Cybersecurity moved to the top of our agenda following a raft of stories about the disasters some companies faced in this arena.
The CIO conferences and networking with CIOs also steered our focus towards cybersecurity.
Before this, we were always talking about our legacy environment, easy to crack passwords, etc. but never had a clear strategy on how to approach it.
We have always talked about reducing our cybersecurity risk in the business, and the need to make staff more aware about email phishing.
Out of these conferences, we started researching around how other businesses are tackling these daily threats and the threat landscape.
We came across the NIST (National Institute of Standards and Technology) Cybersecurity Framework. It is a very good starting point for anyone who wants to begin their cybersecurity journey.
This framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritised, flexible, repeatable and cost effective approach of this framework helps us to manage the cybersecurity risk. This framework provides a common language that can be easily understood at various levels of the business.
The five elements of the NIST framework are: Identify, Protect, Detect, Respond and Recover.
We realised immediately that, like any other business, we would not be able to achieve everything at once because we are constrained on resources (people, money and time). So we started simplifying this framework to suit our needs.
This simplification led us to IDENTIFY the top five assets (including any related assets) that we need to protect. We brainstormed across the business on the potential events that could threaten those assets. We then assigned each event a risk score based on the likelihood of the event and its impact if it happens (this score takes into account the mitigations already in place inside our business).
To PROTECT the identified assets, it is important to review the current protection measures in place (the existing mitigations). For each of these events we identified and reviewed the existing mitigations that reduce its likelihood and impact. This gave us the opportunity to propose new mitigations that would further reduce the likelihood and impact, which resulted in various actions we needed to take. We were able to clearly identify how we can reduce the likelihood of a cybersecurity event. Our initial focus was on reducing the likelihood of an event happening rather than on reducing its impact. You need to strike a fine balance on where to focus your energy (whether to reduce the likelihood or reduce the impact) to get the maximum value from the available resources.
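A worked version of the identify-and-protect scoring described above, added here as an example that is not part of the article or of Barfoot & Thompson's own process. The assets, events, scores and costs are constructed, and the 1-to-5 likelihood-times-impact scale and the risk-reduction-per-cost ranking are assumptions used to show how proposed mitigations that lower likelihood can be weighed against ones that lower impact.

```python
from dataclasses import dataclass, field

@dataclass
class Mitigation:
    name: str
    likelihood_delta: int = 0  # how much it lowers likelihood (1-5 scale)
    impact_delta: int = 0      # how much it lowers impact (1-5 scale)
    cost: int = 1              # relative effort, constructed units

@dataclass
class ThreatEvent:
    asset: str
    event: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), with existing mitigations applied
    impact: int       # 1 (negligible) .. 5 (severe), with existing mitigations applied
    proposed: list = field(default_factory=list)  # candidate new mitigations

    def score(self, extra=()):
        """Likelihood x impact, optionally with proposed mitigations applied."""
        lik = max(1, self.likelihood - sum(m.likelihood_delta for m in extra))
        imp = max(1, self.impact - sum(m.impact_delta for m in extra))
        return lik * imp

def rank_by_value(events):
    """Order every proposed mitigation by risk reduction per unit of cost."""
    rows = []
    for e in events:
        base = e.score()
        for m in e.proposed:
            reduction = base - e.score([m])
            rows.append((reduction / m.cost, reduction, e.asset, e.event, m.name))
    return sorted(rows, reverse=True)

# Constructed register: two events against one asset, with both a
# likelihood-reducing and an impact-reducing mitigation proposed.
REGISTER = [
    ThreatEvent("Customer records", "staff credentials phished", 4, 4, [
        Mitigation("2FA on all staff accounts", likelihood_delta=2, cost=3),
        Mitigation("phishing awareness training", likelihood_delta=1, cost=1),
    ]),
    ThreatEvent("Customer records", "ransomware on file servers", 3, 5, [
        Mitigation("tested offline backups (tighter RPO/RTO)", impact_delta=3, cost=3),
    ]),
]

if __name__ == "__main__":
    for value, reduction, asset, event, name in rank_by_value(REGISTER):
        print(f"{value:5.2f} per unit cost  -{reduction:>2}  {asset} / {event} -> {name}")
```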
This exercise helped us raise awareness of cybersecurity at the senior management level in the business. That in turn helped us direct resources towards reducing our technical debt, introducing 2FA, password protection, data security, improved identity management and reducing email phishing. Last but not least is creating awareness across the entire business (on reflection, we think we should do more in this area, and this needs to be an ongoing exercise).
In 2017, we partnered with a trusted security team to help us on our cybersecurity journey.
We conducted penetration tests with them in our environment, including attempts to compromise our physical security barriers. This identified the weak areas to focus on from a technical standpoint. It also reminded us to train our developers to think about security in the code they write, test and deploy every day (of course, we upskill our staff on a regular basis and assist with their career progression).
A very interesting outcome of this exercise was a physical security breach into one of our offices. As part of the awareness exercise, we were able to tell this story across the business.
This was well received by our branch managers and staff as part of the security awareness exercise. They were quickly able to relate to the story and the potential damage it could have resulted in.
Over the course of 2017 and 2018, the team focused on protecting our key assets and making all the necessary security improvements (Yes, this will be an ongoing exercise to protect our key assets).
In the last 12 months, while still ensuring that our key assets are protected, we started looking at how we can DETECT any cybersecurity events as early as possible. We have implemented tools to monitor for anomalies in network behaviour. We have also implemented tools to continuously monitor the quality of the code being deployed, and improved monitoring of the overall environment.
In the last 24 months, our business has established a communications team that we can leverage when we have to RESPOND to any incident.
We have recognised that it is important to plan how you will respond during an incident. As we get stronger, our scope now includes the necessary response planning and improved communication.
In the past, businesses focused only on recovering from disasters and would have established the necessary disaster recovery plans with recovery point objectives (RPOs) and recovery time objectives (RTOs). We were no different. However, we have since beefed up our efforts to RECOVER from cybersecurity threats.
Improving our security posture is an ongoing journey at Barfoot & Thompson.
Anil Anna is the IT manager of Barfoot & Thompson, New Zealand's largest privately owned, non-franchised real estate company. He joined Barfoot & Thompson in 2008 as senior analyst IT operations and progressed to his current role, where he is also the 2IC to CIO Simon Casey. He has completed the 'Strategic CIO Programme' from The University of Auckland Business School.