Preventive measures are proactive actions taken by an organization to mitigate cyber security attacks from occurring to them.
However, it is challenging for an organization to maintain preventive measures in the overall cyber security program due to certain limitations:
Here are some ways (Rodriguez, 2017) to solve the issue:
Operational managers that own and manage risks and controls and implement corrective actions to address process and control deficiencies make up the first line of (IPPF, 2016) defence. Within an organization, there can be several of these operational managers that are established with cyber security in mind:
This personnel is responsible for providing knowledge and direction concerning technologies available to drive the organisation’s mission, protecting the organisation’s intellectual property and ensuring the organisation is prepared for the subsequent phases of technological development.
The Chief Information Security Officer (CISO)/ Chief Security Officer (CSO)is responsible for the IT security aspect of an organization. They lead in deploying cyber security strategies, policies, and procedures with input from identifying cyber security threats to ensure that the organisation's assets are protected.
This personnel is responsible for developing the cyber security program for the organisation.
A competitive advantage over opposing organisations can be established when the organisation goes through a strategic change by developing cyber security policies and implementing an entity-wide cyber security training program. These positions work in tandem with executive management to tackle cyber security.
They are responsible for designing and implementing appropriate controls to secure their technologies and data. This can be integrated with the overall risk assessment process within the organization. Suppose an organization does not have the workforce to fill the above positions. In that case, the simple approach is assembling a team of managers from different departments (HR, IT, legal, etc.) to respond to cyber security risks.
Usually, an organisation's legal department takes on both its normal and cyber security duties. However, with the advancement of cyber criminals promoting the legal landscape to change regularly, it is more advisable to hire an in-house attorney dedicated to handling the cyber security aspect. Relevant parties, such as the IT department, can work with the attorney to handle cyber security.
The in-house or external attorney should have specific roles and responsibilities concerning the organization’s crisis communication procedures. They have to engage the regulators or prosecutors as they will try to find out the organisation's situation under cyber security attack. The communication channels must be established during the early phases of the incident. This assures the regulators and shows that the organization is under control. If the regulators do not receive information, they roughly will think that the organization is struggling.
As the main objective of cyber security attacks is to steal organizational information or stop business operations, an organisation's technological infrastructures (data centres and networks) are usually targeted. Organizational information can be stored internally, externally, or both.
Organizations will rely on secure configurations, firewalls, and access controls if the data is stored internally. However, specific attacks are specifically targeted and crafted. The existing measures an organization may have will not be able to withstand the attack, allowing the cyber security criminal to have unauthorized access and perform illegal transactions. The organization has to take preventive measures at the network's perimeter through detective controls (monitoring), restricting access, and blocking unauthorized traffic to reduce cyber security risks.
From the active monitoring of the traffic occurring within the organization, a whitelist of good traffic and a blacklist of blocked traffic can be drawn up. Since network traffic is dynamic, these lists must be frequently updated to stay relevant. Should unauthorized access be gained by the attacker, the next step they would take is to obtain administrative privileges, which allow them entry to sensitive information and ways to cover their tracks.
If the data is stored externally, the organization has to make sure that the vendor is doing its job in managing relevant risks. This can be written in black and white when the contracts between the organization and the vendor are discussed. These areas should be written in the contracts: Service Organisation Control (SOC) reports requirement, the organization has the right to audit clauses, service level agreements (SLA), and/or cyber security examination engagements.
Once these have been negotiated and executed, the vendor has to be monitored to ensure that SLA is conformed to the established key metrics. Suppose any of the contract's requirements have not been met. In that case, the organization has the right to audit the clause, request timely resolution of concerns, enforce penalties, or decide to transition to an alternative vendor if required.
With organizations picking up technological preventive measures to mitigate cyber security attacks, cybercriminals have begun shifting away from attacking an organisation's technological infrastructures and the psychological aspect of the employees within the organization. This is called social engineering, where the cyber security criminal impersonates a legitimate organization or person through crafting emails or calling to trick victims into sharing organizational/personal information, clicking links routing to fraudulent websites or performing actions that install malware onto their systems. This is closely related to human error.
Human error is a common vulnerability cybercriminals can take advantage of for their attack on an organization. Therefore, the employees must be educated to mitigate the security issues plaguing their organisation. It is crucial to work and educate the different departments on the risks they face and what actions to take. Some areas for employees are to look out for suspicious or unusual emails, unprecedented requests, phone calls, or system activity. Employees can easily recognize fictitious communications or activities and report them immediately for research, escalation, and resolution through continuous training. Cybersecurity incidents affecting peers in the industry can be leveraged for training, awareness, and adopting additional preventive measures.
The second line of defence (IPPF, 2016) comprises IT risk management and compliance functions. This personnel are responsible for the following:
A timely response is necessary for cyber security risks as they are more dynamic than traditional risks. As the threat landscape evolves, an organisation's second line of defence drives governance and oversight to adequately prepare and respond to emerging threats.
If an organisation chooses to engage third-party vendors for their cyber security services, the relationship between the organisation and vendor has to be kept in check as the vendor has access to sensitive and classified organisational information.
The organisation must set out appropriate conditions to be documented in the contract to check if the vendor has complied with agreements and has appropriate controls.
The personnel that forms the third line of defence (IPPF, 2016) is in charge of internal auditing to assess if the organisation’s information technology governance supports the organisation’s strategies and objectives. They work with the second line of defence to govern the cyber security function of an organisation. Some of their activities include:
As per their primary function, as stated above, the adequacy of the work done by the second line of work (frameworks, standards, risk assessments and governance) is reviewed.
Current controls identified and new measures suggested are also assessed by this person. This is because of the complexity of cyber security within the organisation. General control measures are a good baseline to follow. However, they are not a complete solution to mitigate cyber security risks.
Multiple control layers must be implemented on top of the general measures. An organisation requires proactivity and innovative assurance strategies to keep up with the pace of cyber security risk. The auditing process has to be continuous to ensure changes to security configurations are reviewed, evaluate new risks, and assess response times and remediation activities.
These are the various prevention, mitigation, response or recovery strategies that organisations can adopt to manage cyber security incidents effectively to minimise downtime of their CBFs.
Although many strategies are listed, not all are relevant to the organisations. The strategies the organisation chooses to adopt depend on the information gathered from the Risk Analysis and Review Business Impact Analysis phases. The information collected from these processes is unique to each organisation.
Hence, the strategies the organisation chooses to adopt must be tailored accordingly. Blindly adopting the strategies will harm an organisation as it generates more vulnerabilities for cybercriminals to exploit. Therefore, fine-tune the adopted strategies to fit the organisation's profile to improve the overall ability to manage cyber security incidents.
BACK TO: Mitigation and Response Strategies | CIR BC Strategies for Infrastructure | CIR BC Strategies for People | CIR BC Strategies for Policy |
CIR BC Strategies for Process |
CIR BC Strategies: Respond | CIR BC Strategies: Recover | CIR BC Strategies: Defence Lines |
Competency-based Course |
Certification Course | ||
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 7 Developing Mitigation and Response Strategies 7.27 Defence Lines
Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.