CIR BC Strategies: Defence Lines
Preventive measures are proactive actions taken by an organization to stop cyber security attacks from occurring in the first place.
Cyber security attacks are unpredictable, and with technological advancements, an attack may be so sophisticated that an organization under attack cannot recover and folds. Hence, more organizations are starting to establish preventive measures.
However, it is challenging for an organization to maintain preventive measures in the overall cyber security program due to certain limitations:
- The management (IAAPA, 2016) does not allocate a sufficient budget for establishing cyber security measures, obtaining the workforce within the organization, or entrusting the responsibility to a reliable vendor; and
- Difficulty retaining talented employees within an organization due to a lack of satisfactory treatment.
Here are some ways (Rodriguez, 2017) to solve the issue:
- Identify the proactive measures for cyber security and specify their costs
- Secure budget for training of employees from different departments (not just IT)
- Justify to the management that the proactive measures to be implemented are worth the expenditure, and obtain budget approval
- Acquire assistance from professional vendors should there be a lack of workforce within the organization
- Provide directions to the HR department to develop human resources for cyber security and a roadmap for the employees
1. First Line of Defence
Operational managers who own and manage risks and controls, and who implement corrective actions to address process and control deficiencies, make up the first line of defence (IPPF, 2016). Within an organization, several such operational manager roles may be established with cyber security in mind:
1.1 Chief Technology Officer (CTO)
This officer is responsible for providing knowledge and direction concerning the technologies available to drive the organisation's mission, protecting the organisation's intellectual property, and ensuring the organisation is prepared for subsequent phases of technological development.
1.2 CISO/CSO
The Chief Information Security Officer (CISO)/Chief Security Officer (CSO) is responsible for the IT security aspect of an organization. They lead the deployment of cyber security strategies, policies, and procedures, informed by the cyber security threats that have been identified, to ensure that the organisation's assets are protected.
1.3 Chief Information Officer (CIO)
This officer is responsible for developing the cyber security program for the organisation.
A competitive advantage over competing organisations can be established when the organisation goes through a strategic change by developing cyber security policies and implementing an entity-wide cyber security training program. These positions work in tandem with executive management to tackle cyber security.
They are responsible for designing and implementing appropriate controls to secure their technologies and data. This can be integrated with the overall risk assessment process within the organization. Suppose an organization does not have the workforce to fill the above positions. In that case, the simple approach is assembling a team of managers from different departments (HR, IT, legal, etc.) to respond to cyber security risks.
Usually, an organisation's legal department takes on both its normal duties and its cyber security duties. However, with advances by cybercriminals prompting the legal landscape to change regularly, it is more advisable to hire an in-house attorney dedicated to handling the cyber security aspect. Relevant parties, such as the IT department, can work with the attorney to handle cyber security.
The in-house or external attorney should have specific roles and responsibilities concerning the organization's crisis communication procedures. They have to engage regulators or prosecutors, who will want to know the organisation's situation during a cyber security attack. The communication channels must be established during the early phases of the incident. This assures the regulators and shows that the organization has the situation under control. If the regulators do not receive information, they will likely assume that the organization is struggling.
1.4 Common Controls
As the main objective of cyber security attacks is to steal organizational information or stop business operations, an organisation's technological infrastructures (data centres and networks) are usually targeted. Organizational information can be stored internally, externally, or both.
Organizations will rely on secure configurations, firewalls, and access controls if the data is stored internally. However, some attacks are specifically targeted and crafted, and the measures an organization already has may not withstand them, allowing the cybercriminal to gain unauthorized access and perform illegal transactions. The organization has to take preventive measures at the network's perimeter through detective controls (monitoring), restricting access, and blocking unauthorized traffic to reduce cyber security risks.
From active monitoring of the traffic occurring within the organization, a whitelist of good traffic and a blacklist of blocked traffic can be drawn up. Since network traffic is dynamic, these lists must be updated frequently to stay relevant. Should an attacker gain unauthorized access, their next step would be to obtain administrative privileges, which give them entry to sensitive information and ways to cover their tracks.
If the data is stored externally, the organization has to make sure that the vendor is doing its job in managing the relevant risks. This can be written in black and white when the contracts between the organization and the vendor are negotiated. The contracts should cover these areas: Service Organisation Control (SOC) report requirements, right-to-audit clauses for the organization, service level agreements (SLAs), and/or cyber security examination engagements.
Once these have been negotiated and executed, the vendor has to be monitored to ensure that the SLA's established key metrics are met. Should any of the contract's requirements not be met, the organization can invoke the right-to-audit clause, request timely resolution of concerns, enforce penalties, or decide to transition to an alternative vendor if required.
1.5 Start Training Employees and Have a Plan
With organizations adopting technological preventive measures to mitigate cyber security attacks, cybercriminals have begun shifting from attacking an organisation's technological infrastructure to exploiting the psychological aspect of the employees within the organization. This is called social engineering, where the cybercriminal impersonates a legitimate organization or person through crafted emails or phone calls to trick victims into sharing organizational/personal information, clicking links to fraudulent websites, or performing actions that install malware on their systems. This is closely related to human error.
Human error is a common vulnerability that cybercriminals can take advantage of in their attack on an organization. Therefore, employees must be educated to mitigate the security issues plaguing their organisation. It is crucial to work with and educate the different departments on the risks they face and the actions to take. Employees should look out for suspicious or unusual emails, unusual requests, phone calls, or system activity. Through continuous training, employees can readily recognize fictitious communications or activities and report them immediately for research, escalation, and resolution. Cyber security incidents affecting peers in the industry can be leveraged for training, awareness, and adopting additional preventive measures.
2. Second Line of Defence
The second line of defence (IPPF, 2016) comprises the IT risk management and compliance functions. These personnel are responsible for the following:
- Identify and evaluate the risks and exposures related to cyber security that their organisation may experience;
- Determine whether these are within or outside the organisation's risk appetite;
- Have a clear understanding of the current cyber security threat landscape;
- Be aware of changes to laws and regulations;
- Work in tandem with the first line to ensure appropriate design of controls;
- Design policies/standards and set clear expectations/guidelines;
- Work with the first and third lines of defence to create awareness among the management or government agencies and to ensure cyber security risks and controls are reported and kept up to date; and
- Identify key risk indicators.
A timely response is necessary for cyber security risks as they are more dynamic than traditional risks. As the threat landscape evolves, an organisation's second line of defence drives governance and oversight to adequately prepare and respond to emerging threats.
If an organisation chooses to engage third-party vendors for its cyber security services, the relationship between the organisation and the vendor has to be kept in check, as the vendor has access to sensitive and classified organisational information.
The organisation must set out appropriate conditions, documented in the contract, so that it can verify that the vendor has complied with the agreements and has appropriate controls in place.
3. Third Line of Defence
The personnel that form the third line of defence (IPPF, 2016) are in charge of internal auditing, assessing whether the organisation's information technology governance supports the organisation's strategies and objectives. They work with the second line of defence to govern the cyber security function of an organisation. Some of their activities include:
- Work on the relationship between cyber security and organisational risk;
- Prioritize response and control activities during a cyber security incident;
- Assess current cyber security risk mitigation across all departments of the organisation;
- Coordinate with cyber security risk management personnel to raise awareness across the organisation; and
- Ensure that resources required for preventive and responsive measures are included in the organisation’s business continuity/disaster recovery plans.
In line with their primary function stated above, they review the adequacy of the work done by the second line of defence (frameworks, standards, risk assessments and governance).
The third line also assesses the current controls identified and any new measures suggested. This is necessary because of the complexity of cyber security within the organisation. General control measures are a good baseline to follow, but they are not a complete solution for mitigating cyber security risks.
Multiple control layers must be implemented on top of the general measures. An organisation requires proactivity and innovative assurance strategies to keep up with the pace of cyber security risk. The auditing process has to be continuous in order to review changes to security configurations, evaluate new risks, and assess response times and remediation activities.
5. Conclusion
These are the various prevention, mitigation, response and recovery strategies that organisations can adopt to manage cyber security incidents effectively and minimise downtime of their critical business functions (CBFs).
Although many strategies are listed, not all are relevant to every organisation. The strategies an organisation chooses to adopt depend on the information gathered from the Risk Analysis and Review and Business Impact Analysis phases. The information collected from these processes is unique to each organisation.
Hence, the strategies the organisation chooses to adopt must be tailored accordingly. Blindly adopting the strategies will harm an organisation as it generates more vulnerabilities for cybercriminals to exploit. Therefore, fine-tune the adopted strategies to fit the organisation's profile to improve the overall ability to manage cyber security incidents.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 7 Developing Mitigation and Response Strategies, 7.27 Defence Lines
Note: This version is the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the corresponding chapter and section in the 1st Edition.