Building cyber resilience in an unpredictable world

In today’s interconnected and digitally dependent world, where technology permeates every aspect of our lives, organisations face an ever-evolving landscape of cyber threats and vulnerabilities. The modern world is characterised by unpredictability. The digital transformation has ushered in unprecedented opportunities for innovation and growth, but it has also exposed us to a new level of unpredictability in the form of cyberattacks. To thrive in this dynamic environment, building cyber resilience has become paramount.

Leaders of government and military organisations are pushing through digitalisation projects with the aim of improving the services organisations provide to citizens and businesses, but can fail to recognise that additional layers of technology on top of legacy core systems can create extra cyber risks. It is just one of the challenges highlighted by The World Economic Forum (WEF), which has published its Global Cybersecurity Outlook 2023. The report reveals that one of the biggest concerns for organisational as well as cyber leaders is now geopolitical instability.

The ‘permacrisis’ fuelled by conflict across the world has helped to narrow the perception gap between organisational and cyber leaders, says WEF, and over 90% of respondents in its research now believe that a far-reaching, catastrophic cyber event is likely to happen in the next two years. Given the apparent inevitability of future cyber events - and the fact that leaders struggle to balance the value of new technology with the potential for increased cyber risk in their organisations - how can governments and military organisations protect their valuable data and avoid financial and reputational risk?

Who is involved, and what is their motivation?

The UK’s Parliamentary Office of Science and Technology (POST) says that it is often difficult to identify exactly who is behind cyberattacks on government bodies. This is for two main reasons, it says: the first is that an organisation may not even be aware that they are under attack, as many incidents are designed to steal information ‘under the radar’ without alerting security teams that they are ongoing.

The other is that states increasingly use criminal gangs for hire to undertake attacks, so that their own role is hidden.

“States may conduct operations through their security and foreign intelligence agencies or via non-state proxies, such as private contractors,” says POST. “[Security service] MI5 says that cyber espionage allows hostile actors to steal large volumes of information remotely, cheaply and with relatively little risk to personnel. It may also make it easier for states to deny involvement, for example, by using a criminal group to act on their behalf.”

Where financial gain is the motivation, rather than espionage, incidents can include everything from spear-phishing attacks to ransomware, where criminals infiltrate systems and threaten to damage them if ransoms are not paid.

The risks at play

One of the challenges for governments is that the number of devices connected to the internet continues to proliferate, including smartphones and internet of things (IoT) appliances. The potential points of entry by hackers to access core data and applications with cyberattacks are more numerous than ever before, and are set to multiply still further in future.

The risks for government bodies are specific: without cyber resilience they will fail to fulfil their duty as guardians of the public realm, and as delivery agents for crucial services. The stakes are high, as McKinsey states in a recent report: “With every new device, user, and business that connects to the internet, the threat of cyberattacks increases. If a government cannot provide secure and trusted digital connectivity, societies can’t prosper and economies won’t thrive.”

Just like private businesses and corporates, government bodies can suffer from both financial and reputational risk as a result of cyber incidents such as ransomware attacks. Their activities can also be brought to a complete halt through denial of service or distributed denial of service attacks.

A recent example of a cyber incident is the ransomware attack by a group called CLOP. The attacks were said to have exploited a security flaw in a commonly used file transfer programme called MOVEit, and affected US state agencies in Missouri, Minnesota and Illinois. The attack highlights the ubiquity of incidents such as this: the group targeted the same programme used by Johns Hopkins University in Baltimore, as well as private sector businesses in the UK such as the BBC, British Airways and Shell. Once a group identifies a vulnerability in a piece of software, they can transfer their efforts to any sector or industry before the software vendor can issue a patch to fix the problem.

Taking action

In taking action, here are some of the principles and key strategies to consider:

Risk Assessment and Threat Intelligence

Understand your organisation’s vulnerabilities and the evolving threat landscape. Regularly assess risks and gather threat intelligence to stay ahead of potential threats.

Robust Cybersecurity Measures

Invest in strong cybersecurity defences, in-depth security layers, and encryption as the last line of defence. Regularly update and patch OS software and applications to protect against known vulnerabilities.

Employee Training / Knowledge Transfer

Human error remains a significant factor in cyber breaches and incidents. Train employees/personnel in cybersecurity best practices, including how to recognise and report any possible breach attempts.

Incident Response Plan

Develop a comprehensive incident response plan that outlines clear procedures for identifying, containing, mitigating, and recovering from cyber incidents. Test the plan/s through simulations/drills and table-top exercises.

Data Back-up and Recovery

Regularly back-up critical data and systems, and store back-ups in secure off-site locations. Implement a robust data recovery plan to minimise downtime in case of an incident.

Third-Party Risk Management

Assess the cybersecurity posture of third-party vendors and partners. Ensure they meet the security standards being set and have appropriate controls in place.

Continuous Monitoring

Employ advanced threat detection and monitoring tools to detect anomalies and intrusions in real-time. The ability to respond quickly is crucial.

Regulatory Compliance

Stay compliant with relevant cybersecurity regulations and standards. Compliance often sets a minimum baseline for security practices.

Cyber Insurance

Consider cyber insurance to help mitigate financial losses in case of cyber incidents. Understand the coverage and limitations of your policy.

Cybersecurity Culture

Foster a cybersecurity-conscious culture within your organisation. Make security awareness a part of daily operations, and encourage reporting of any suspicious activities.

Regular Updates and Adaptation

Cyber threats are constantly evolving. Continuously assess and update your cyber resilience strategies to stay ahead of emerging threats.

Collaboration and Information Sharing

Engage in information sharing and collaboration with industry peers and government agencies to stay informed about new threats and best practices.

In an unpredictable world, cyber resilience is not an option but a necessity. By following the above principles and key strategies, and at the same time making cyber security a core part of an organisation’s culture, you can better withstand the ever-changing threats in the digital landscape and ensure business continuity.

This is why it pays for government bodies to share incident information with peer organisations as well as corporates. One of McKinsey’s key recommendations for national governments is to establish multiple sources of threat intelligence, as the UK government did back in 2013. The Cyber Security Information Sharing Partnership features a platform where the government and the private sector can share threat intelligence quickly and confidentially.

What other measures should national governments be taking, if they haven’t done so already? McKinsey says that there are five important elements of a cyber resilience strategy:

  • A dedicated national cybersecurity agency (NCA): setting up a centralised agency to take responsibility for regulation and governance.
  • A National Critical Infrastructure Protection program: protecting infrastructure such as energy, transport and healthcare from attacks.
  • A national incident response and recovery plan: building a clearly defined reporting procedure for citizens and businesses and active monitoring for cyberthreats.
  • Defined laws pertaining to all cybercrimes: creating robust substantive and procedural cybersecurity laws, such as those defined by the Budapest Convention.
  • A vibrant cybersecurity ecosystem: developing a network of accredited cybersecurity service providers, training providers, and entrepreneurs.

Underpinning all of this activity are the normal, but crucial, steps government organisations should take, including strong encryption, staff training, constant monitoring for threats, updating/protecting IT systems, and setting up secure access and control systems.

The need to provide digital services for citizens and businesses will never recede. Governments the world over need to take the important steps necessary to safeguard their systems and data, and continue to provide the services required to support a fully functioning society.

Building cyber resilience is an ongoing process that requires commitment and adaptability. In an unpredictable world, organisations that prioritise cyber resilience are better equipped to navigate the challenges posed by cyber threats. By taking a proactive and comprehensive approach, businesses can not only protect their assets and reputation but also ensure their long-term sustainability in the digital age.

At Asperiq we fully recognise that encryption is the foundational building block of a solid cyber defence and very often it represents the Last Line of Defence against sophisticated cyber-attacks. Encryption is not to be taken lightly; it stands as the ultimate guardian of communication. Asperiq's quantum-secure IP-VPN encryption technology is rooted in a Hardware Security Trust Anchor developed in-house by our foremost security experts.

Contact us to find out more about how we can help you to build a quantum safe encryption infrastructure. Contact@asperiq.com