reiterated by the current growth of ransomware attacks, which exploit lax patch management processes and poorly authenticated remote access services.

Benefits of cyber insurance

The report has identified five positive effects of cyber insurance on cybersecurity and risk management.

1. Assessing risk profiles and security practices

By assessing a client’s risk profile, insurers can identify potential risks, poor cyber hygiene, and bad practices via an initial risk assessment. This process may encourage an organization to understand their exposure to risk, implement new controls, or remediate previously identified vulnerabilities.

2. Driving best practices

The cyber insurance industry is well placed to drive best practices, as insurance carriers are financially motivated to reduce claims and losses. This motivation could act as a ‘push factor’ from the insurance industry to raise standards and drive the adoption of best practices by their clients.

3. Linking risk profiles and security practices to financial incentives

The most powerful lever the insurance industry holds is the ability to link an organization’s risk profile or cybersecurity practices to financial incentives such as reduced premiums, better terms, and higher coverage. This should encourage the adoption of best practices by offering a clear financial incentive.

4. Increasing awareness of risk

As evidenced by the authors of the report, cyber insurance assists in raising awareness relating to poor cyber security so that it is seen as a credible threat to business. For example, cyber insurers have the knowledge and the experience to emphasize the potential financial impact of an incident and can help their clients to map strategies and processes to mitigate it.

5. Providing access to services

Many cyber insurers provide services to help organizations prevent breaches or to reduce the impact when they happen. Post-incidents services may help clients to reduce incident costs and get access to services and expertise during crises. Pre-incident services seek to proactively prevent incidents and mitigate risk and include staff training, vulnerability scanning, access to intelligence, and vCISO services.

Challenges of cyber insurance

Despite these benefits, the report notes that “the positive effects of cyber insurance on cybersecurity have yet to fully materialize. While there are some encouraging signs, cyber insurance is still struggling to move from theory into practice when it comes to incentivizing cybersecurity.”

Based on interviews and workshops with experts across the insurance and cybersecurity industries, government, and academia, the report identifies that the cyber insurance sector is ‘still in its infancy,” struggling to understand cyber risk as well as to collect and analyze reliable cyber risk data. Without this level of cyber risk maturity, there are significant questions around the insurability and mitigation of cyber risk. Among all these challenges, ransomware has become an existential threat for some insurers, raising questions and debate about the policies of paying the ransom.

The report identifies many reasons for this situation. First, the positive effects of cyber insurance are not evenly distributed. It appears that some cyber insurers are offering products and services with a better chance at impacting security, reflecting insurers’ varying levels of maturity and expertise. Offerings are also not functioning as well as they might for SMEs and large businesses.

Second, cyber insurance is more effective as a cyber resilience rather than a risk mitigation tool. This is emphasized by the fact that post-breach services are the central cyber insurance service. Although this is not questionable, as the main aim of cyber insurance is arguably to transfer residual risk and act as a last line of defense, it does raise some further concerns. The problem is that cyber insurance has yet to fully demonstrate that it can incentivize the proactive security practices that would make it more useful for managing cyber risk.

What is the way ahead?

At a time when the impact of cyber-attacks is becoming more severe, the report offers several recommendations which can help the cyber insurance industry reposition itself and deliver benefits to all organizations.

In accordance with these recommendations, the cyber insurance industry needs to collaborate more closely with cybersecurity agencies such as UK’s NCSC, NIST, and CISA on data sharing and setting minimum security standards. In addition, insurers need to move towards a more prescriptive risk management approach, whereby buyers are financially incentivized to adopt best practices. With the market undergoing changes amid growing losses, now is also the time for more coordinated action by government and regulators to help the industry reach its full potential as a tool for incentivizing better cybersecurity practices to include timely patching of vulnerabilities, adoption of multi-factor authentication, and network segmentation.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.