Straightforward Cyber Security

Below are answers to the questions asked during the webinar.

Q: Getting board buy-in is a significant challenge for me, it feels like we need to evidence return on initially small investments before asking for more budget. Is this the right approach, and is it easy to show ROI on a smaller or standalone purchase? Evidencing ROI seems difficult given the binary nature of cyber security: if we don’t suffer a breach then it’s great (and we may not need more budget), if we were to suffer a breach, then there would be questions about what we’d done before…

A: Start with smaller, well-defined projects to reduce risk, and make sure you clearly articulate the benefits of these projects. Build your business case, including the impact cost of the risk and the mitigation cost of the project. Set timescales for when the board will see the benefit, and engage positively with them. Make sure you follow up as you start seeing benefits, so the board is more likely to trust you with investment in the future. Use content and advice from a third-party subject matter expert, as it will give your business case a bit of weight.

Q: You mentioned approaching the Board with the question “How much would you pay to get service back?” Great question, but I know the response will be “How long would we be without it?” in order for them even to consider a response.

If a ransomware attack were to occur, and access was denied to critical systems, how long would you anticipate it would take to get that access back?

A: You’ll have to assume that if you don’t pay a ransom, you’ll never gain access to the critical function as it was. You might be able to restore from a backup, but how long that will take is a bit like asking ‘how long is a piece of string?’, as it’s very dependent on how robust your backup and recovery process is.

So you’d ask things like ‘how practised is your backup and recovery process?’ and ‘do you have a backup and recovery process?’

How quickly you can back up and recover will depend on the processes you have in place, so only each individual business can answer that. But I think it’s definitely worth considering, and a very good question to ask.

Q: You talked about user misadventure. What did you mean by that?

A: User misadventure is a broad definition for disruption that’s caused by a legitimate user. This can be through coercion; through influence by social engineering, phishing or business email compromise; or through simple human error.

Q: How do you know what you should focus on to get board buy-in?

A: Every network is different, but every network has vulnerabilities and access points. So you’ll need to understand what those vulnerabilities are and assess the risk they represent to your business.

Think about how close they are to your critical function. For example, administrators of a critical function might be using desktop assets to access that critical function, so securing that desktop is critical, and monitoring activity on that desktop or from that user is equally critical. So you might want to start there. But it will be different for each business. We can always help you figure out what your priorities would be.

Q: How often should I be testing our cyber security response? And what does a good test look like?

A: A good test should be carried out by an external subject matter expert to make sure it’s carried out properly. It should include risk owners, system owners, resolver groups and security providers (where possible), and it would also be good to involve board members. The test should be driven by scenarios that are relevant to your organisation, and lessons should absolutely be recorded accurately. There should be no negativity when it comes to any gaps and vulnerabilities you expose; instead, the business should see these as opportunities to mitigate and strengthen.

Realistically, most organisations don’t have the bandwidth to conduct these tests monthly (or sometimes even quarterly). But you should test at least half-yearly without board participation, and certainly annually with board participation.

Want to get in touch about improving your own cyber security?