Building a solid Data Privacy and Cyber Security stack
Building a resilient organisation is a key requirement in a digital world infused with cyber-crime and cyber-warfare. The two overlap, because state actors can launch cyber-criminal activity to cripple key organisations in a country and then deny any involvement.
Cyber-criminal activity is performed to make money. Cyber-criminals look far and wide for targets with flaws in their security that can be compromised, and they monetise a compromise through ransoms, extortion, fraud and theft.
Cyber-warfare is performed by a country, either directly or through criminal networks, to harm infrastructure, disable services and possibly render a country unable to perform certain functions, both governmental and business-wise. Cyber-warfare is very targeted at specific goals to further a specific purpose. Examples would be the disabling of uranium enrichment in Iran or shutting down a power station in Ukraine.
While data protection is one part of data privacy, it is a very key part in our modern world. The value of personal and other data is the current asset of our new economies and has enormous value as a marketable and exploitable commodity in the wrong hands.
Data privacy management is a key responsibility of any organisation. It ensures that the stakeholders whose information the organisation keeps, for example employees, customers, suppliers, patients and medical staff, are protected from exploitation of that information, whether by the organisation itself or by external parties.
In this article I would like to look at the elements of a data privacy and cyber security stack and how they all fit together to create a resilient, hardened organisation.
I have identified these as the main areas of focus for a pragmatic approach to building a solid security foundation:
- Technical staff
- General staff
- Data Privacy Compliance
- Cyber security governance frameworks (CIS, NIST) and compliance
- Technical attack prevention
- Systems Backup
- Disaster Recovery as a service
- NRAAS - Network Recovery as a service™
- Resilience and white hat activities
- Vulnerability scans
- Penetration tests
- Post event forensics
- Incident response
- Software development, security and privacy by design.
Cyber Security and Data Privacy Education.
I constantly come across organisations where people are absolutely, naively clueless about the threat landscape that lies just beyond their network devices waiting eagerly to enter. In fact, it can also just as easily be a malicious employee inside an organisation!
To me the first item is education, which creates prevention. This needs to be appropriate to the people being educated. I know of a bank CEO who infected his bank with ransomware; it’s easy to click a link and regret it, and yes, they should have known better, but why did that email get through, and what were their IT security staff doing?
At an executive level education is about making the executives aware of the risks they are exposed to and enabling them to understand the level of budget that they need to have to focus on data privacy and cyber security.
There is a massive shortage of skilled data privacy and cyber security experts at both a theoretical and a technical level. For an organisation to build the necessary capabilities it must either outsource to external consultants or train up its own technical staff. Either way, there needs to be the technical skill to understand the requirements for building robust infrastructure and managing risk and compliance.
Email is a major threat vector for data breaches of many kinds. Technical solutions filter out a lot of malicious email, but staff still need to be trained to identify the various attacks, which are becoming more sophisticated and harder to spot. In some cases these target specific individuals, using inside information about them to craft an email scenario that is extremely hard to identify as an attack.
Governance and risk management.
Governance and risk management is the key to actionable outcomes. Following a governance programme for both data privacy and cyber security will, if done properly, provide a framework to identify all addressable areas and an understanding of how to allocate budget to them.
Governance is an ongoing task, and reviews are essential as dynamic organisations change and morph over time.
Data Privacy Compliance.
By 2023 over 65% of the world population will be protected by some form of data privacy regulation that organisations keeping their data will need to conform to.
Data Privacy compliance in most cases requires effort in the following areas:
- Consent and marketing.
- Human resources.
- IT and security.
- Governance with policies and privacy notices.
- Communication of policies and understanding of these by staff and other stakeholders.
- Vendor management and data protection addendums to vendor contracts where relevant.
- Data protection impact assessments.
- Data Subject Access Requests
- Breach management and recording, including potentially notifying regulatory authority as well as people whose data has been compromised.
A well-managed and well-communicated data privacy program adds value to an organisation and contributes in many ways to its sustainability in terms of:
- Mitigating losses from data breaches.
- Enabling agility and innovation.
- Achieving operational efficiency from data controls.
- Making a company more attractive to investors; this aspect is becoming part of any due diligence during M&A activities.
- Building loyalty and trust with customers, staff and suppliers.
Using a Cyber Security Framework.
Recommended guidelines for a cyber security and data privacy budget estimate about 8 – 14% of the total IT budget. I would class the data privacy budget out of IT as it encompasses different areas of an organization.
So this amount can be a fairly significant investment and needs to be implemented as a budgetary amount where it can work the hardest. This is what a cyber security framework review enables, determining where the budget can be best spent.
There are various cyber security frameworks, CIS and NIST being two of the most well-known.
CIS – Center for Internet Security states “Developed by the Center for Internet Security (CIS), the CIS Critical Security Controls are a prescriptive, prioritized set of cybersecurity best practices and defensive actions that can help prevent the most pervasive and dangerous attacks and support compliance in a multi-framework era”.
NIST – National Institute of Standards and Technology (USA) states “The NIST Cybersecurity Framework is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology based on existing standards, guidelines, and practices”.
Either of these and many others will take you through a quarterly or bi-annual review that will reveal the cyber health stance of your organization and ideally show you the actions that you need to take to create a hardened, robust and resilient position.
Technical attack prevention.
There are many different types of cyber-attacks that can take place, these include:
- Denial of service attack.
- Malware outbreak.
- Phishing attacks.
- Privilege escalation.
- Ransomware attacks.
- Unauthorised root access.
- Virus outbreaks.
- Data loss incidents.
- Data theft incidents.
Some of these require human intervention for prevention, some a technical solution and some a combination.
Key methods and protocols to follow in order to technologically prevent attacks are:
- Keep operating systems and software fully up to date.
- Ensure all endpoints have protection: desktops, laptops and mobile devices are all access points for security threats, and it is best to invest properly in security software for them.
- Install the required firewalls; these block brute force attacks before they can do damage.
- Back up your data. This is obviously a critical control, yet it is amazingly done very badly in some organisations.
- Ensure physical access to your premises is controlled; if you are targeted, one method of attack is physical entry to the premises followed by infecting devices.
- Secure wifi connectivity so that only permitted devices can connect.
- Ensure users access systems only with their own login accounts, NOT with shared group accounts.
- Ensure user permissions are set to only what each role needs.
- Be able to whitelist and blacklist software, ensuring only authorised software can be installed on devices.
- Forcing password changes and ensuring good password practice.
Having been the co-founder and Joint CEO of an online backup service with 15,000 B2B clients for over 13 years, I was often amazed at the complete lack of understanding in organisations of the critical nature of data and systems backups, and literally had people crying over the phone over data lost due to incorrect backup selections and various errors.
Critical data backups are the most basic form of building resilience from disaster and attack.
A data backup forms the fundamental requirement to rebuilding a system and getting a fully running service back in place.
The key issue with backups is testing, testing, testing; there should be consistent, failure-free backups in place. What is the cost of not being able to restore an hour, a day, a week, a month’s worth of data?
Nowadays there is NO reason to backup to a tape or to a device on your own premises, in fact should your servers even be self-hosted for most organizations?
Backups are critical; they must be monitored and tested. You should know the RPO and RTO for your backups and determine whether they are right for your business. RPO (Recovery Point Objective): remember that you can only restore from your last successful backup, so when did that happen? RTO (Recovery Time Objective): how long does it take to restore services from backup and have live systems running again? Once again, how much does it cost when you are unable to restore a system in an hour, a day, a week, a month? These types of disasters can destroy a business.
I personally would recommend moving to a full systems backup scenario with DRAAS built in (Disaster Recovery as a Service).
An important note is that even if hosting in the cloud, this does not ensure your systems are being automatically backed up – you must check and ensure this.
Disaster Recovery as a service (DRAAS).
DRAAS is a combination of full systems backup and a service that will restore your server infrastructure into a hosted cloud solution within a pre-agreed time. This is backup with a tested and documented recovery plan in place. According to ISO27001 you should do a full disaster recovery simulation at least once per quarter.
A comprehensive DRAAS solution from a supplier can potentially offer you the technology to recover your full services in 30 seconds, obviously today at a high cost, but you can opt for a slower RTO. These services should include a quarterly disaster recovery simulation in which everything is restored in a new environment and users can test the system and verify the RPO, i.e. how long ago the recovered data was taken.
I would highly recommend putting a backup and DRAAS service in place for critical infrastructure. The most important thing is to hold the service provider accountable to the required RPO and RTO and to run the necessary simulations.
Backup and disaster recovery are more and more being referred to as BDR, they should be managed as one.
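As an added illustration of the monitoring and testing described in the backup and DRAAS sections (this is example code written for this article, not any backup product's own tooling), the script below reads a constructed backup job history and checks each job against an assumed RPO target, an assumed RTO target and the quarterly restore-test cadence mentioned above. The log format, job names, targets and timestamps are all assumptions made up for the example. It answers the two questions the text asks: when did the last successful backup actually happen, and how long did the last real restore take?

```python
"""Backup RPO/RTO compliance check (added example for this article).

Illustrative code written for this article; it is not any backup product's
own tooling. The log format, job names, targets and timestamps are
constructed assumptions. Each record is:
"<ISO-8601 UTC timestamp> <job> <BACKUP|RESTORE_TEST> <SUCCESS|FAILED> <seconds>"
"""
from datetime import datetime, timedelta, timezone

# Constructed sample job history (not real data). fileserver has two recent
# failed backups and a stale, slow restore test; erp-db is healthy.
SAMPLE_LOG = """\
2024-05-01T01:00:00Z fileserver BACKUP SUCCESS 1800
2024-05-02T01:00:00Z fileserver BACKUP SUCCESS 1750
2024-05-03T01:00:00Z fileserver BACKUP FAILED 120
2024-05-04T01:00:00Z fileserver BACKUP FAILED 95
2024-01-20T03:00:00Z fileserver RESTORE_TEST SUCCESS 5400
2024-05-01T02:00:00Z erp-db BACKUP SUCCESS 3600
2024-05-02T02:00:00Z erp-db BACKUP SUCCESS 3900
2024-05-03T02:00:00Z erp-db BACKUP SUCCESS 3700
2024-05-04T02:00:00Z erp-db BACKUP SUCCESS 3650
2024-04-15T03:00:00Z erp-db RESTORE_TEST SUCCESS 2700
"""

# Assumed per-job targets. rpo: maximum tolerated age of the last good backup.
# rto: maximum tolerated restore time, as measured by the last restore test.
# test_interval: how often a full restore test must happen (quarterly here).
TARGETS = {
    "fileserver": {"rpo": timedelta(hours=24), "rto": timedelta(hours=1),
                   "test_interval": timedelta(days=90)},
    "erp-db": {"rpo": timedelta(hours=24), "rto": timedelta(hours=1),
               "test_interval": timedelta(days=90)},
}


def parse_log(text):
    """Parse log lines into {job: [records sorted by time]}."""
    jobs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job, kind, status, seconds = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        jobs.setdefault(job, []).append({
            "when": when, "kind": kind, "ok": status == "SUCCESS",
            "duration": timedelta(seconds=int(seconds)),
        })
    for records in jobs.values():
        records.sort(key=lambda r: r["when"])
    return jobs


def assess(jobs, targets, now):
    """Compare each job's history with its targets; return per-job findings."""
    report = {}
    for job, target in targets.items():
        records = jobs.get(job, [])
        backups = [r for r in records if r["kind"] == "BACKUP"]
        tests = [r for r in records if r["kind"] == "RESTORE_TEST" and r["ok"]]
        findings = []

        # RPO: you can only restore to the last *successful* backup, so the
        # achieved RPO is the age of that backup, not of the last scheduled run.
        good = [r for r in backups if r["ok"]]
        achieved_rpo = now - good[-1]["when"] if good else None
        if achieved_rpo is None:
            findings.append("no successful backup on record")
        elif achieved_rpo > target["rpo"]:
            findings.append(f"RPO breached: last good backup {achieved_rpo} ago "
                            f"(target {target['rpo']})")

        # A run of failures at the tail of the history means the job is silently dead.
        streak = 0
        for r in reversed(backups):
            if r["ok"]:
                break
            streak += 1
        if streak >= 2:
            findings.append(f"{streak} consecutive failed backup runs")

        # RTO: only a completed restore test proves how long recovery really takes.
        if not tests or now - tests[-1]["when"] > target["test_interval"]:
            findings.append("no successful restore test within the required interval")
        if tests and tests[-1]["duration"] > target["rto"]:
            findings.append(f"RTO breached: last restore took {tests[-1]['duration']} "
                            f"(target {target['rto']})")

        report[job] = {"achieved_rpo": achieved_rpo, "findings": findings,
                       "compliant": not findings}
    return report


def check_sample(now=datetime(2024, 5, 4, 9, 0, tzinfo=timezone.utc)):
    """Run the check over the constructed sample at a fixed 'now' (assumed)."""
    return assess(parse_log(SAMPLE_LOG), TARGETS, now)


if __name__ == "__main__":
    for job, result in check_sample().items():
        print(f"{job}: {'OK' if result['compliant'] else 'ATTENTION'}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The design point is that the RPO is measured from the last successful backup, not from the last scheduled run, and that the RTO is taken from a real restore test rather than assumed from the backup duration; a job that reports "ran last night" can still fail both checks, which is exactly the situation the text warns about.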
NRAAS - Network Recovery as a service™.
NRAAS is a new concept provided by very few managed service providers. It is highly complex: it involves replicating, in the recovery environment, the minimum network structure the client organisation needs in order to recover its infrastructure servers and network services, so that users can log on and use the recovered services ALMOST seamlessly.
When done correctly in combination with DRAAS, a simple DNS change is all that is required at time of disaster or simulation to point users to the new recovered environment and allow them to continue working.
Resilience and white hat activities.
Building cyber resilience in an organisation is done to enable it to anticipate, withstand and recover from adverse cyber events. Really, it’s about being able to continue with normal operations while preventing, detecting, controlling, and recovering from threats to data and infrastructure.
Cyber resilience is made up of four elements:
- Manage and protect – Identify, assess, and manage risks from network and information systems.
- Identify and detect – Security monitoring and active detection.
- Respond and recover – implementing an incident response management programme - see incident response below.
- Govern and assure – ensure cyber security is a top management priority and is built into the business through security and privacy by design.
The benefits of implementing a cyber resilience program are obvious and include:
- A reduction in financial loss from cybercrime.
- Meeting legal and regulatory requirements, CIS, NIST and then various global data privacy regulation which require a proper IT and Security program in place.
- It should improve internal processes and force a review of these.
- Protecting your brand and reputational risks.
White hat hackers, or ethical hackers, are cyber security and IT experts who use their skills for good. They typically work as consultants or in-house and perform various tests of IT networks and infrastructure to verify how well these resist attack.
It is critical and should be part of any IT project to engage cyber security professionals to perform penetration tests and ongoing vulnerability scans.
Cyber Incident Response.
Cyber incident response is something you want to be prepared for but hope never to have to do in real life. Building attack response plans and rehearsing them is crucial, because being prepared when the world around you appears to be disintegrating (literally, in a ransomware attack you can watch files being encrypted) is a major advantage.
A calm, measured, structured response, in which the issues are identified and isolated, forensic evidence is gathered, and plans are executed to rebuild systems, is essential.
The organisation may need multiple teams at work: those identifying and isolating the problem, those in the background beginning disaster recovery procedures to bring up systems in an alternate location, and those gathering evidence to build a forensic record of what happened, so that hardening and resilience building can follow once the event is over.
I would recommend building cyber incident response plans as follows: first, an overarching plan that is executed for any cyber incident and whose purpose is to identify the type of incident; thereafter, a response plan per type of incident. Ideally one can purchase pre-built plans covering this and adapt them to your specific organisation.
Software development, security and privacy by design.
If your organisation does any software development, has systems built for it, or consumes hosted SaaS solutions, you need to consider the security of the software powering those systems.
Software systems are layered: they run on hardware located in data centres, on servers with operating systems and third-party integrated tools; they use database software to store information; and they have server-side and client-side functionality. They are highly complex, and security in these environments needs to be fully understood; wherever weaknesses and risks are identified, they need to be mitigated.
This is a huge subject and books have been written about it. A quick entry point to understand more is to look at the OWASP top 10. OWASP (Open Web Application Security Project) is a non-profit that works to improve the security of software. Their mission is “No more insecure software”.
Their top 10 security risks for 2021 were:
- Broken access control.
- Cryptographic failures.
- Insecure design.
- Security misconfiguration.
- Vulnerable and outdated components.
- Identification and authentication failures.
- Software and data integrity failures.
- Security logging and monitoring failures.
- Server-side request forgery.
It is a lot to think about and a lot to deal with. Most organisations want a more robust security stance but do not know how to go about it. The skills available are also in very high demand; there are over 3,500,000 open cyber security jobs worldwide.
To get started, go through all the areas discussed here and implement the required solutions. It can be incremental, it can be in stages, it can be budgeted for over time, but BEGIN.