Organizations should follow the CERT UK’s lead to build improved cyber resilience in readiness for attack, the director of the government-backed body told Infosecurity Europe 2015 attendees today.
On the last day of the show, Chris Gibson outlined the UK Computer Emergency Response Team’s four-point plan, claiming it’s “what everyone should be doing.”
This begins with incident planning and handling – ensuring teams know what to do in the event of a major attack, and having the capability to “manage down” any smaller incidents so they don’t escalate into more serious cases.
Next comes situational awareness, gained from monitoring open source channels, news sources, vulnerability feeds and more.
Finally, organizations should talk to colleagues, peers and others in the “ecosystem” to share information and best practice, Gibson advised.
“If you haven’t been hacked, believe me, it’s because you don’t know you’ve been hacked,” he argued. “You should have all of [these steps] in place before you come under cyber attack.”
Telefonica UK head of cyber response and IT security, Tom Mullen, added that IT leaders would do well to institute a culture of continual improvement: testing and auditing systems, and updating whenever they encounter major weaknesses.
After an attack is the perfect time to reassess if everything worked as intended, what could be improved in the future, and who will manage, own and deliver any improvements, he explained.
Experts on the panel agreed that planning for a major cyber attack should also extend to what the organization’s public response should be.
All stakeholders, including PR, comms, legal and others, should be included in the “bridge calls” to ensure everyone knows what their role will be during and after an incident, argued Mullen.
Gaps in supply chain security need to be filled more effectively, according to CERT UK’s Gibson.
Organizations were advised to use the government’s Cyber Essentials certification scheme to bring up standards far down the supply chain.
“I’ve seen more than enough examples to know it’s not where it needs to be,” argued Gibson.
Telefonica’s Mullen claimed supply chain issues could be pre-empted by stronger contracts backed up with regular audits and spot checks.
However, Department for Work and Pensions head of cyber response and IT security, Jon Townsend, claimed organizations should first ask questions of themselves, such as “am I being an intelligent customer?”
“Rather than beat them up with a contract, work with them to get it right,” he argued.