Combating cyber warfare is all down to preparation
During a cyber security incident, people are acting under stressful conditions and are “not at their prime”, which does not bode well for crisis or incident management. It is not an ideal time to test out capabilities, strengths or weak points.
Lisa Forte, founder of the UK's Red Goat Cyber Security, emphasised the importance of preparation in her keynote address at the ITWeb Security Summit 2021.
Forte is an expert in social engineering, insider threats and helping large companies rehearse for a cyber attack, and was named one of the Top 100 Women in Tech.
“During an incident, things are not calm. Things are moving at a pace, so it’s really not the time to find out what dependencies you have in your system, or what major issues you have in your infrastructure, or what data you have and where that data is. This is not the time to figure that out, you need to figure that out before it happens,” said Forte.
But having a plan in place is not enough, Forte added. “We need to actually exercise those plans, we need to practise them and drill them. By practising how things work, who we call, when we call them, how we work as a team, what decisions need making when, we’ve actually drilled the process, so if it does happen, a lot of that can be sort of muscle-memory… because we’ve got to be making decisions and that is how we survive any incident – to keep making positive decisions.”
Another weak link in the digital armour protecting organisations is the lack of redundancy built into their protection and business continuity strategies, according to Forte.
“A lot of the times when I am working with companies, one thing that I realise is that everything is down one trail of thought, one plan and there’s no redundancy built in. So, for example, something really important like the plan, like the playbooks for an incident aren’t printed off. So if you can’t access the network, you can’t access the decision tree and the plan that you’ve written that’s now on the network, so you’ve got no backup, no way of achieving that goal through a different set of processes. And that is why we need redundancy.”
Forte emphasises that there is no silver bullet in the cyber world, and that this includes redundancy and the deployment of redundant systems.
Organisations cannot simply build layer upon layer of redundancy and expect all problems to disappear. “As you build more and more redundant systems, you add complexity, you add more complicated infrastructure and systems, and that can also have plenty of issues that can go wrong. You’ve got more components that need to be checked, components that need to be maintained, need to be installed correctly; you need to monitor how they are running.”
Forte says research shows that redundancy actually increases risk-taking.
“This may not come as a surprise to you, but if we feel we have some failsafe, we are more likely to take risks, when, if we didn’t, perhaps we would be more cautious.”