Protect Everything, Harden What’s Critical

When prioritising cyber security objectives, it’s tempting to identify what you deem to be business-critical and focus your investment of resources in this area. Whilst taking this approach will no doubt improve your resilience, there is a danger of overlooking other key components of your operations. As well as the possibility of ‘cumulative critical impact’, vulnerabilities in these key (but non-critical) components could also provide an attacker a back door into your well-protected critical systems.

For example, even an air-gapped isolated network is vulnerable to cyber attacks if files or software applications are being manually uploaded or updated from other internet-connected networks within your internal infrastructure or supply chain. Another example would be if only technology is applied as a protection measure without addressing education and culture. All the technology available today will still not necessarily prevent human error, or a malicious action, from inside your security perimeter creating a vulnerability or breach.

When conducting due diligence projects, our approach at CYSIAM is to identify whether appropriate cyber security measures are in place across an organisation, and where necessary additional hardening of defences are in place to protect what’s critical. We conduct technical and non-technical assessments of the following:

• Governance
• Policy, process & procedure
• Technology
• Data handling
• Education & culture
• Physical environment
• Supply chain

We then, in consultation with our clients, conduct specialist action and analysis such as penetration testing, digital forensics, insider threat, and threat intelligence in areas that are agreed as business-critical. Business criticality can be measured as a factor of likelihood of attack x level of consequence with consequences such as financial impact, loss of reputation, interruption of service, and legal non-compliance being considered amongst others.

As with any tailorable assessment process, the scope for consideration should be one of depth, not breadth. All areas should be in scope with risk-based decisions made around how deep the assessment activities should go. This decision is often based on finance and resources available, or maybe time constraints, particularly in investment scenarios. This could well result in a drive to focus on protecting critical systems and data, but we must recognise that everything interacts in a digitally-connected organisation and threat actors are opportunistic and indiscriminate.

A holistic approach to conducting the basics well is still the best defence against the evolving cyber threat.