How to Organise your Cybersecurity Strategy
In the UK government’s April 2024 survey, 1,111 UK organisations reported a cyber attack or data breach in the 12 months preceding the report. With data breaches reaching record highs, ensuring your business has a comprehensive cybersecurity strategy is more important than ever.
But what does an effective cybersecurity strategy include? A typical strategic framework has six pillars: vision, mission, objectives, strategy, approach, and tactics. In this article, we focus on the five key Approaches that will ensure your cybersecurity strategy is robust and comprehensive. We will also provide examples of Tactics you can implement under each Approach.
Left-Boom vs Right-Boom
There are many types of cyber attacks, but generally, they are all malicious attempts to access, manipulate, or destroy data, systems, or networks. Cybersecurity is the practice of protecting information systems and networks from cyber attacks.
Before diving into the five recommended approaches to include as part of a comprehensive cybersecurity strategy, it is useful to know that all approaches and tactics can be classified into two categories: ‘left-boom’ and ‘right-boom’.
Left-boom refers to the proactive and preventative measures taken before a cyber attack occurs. The goal of left-boom approaches is to deter, detect, and disrupt potential threats before they can cause damage or compromise systems.
Right-boom refers to the reactive and responsive measures taken after a cyber attack has occurred. The goal of right-boom approaches is to contain, recover, and remediate the impact of the attack, as well as to learn from the incident and improve the security posture.
Cybersecurity Approaches
1 - Assess
In order to have a clear and comprehensive understanding of your current cyber posture and risk profile, you must conduct regular and thorough assessments of your cyber environment. The “assess” approach allows you to identify the gaps and weaknesses that need to be addressed, as well as the strengths and best practices that can be leveraged.
Another benefit of this approach is that it helps you prioritise your cybersecurity investments and actions based on the potential impact and likelihood of cyber incidents.
Furthermore, this cybersecurity approach enables you to benchmark your cybersecurity performance and maturity against industry standards and best practices, and to measure progress and improvement over time.
2 - Protect
When people think of cybersecurity strategies, this is what typically comes to mind. Protect approaches are preventive and protective measures such as encryption, authentication, and firewalls that are used to prevent or deter cyber threats from compromising data, systems, and assets. They reduce your cyber risk and enhance your cyber resilience.
These types of cybersecurity strategies may be needed to comply with the relevant laws, regulations, and standards that govern cybersecurity obligations and responsibilities. They can also be used to demonstrate your trustworthiness and reputation to customers, partners, and regulators.
The “protect” approach also supports business continuity and productivity by ensuring that critical data, systems, and assets are always available and accessible, and that operations and services are not disrupted or degraded by cyber incidents.
3 - Detect
The “detect” approach is important because it helps you to identify and respond to cyber threats that may have bypassed your preventive and protective measures, or that may have emerged from within your network or systems. By deploying advanced technologies and tools, such as intrusion detection systems and anomaly detection systems, you can monitor and detect cyber anomalies or incidents that may occur in your network or systems, as well as alert and inform the relevant stakeholders in a timely manner.
These cybersecurity strategies help you measure and improve your cybersecurity performance by providing data and insights on the types, sources, frequency, and impacts of cyber threats that you face. This enables you to benchmark your cybersecurity posture and maturity against industry best practices and standards.
Moreover, the “detect” approach supports your incident response and recovery capabilities by facilitating the analysis and investigation of cyber incidents, and providing evidence and information that can help contain, resolve, and prevent cyber incidents.
4 - Respond
This approach is often overlooked by small-to-medium businesses and enterprises, but it is of growing importance as prevention and detection techniques are no longer a guarantee against a cyber breach.
The “respond” approach is important because in the event of a cyber incident, it helps you manage and mitigate the impacts, and minimise the disruption and damage caused to your business and customers. By activating your incident response plan and team, you can contain, analyse, and resolve any cyber incidents that may occur in your network or systems, and communicate and coordinate with the relevant internal and external stakeholders such as senior management, employees, customers, partners, vendors, regulators, law enforcement, and media.
The “respond” approach also helps you learn from your cyber incidents as it details procedures for carrying out post-incident reviews and root cause analyses, and steps for identifying and implementing corrective and improvement actions to prevent or mitigate the recurrence of similar cyber incidents in the future.
5 - Recover
The “recover” approach is important because it helps restore normal business operations and services as quickly and safely as possible, and ensures the continuity of business and customer satisfaction. In the event of a cyber incident, every minute your systems are affected costs you money and impacts your reputation, so a rapid recovery post-incident is imperative.
Recovery from cyber incidents means the resumption of core functions and processes, and repair or replacement of any damaged or compromised assets, such as hardware, software, data, or networks.
Cybersecurity Tactics
Cybersecurity Audits
Cybersecurity audits are an assessment tactic that systematically examines your organisation’s cybersecurity policies, processes, controls, and practices. The purpose of cybersecurity audits is to evaluate whether your organisation is following its own policies and standards, complying with relevant laws and regulations, and adhering to industry best practices. Cybersecurity audits can also identify and report on the strengths and weaknesses of your organisation’s cybersecurity posture, risks, gaps, and improvement opportunities.
Cybersecurity audits can be conducted by internal or external auditors, depending on the scope, objectives, and requirements of the audit. Internal auditors are typically employees of the organisation who have expertise in cybersecurity and auditing, and report to the management or the board of directors. External auditors are independent third-parties who are hired by the organisation or mandated by regulators or customers to provide an objective and unbiased assessment of the organisation’s cybersecurity.
VirtueUK are regularly engaged to carry out Security Audits for organisations as part of our various Strategic Consultancy engagements. Clients find these strategic engagements particularly valuable ahead of decisions involving IT Infrastructure Projects or significant investments, as it allows them to prioritise initiatives and resources against business objectives and risk assessments.
Vulnerability Assessments and Penetration Testing
Vulnerability assessments are a proactive analysis of an organisation’s cybersecurity vulnerabilities (weaknesses or flaws in its systems, networks, applications, or processes that can be exploited by cyber attackers). The purpose of vulnerability assessments is to identify and prioritise the vulnerabilities, and provide recommendations for remediation or mitigation.
Vulnerability assessments can use various methods and tools to collect and analyse information about an organisation’s assets, threats, and controls. These may include:
Port Scanning – a technique that scans a network or a system for open ports, which are the entry points for communication and data transfer. Port scanning can help identify potential vulnerabilities and unauthorized services running on a network or a system, such as FTP, SSH, Telnet, or HTTP.
Vulnerability Scanning – using an automated tool to scan a network or a system for known vulnerabilities, such as outdated software, misconfigured settings, or missing patches. Vulnerability scanning can help provide a comprehensive overview of the security flaws and gaps, and suggest remedial actions and best practices.
Penetration Testing – a method that simulates a real-world cyber attack on a network or a system, and exploits its vulnerabilities to gain access, extract data, or perform other malicious actions. Penetration testing can help evaluate the security level and resilience of a network or a system, and identify the gaps and weaknesses that need to be fixed.
Web Application Testing – using a scanner that checks a web application or a website for common web vulnerabilities, such as SQL injection, cross-site scripting, broken authentication, and insecure encryption. Web application scanners can help detect and prevent web-based attacks that can compromise the functionality and integrity of a web application or website.
Access Control and Authentication Strategies
Access control is the process of granting or denying permissions to access data, resources, or systems based on pre-defined rules and policies. It ensures that only authorised users or devices can access the pre-defined, required data and prevents unauthorised access from outsiders and insiders. Examples of tools that facilitate this are on-premise Active Directory (AD) services, Azure Active Directory services, and Microsoft Intune Mobile Device Management.
Access control management requires that policies and procedures be collaboratively reviewed by IT teams and stakeholders (such as the Director of Operations and Department Heads) on a regular basis. This is a high-importance, yet low-urgency activity that is often neglected and the result is poorly pre-defined rules, and bloated (or unnecessary) policies.
Authentication strategies are used to verify the identity of a user or device before granting access to data, resources, or systems. Authentication can use various methods, such as passwords, biometrics, tokens, or certificates, to confirm that the user or device is who or what they claim to be. Authentication prevents impersonation, spoofing, or identity theft by unauthorised parties.
Access control and authentication strategies include:
- Least privilege access
- Multifactor authentication (MFA)
- Contextual access
- Single Sign-on (SSO) solutions
User Education and Awareness Training Strategies
The majority of successful data breaches start with a spear phishing attack, making employees the weakest link in an organisation’s network security. They are frequently exposed to sophisticated phishing and ransomware attacks disguised as deceptive emails or messages (SMS, app, social network) used to trick them into revealing sensitive information or installing malicious files or links. Their vulnerability to such attacks highlights the importance of user education and awareness training strategies as part of a robust cybersecurity strategy. An informed workforce becomes a strong line of defence against potential threats.
To help our customers tackle the security challenges posed by social engineering, spear phishing, and ransomware attacks, VirtueUK have partnered with KnowBe4 – the world’s largest Security Awareness Training and Simulated Phishing platform. Their platform includes:
Baseline Testing to assess the Phish-prone percentage of your users through a free simulated phishing attack. See how you stack up to others in your industry.
User Training to create automated training campaigns (with scheduled reminders). Access to the world’s largest security awareness training content library, including interactive modules, videos, games, posters, and newsletters.
Simulated Phishing Exercises provide best-in-class, fully-automated simulated phishing attacks that pull from thousands of templates. Community phishing templates and unlimited usage mean you can continually assess the progress of your users and keep them on their toes.
Enterprise-Strength Reporting gives you stats and graphs for both training and phishing. The management-ready reports allow you to track your progress and demonstrate your ROI.
Wonder how big an impact it can have? One case study found implementation of KnowBe4’s Internet Security Awareness Training (ISAT) reduced the Phish-prone percentage of users at three companies by 75% in a four-week period.
Regular Software Updates and Patch Management
Outdated software is a common vulnerability exploited by cybercriminals. Software Updates and Patch Management are critical protection strategies.
Software updates
These include general software that runs on devices or networks such as operating systems, web browsers, email clients, and office suites. Software updates can improve functionality, performance, compatibility, or stability, as well as fix any bugs or security issues.
Examples:
- Microsoft – releases monthly security updates for Windows 10
- Google Chrome – updates automatically every six weeks
- Adobe Acrobat Reader – updates periodically to address critical vulnerabilities.
System updates
These are updates for the specific system that supports a device or network, such as firmware, drivers, BIOS, or routers. System updates can enhance security, speed, reliability, or functionality of the hardware components, as well as resolve any conflicts or errors. For example, Apple releases firmware updates for Mac computers, Intel releases driver updates for its processors, Dell releases BIOS updates for its laptops, and Cisco releases router updates for its networking devices.
Application Updates
These are updates for particular applications that run on a device or network, such as antivirus software, firewalls, databases, or cloud services. Application updates can add new features, improve performance, compatibility (with Outlook, for example), or usability, and fix any flaws or vulnerabilities. For example, Norton releases antivirus updates daily, Windows Defender updates weekly, Oracle releases database updates quarterly, and FortiGate firewall updates are released regularly.
To be effective, your strategy must include a well-documented patch management policy and schedule, including regular reporting as part of its governance process.
Network Security Solutions: Managed Firewalls, AV, VPNs
Network security solutions are tools and techniques that protect a network and its devices from unauthorised access, misuse, modification, or destruction.
Firewalls are software or hardware devices that monitor and filter the incoming and outgoing traffic on a network, and block or allow it based on pre-defined rules and policies. Regular review of your firewall rules and policies is a necessary part of identifying vulnerabilities in your environment.
Antivirus (or Endpoint Protection) is software that detects, prevents, and removes malicious software such as viruses, spyware, trojans, and ransomware from a computer or network.
Virtual Private Networks (VPNs) are services that create a secure and encrypted connection between a user and a remote network, such as a corporate network, even when the user is connected through an untrusted network such as a public Wi-Fi hotspot. They protect the user’s online privacy and data. VPNs can help prevent cyber attacks such as man-in-the-middle attacks, where an attacker intercepts and alters the communication between the user and the network, or IP spoofing, where an attacker pretends to have a different IP address than their actual one.
Incident Response Plan (IRP)
An incident response plan (IRP) is a right-boom strategy. It is a set of policies and procedures that guides your organisation’s response to a cybersecurity incident with the aim of minimising the impact and damage of the cyber incident, containing and eradicating the threat, recovering normal operations, and learning from the experience. An IRP defines the:
- roles and responsibilities of the incident response team (IRT),
- communication and escalation channels,
- tools and resources needed to execute each step, and
- steps and actions to follow in each phase of the incident response process.
The Incident Response Plan typically consists of the following phases:
Preparation – the IRT prepares for potential incidents by:
- establishing the goals, scope, and priorities of the IRP,
- conducting risk assessments and vulnerability scans,
- developing and testing incident scenarios and response strategies, and
- training and educating the staff and stakeholders on their roles and duties.
Detection and Analysis – The IRT detects and verifies the occurrence of an incident by:
- monitoring and analysing the systems and networks,
- collecting and preserving the evidence and logs, and
- identifying the source, nature, and scope of the incident.
Containment and Isolation – The IRT isolates and contains the affected systems and networks from the rest of the environment, and prevents the spread and escalation of the incident, while maintaining the integrity and availability of the critical assets and services.
Need help developing your Incident Response Plan? VirtueUK can help. Our Strategic Consultancy engagements allow your SMB to affordably access the expertise of a CTO and CIO to help you assess (or develop) your various strategic documents.
Backup and Recovery
One of the most important aspects of a cybersecurity recovery strategy is the use of backup and recovery tools and platforms to help restore affected data and systems in the event of a cyber incident.
The benefits of backup and recovery tools include:
- Reduced downtime and disruption of business operations and services by enabling quick and easy restoration of the data and systems from backup copies.
- Minimised data loss and corruption by ensuring that the backup copies are reliable, consistent, and up-to-date, and can be accessed and verified whenever needed.
- Protection of backup copies from unauthorised access, modification, deletion, or theft through strong encryption, authentication, and authorisation mechanisms, and secure storage.
Some examples of the tools and solutions that can be used for backup and recovery are:
Cloud Storage: Cloud storage is a service that allows users to store and access their data on remote servers over the internet, rather than on local devices or disks. Cloud storage is effective during a cyber incident because it can provide faster and more reliable access to the backup data than local storage, which may be damaged, compromised, or inaccessible due to the incident.
Some examples of cloud storage providers are Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, Dropbox, and Box.
Data replication: This is a process that involves creating and maintaining multiple copies of the same data across different locations, devices, or systems, so that they can be synchronized and updated in real time. Data replication can enhance the performance, reliability, and availability of the data, and enable fast recovery in case of failure or disaster. However, data replication also has some limitations in the event of a cyber incident.
- It may not prevent data loss or corruption if the incident affects the source data or the replication process, and the changes are propagated to the replicated copies. For example, if a ransomware attack encrypts the source data, the replicated copies may also be encrypted and rendered unusable.
- Data replication may not protect the data from unauthorised access or modification if the incident compromises the security of the replication network or the replicated locations, devices, or systems. For example, if an attacker gains access to the replication network, they may be able to intercept, alter, or delete the replicated data.
- Data replication may not be feasible or cost-effective for some types of data or systems that have high volume, velocity, or variety, and require high bandwidth, storage, or processing capacity. For example, if a system generates large amounts of streaming data (such as video or audio), replicating the data in real time may be challenging and expensive.
Snapshots: This is a technique that involves capturing the state of a data set or a system at a specific point in time, and storing it as a snapshot. Snapshots can be used to create backup copies of the data or the system, and to restore them to a previous state if needed. Snapshots can also save space and time by only storing the changes that occur after the snapshot is taken, rather than the entire data set or system. Some examples of snapshotting tools are Azure Backup, and VMware vSphere.
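To make the replication limitation and the snapshot point concrete, here is an added example (not VirtueUK's or any backup vendor's code): a tiny in-memory block store in which a replica mirrors every write and a copy-on-write snapshot preserves overwritten blocks, so a ransomware-style overwrite reaches the replica while the last good snapshot can still be restored and verified by hash. The sample data, the `BlockStore` class and the XOR "encryption" are constructed stand-ins, not a real cipher or product.

```python
"""Real-time replication propagates a ransomware overwrite; a point-in-time
snapshot does not. Added illustration built on a constructed block store."""
from __future__ import annotations
import hashlib

RANSOM_KEY = b"constructed-key!"  # constructed; any bytes would do for the demo


def scramble(data: bytes, key: bytes = RANSOM_KEY) -> bytes:
    """Stand-in for ransomware encryption: XOR keystream, applying it twice
    undoes it. Only meant to make a block unreadable, not a real cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class BlockStore:
    """Volume of numbered blocks with optional replicas and snapshots."""

    def __init__(self, blocks: dict[int, bytes]):
        self.blocks = dict(blocks)
        self.replicas: list["BlockStore"] = []
        # One dict per snapshot: block index -> content preserved at the first
        # overwrite after the snapshot was taken (copy-on-write).
        self.snapshots: list[dict[int, bytes]] = []

    def add_replica(self, replica: "BlockStore") -> None:
        self.replicas.append(replica)

    def take_snapshot(self) -> int:
        # Nothing is copied now; old data is kept only when a block changes,
        # which is why snapshots are cheap compared with a full copy.
        self.snapshots.append({})
        return len(self.snapshots) - 1

    def write(self, idx: int, data: bytes) -> None:
        for preserved in self.snapshots:
            preserved.setdefault(idx, self.blocks[idx])  # keep the old version once
        self.blocks[idx] = data
        for replica in self.replicas:
            replica.write(idx, data)  # replication mirrors every write, good or bad

    def state_at(self, snap_id: int) -> dict[int, bytes]:
        """Volume contents as they were when snapshot snap_id was taken."""
        return {i: self.snapshots[snap_id].get(i, cur) for i, cur in self.blocks.items()}

    def restore_snapshot(self, snap_id: int) -> None:
        for idx, data in self.state_at(snap_id).items():
            self.write(idx, data)  # a restore is itself a write, so replicas follow

    def fingerprint(self) -> str:
        """SHA-256 over all blocks; lets a backup copy be verified later."""
        h = hashlib.sha256()
        for idx in sorted(self.blocks):
            h.update(idx.to_bytes(4, "big") + self.blocks[idx])
        return h.hexdigest()


def demo() -> dict:
    # Constructed sample data standing in for business files on a volume.
    source = BlockStore({0: b"ledger-2024-q1", 1: b"customer-list",
                         2: b"payroll", 3: b"config-v1"})
    replica = BlockStore(source.blocks)
    source.add_replica(replica)
    first_snap = source.take_snapshot()
    source.write(3, b"config-v2")              # legitimate change after the snapshot
    known_good = source.fingerprint()          # record what "good" looks like
    last_good_snap = source.take_snapshot()
    for idx in list(source.blocks):            # ransomware-style overwrite of every block
        source.write(idx, scramble(source.blocks[idx]))
    replica_also_hit = replica.blocks == source.blocks and replica.blocks[0] != b"ledger-2024-q1"
    source.restore_snapshot(last_good_snap)
    return {
        "replica_also_hit": replica_also_hit,                     # True
        "restored_matches_known_good": source.fingerprint() == known_good,
        "replica_repaired_by_restore": replica.fingerprint() == known_good,
        "config_after_restore": source.blocks[3],                 # b"config-v2"
        "oldest_snapshot_config": source.state_at(first_snap)[3],  # b"config-v1"
    }
```

The hash recorded before the incident is what makes the restore verifiable rather than assumed; in practice the known-good fingerprint must itself be stored where the attacker cannot alter it.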
Disaster Recovery (DR) services are another right-boom recovery strategy vital to getting your systems operational as quickly as possible. But it should be noted that Disaster Recovery services like Microsoft Azure Disaster Recovery are not the same as cloud storage and backup. They differ in the following ways:
Cloud storage is a generic service that allows your business to store and access its data on the cloud, while Microsoft Azure disaster recovery services are a specific solution designed for your environment which allows an organisation to replicate and recover their data and systems on the cloud.
Cloud storage is a passive and reactive service that requires you to manually or periodically backup your data and restore it when needed. Microsoft Azure disaster recovery services are an active and proactive service that automatically replicates and recovers your data and systems according to the predefined plan.
Cloud storage is a standalone service that does not depend on the type or state of the data and systems, while Microsoft Azure disaster recovery services are a dependent service that requires the data and systems to be compatible and functional with the cloud platform.
Forensic Analysis and Learning
After a security breach, conduct a thorough forensic analysis. It’s essential to understand the nature of the attack as well as the extent of the damage, and the vulnerabilities exploited.
Learning from these incidents enables organisations to strengthen their security posture further. This makes it harder for similar attacks to succeed in the future.
Legal and Regulatory Compliance
Navigating the legal and regulatory landscape after a security breach is important. Organisations must follow data breach notification laws and regulations. Timely and transparent communication with affected parties is essential and vital to maintaining trust and credibility.
Interested in a Free Phishing Security Test?
If you're interested in assessing the Phish-prone percentage of your users, contact us to arrange a free simulated phishing attack.