This guide is intended for senior technologists and tech-aware execs in small and medium size firms, especially rapidly scaling startups. It’s not meant for very large businesses or security professionals, and it’s certainly not meant to replace their advice.
A sad truth of the internet age is that it’s almost as easy to start hacking a business as it is to order Sharpies on Amazon. Any part of your business that is exposed online — even if it’s only an email address — is not just a target for attackers, but is almost certainly being attacked already.
Fortunately, these attacks are a little bit like bacteria — mostly harmless and often quite good for you in moderation. This cyber-security background noise should encourage our companies to develop healthy cyber-immune systems.
But, also like bacteria, some attacks are decidedly harmful and pose a significant threat to our business health. The intention of this guide is to introduce a sensible, moderate approach to staying healthy in a scary world.
Good security is grounded in good risk management
The foundations for all good, measured, cyber security are grounded in good risk management. If you’ve not come across standards for risk management, you can think about it this way: the purpose of risk management is the protection of value at appropriate cost.
Your company’s approach to cyber security should be an extension of your overall risk management process, rather than something which happens in isolation within the technical team. If you don’t have a risk management process, don’t worry — we’ll introduce some of those concepts in this article.
Risk management used to be perceived as dry, bureaucratic and the preserve of big organisations. However, establishing some simple processes — a risk register and a quarterly risk review with the management team — are all it takes to get started on your journey.
Importantly, technology risks only comprise a part of this process and should sit alongside other risks, like loss of key staff, key customers or economic downturns. This gives a forum for an executive team to compare different types of risk side by side.
We sometimes claim that the best way to keep a business safe from cyber threats is to lock all your data in a safe and drop it in the deep ocean. That might be safer than storing it on AWS, but it’s likely to be quite an obstacle to doing business. In most companies cyber security spending is too low, but the opposite can also be true: sometimes security provisions can be onerous to the point of preventing profitability. Compromise is the name of the game, and good risk management is the best way to get this balance right, setting the scene for appropriate controls against technology threats.
Why Cyber risk isn’t really Cyber at all.
One of the problems of high profile cyber attacks is that they unduly focus executive attention on external technology threats and ‘the cloud’. In reality the risks are often more mundane — email phishing, misconfiguration and supply chain risk are increasingly the most common routes for businesses to suffer losses. People, not technology, are normally at the heart of these risks.
Looking at the fastest growing threats, Symantec have claimed that supply chain attacks (where your business is exposed to risk through a partner or supplier), have increased by 78% in 2018 over the previous year. Much of the ‘how-to’ section of this document focuses on managing supply chain risk, by extending good internal practices to your suppliers.
It’s been claimed that 90% of all cloud-based security issues were due to misconfiguration, the root cause nearly always being a case of human error on the company’s side, which highlights the importance of reviews and change control for configuration changes.
Finally, it’s also claimed by Proofpoint that more than 99% of cyber-attacks rely on human interaction, with criminals turning to fraudulent emails, credential theft and uploading malicious attachments, methods which are easier and more profitable than the type of targeted, ‘hacking’ attempt we see glamourised in films. Business Email Compromise (BEC) is on the rise — a Toyota subsidiary recently lost £30m to a scam directing payments to be made via nothing more secure than email.
Given this threat landscape — exploitation of commonplace tech like email, mistakes made in configurations, and the expanding scope of supplier risk — we put together this guide to explain and help you address the most common risks to your business.
What’s appropriate for your business?
New startups and small businesses
If you’re a brand new business, or an established business with fewer than 10 staff, compliance and enterprise risk can seem like a distant worry. Even so, you should consider how you take and store any data from customers (especially if you’re based in, or trade in, Europe where you’re required to meet the GDPR standards). You should also think about how you give contractors, suppliers or temporary staff access to your systems.
The UK government’s Cyber Essentials certification is a great start for any small business, regardless of which country you’re based in. This is a checklist of good practices related to tech throughout your business which is a baby-step towards the full ISO27001 information security standard. The basic Cyber Essentials certification can normally be achieved in 1–3 months.
If you are building your own applications you should follow existing guides from industry experts. For example, Amazon’s guide to cloud infrastructure patterns, AWS Well-Architected, and Microsoft’s Secure Development Lifecycle guidelines are both highly regarded. These patterns will make your life much easier as you scale and give your team a clear set of well established playbooks to crib from.
Established Startups, Scale-ups and SMEs
For businesses with significant investment, customer information, revenue or an established brand you should definitely be meeting the recommendations for small businesses (as above). In addition, you should follow the playbooks in this article around supply chain and cloud best practices to help secure your business.
If you are in a regulated industry or are a B2B company selling to enterprise clients, we strongly recommend you consider making a commitment to achieve ISO27001 certification. Companies selling to enterprise clients (and startups seeking investment) are regularly subjected to external technology audits. Achieving ISO27001 certification puts you in a very good position to sail through these otherwise time-consuming exercises.
Larger Organisations, or high compliance industries
This guide really isn’t aimed at you if you’re in a large organisation — you should have well developed risk and information security functions that support your organisation, but we hope that this article will give you a few discussion points to raise with those teams.
The types of risks you’ll face
The number of creative ways in which threats can damage your business is almost beyond counting, but they fall into a small number of overarching types:
- The inability to trade or transact
- Brand and Reputation damage
- Data Breach
- Data Leakage
Let’s look at these in detail, with examples of how these might impact your business to give you a background into why it’s important to have a process to mitigate these risks.
The inability to trade or transact
Perhaps the most concerning category, these risks could stop you conducting business.
Physical failure of infrastructure
Your office or datacentre (even if it’s in the cloud) is destroyed by a natural disaster.
Malicious destruction of systems or data
A hacker or disgruntled member of staff alters code, damages servers or deletes databases.
Distributed Denial of Service (DDoS)
An external organised crime group floods your website/app with traffic and demands that you pay a fee to stop the attack.
A hacker uses a virus to encrypt sensitive data on your critical systems and demands a ransom to make the data available again.
Key staff are unavailable to perform essential tasks
A key member of staff leaves your business (either through illness or exiting to another role) without passing on the knowledge of how to perform critical tasks.
Brand & Reputation
Often not considered by technology teams, brand and reputation threats are some of the most damaging to a business. Establishing trust with customers takes time and effort, and these types of threats can destroy that trust overnight.
A ‘hacktivist’ group of technologists who disagree with you doing business with one of your major clients replaces your homepage with political slogans.
A disgruntled former employee with access to your company Twitter account starts tweeting libelous accusations at executives.
Data Breach
Data breaches are malicious leaks of data from your organisation. These are typically very public, and therefore very damaging. Data breaches can go undiscovered (or unreported) for a significant amount of time, as the bad actors responsible for the breach continue to access and extract the data. The most damaging part of the breach for your organisation is most often the reputational impact of the breach.
A massive leak of customer data
You are targeted by a foreign organised crime group with the ambition of using your data for further criminal activities. After accessing your systems and copying your customer data, they use this to commit identity fraud at large scale. After several months, they begin to sell this information to other groups, at which point it is publicly posted online (long after the initial breach).
Data Leakage
A slow drip of value from the organisation, this type of threat is often not malicious but rather enabled by poor control of company data. For instance, many staff believe that they can take some information with them after they leave the business. Whether this is only some sales contacts from a CRM, or the Colonel’s recipe for secret spices, intellectual property theft from the organisation is common and often poorly controlled.
External services with insecure passwords (Shadow IT)
Members of your marketing team sign up for their own services, creating an account on a popular marketing tool without the knowledge of tech administrators. They create the account with their shared email address, ‘email@example.com’ and the password ‘password’, and then share this with other users in the company. Within a few days this account is hijacked by an automated ‘bot’ that looks for poorly secured accounts on popular services.
Ex-employees with access to systems
Employees continue to access their online HR system, despite having left the company months before. They are able to see details about themselves, their manager and the company structure.
Social Engineering / Phishing
Staff in the finance team receive an email from the CEO, resulting in a large payment being made to a supplier. The email contains details of a new bank account, which happens to belong to a hacker. The CEO, of course, didn’t send the email.
How to stay secure — a playbook for technical leaders in small businesses.
Information Security risk should be based on sound enterprise risk management (ERM)
The eight risk management principles listed in the ISO 31000 guidelines are sensible, easy to understand and make a great background to consider your approach to enterprise risk. They are:
- The framework and processes should be customised and proportionate.
- Appropriate and timely involvement of stakeholders is necessary.
- A structured and comprehensive approach is required.
- Risk management is an integral part of all organisational activities.
- Risk management anticipates, detects, acknowledges and responds to changes.
- Risk management explicitly considers any limitations of available information.
- Human and cultural factors influence all aspects of risk management.
- Risk management is continually improved through learning and experience.
The first five principles are concerned with the design and planning of risk management, often summarised as proportionate, aligned, comprehensive, embedded and dynamic (PACED). Each of these principles applies seamlessly to information security risk management.
It all gets a bit technical after this point, so feel free to skip to the end if you’ve got someone technical to take care of the details for you…
Playbook — Managing Your Partners and Suppliers
This section lists a number of high level controls to help control your supply chain, and is aimed at technical administrators. It isn’t meant as a full set of security controls and you should reach out to security professionals when creating your own standards if you are at all unsure.
Establishing your controls
- Decide on a framework for managing risk. Where possible, you should look to take an existing standard and modify it to fit your business, rather than creating your own from scratch. For example, look at ISO 31000 for overall risk management, or OCTAVE Allegro for cyber risk.
- Gather a list of all your current suppliers and partners. This can range from companies providing staff and support to your business (like outsourced software development or contractors) to pure services providers, like Salesforce, Microsoft or Amazon Web Services.
- Categorise suppliers by the types of risk they may pose. This can follow standard enterprise risk practice (eg an Impact/Likelihood matrix), which will establish a priority of high and low risk suppliers.
- Document necessary actions for each supplier category, for instance:
  - All suppliers: contracts and owners documented
  - Low risk: self-assessment risk questionnaire
  - High risk: on-site audit
  - Critical risk: full incognito red-team assessment
- Establish a supplier register, ensure that a process exists to add new suppliers to it, and schedule a quarterly review of the register in a shared calendar.
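As an added example (not part of the original article), here is a minimal supplier register in Python that scores each supplier on the Impact/Likelihood matrix, maps the score to the categories and actions listed above, and flags suppliers whose quarterly review is overdue. The tier cut-offs, the 91-day review interval and the sample suppliers are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Tiers on an Impact x Likelihood matrix (each scored 1-5, product 1-25), highest threshold first.
# The cut-offs are an assumption for this example; align them with your own risk appetite.
TIERS = ((20, "critical"), (12, "high"), (1, "low"))

# Required actions per category, taken from the playbook above; "all" applies to every supplier.
ACTIONS = {
    "all": ["contracts and owners documented"],
    "low": ["self-assessment risk questionnaire"],
    "high": ["on-site audit"],
    "critical": ["full incognito red-team assessment"],
}
REVIEW_INTERVAL = timedelta(days=91)  # the quarterly review of the register


@dataclass
class Supplier:
    name: str
    impact: int        # 1 (negligible) .. 5 (could stop you trading)
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    owner: str         # the person accountable for this supplier relationship
    last_reviewed: date | None = None  # None means the supplier has never been reviewed

    def score(self) -> int:
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.name}: impact and likelihood must be scored 1..5")
        return self.impact * self.likelihood

    def tier(self) -> str:
        s = self.score()
        return next(name for threshold, name in TIERS if s >= threshold)

    def required_actions(self) -> list[str]:
        return ACTIONS["all"] + ACTIONS[self.tier()]

    def review_due(self, today: date) -> bool:
        return self.last_reviewed is None or today - self.last_reviewed >= REVIEW_INTERVAL


def register_report(suppliers: list[Supplier], today: date) -> list[dict]:
    """One row per supplier, highest risk first, with its tier, actions and review status."""
    return [{"name": s.name, "owner": s.owner, "tier": s.tier(),
             "actions": s.required_actions(), "review_due": s.review_due(today)}
            for s in sorted(suppliers, key=lambda s: -s.score())]


# Constructed sample register and review date.
TODAY = date(2020, 1, 15)
SAMPLE_REGISTER = [
    Supplier("Payroll SaaS", impact=4, likelihood=3, owner="finance", last_reviewed=date(2019, 9, 1)),
    Supplier("Cloud hosting", impact=5, likelihood=4, owner="cto", last_reviewed=date(2019, 12, 1)),
    Supplier("Swag printer", impact=1, likelihood=2, owner="marketing"),
]

def demo_report() -> list[dict]:
    return register_report(SAMPLE_REGISTER, TODAY)

if __name__ == "__main__":
    for row in demo_report():
        print(f"{row['name']:<14} {row['tier']:<9} {'REVIEW OVERDUE' if row['review_due'] else 'ok':<15} {', '.join(row['actions'])}")
```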
Before engaging a supplier
- Use Google VSAQ or an equivalent Vendor Security Assessment Questionnaire to establish and record baseline compliance and security.
- Take references. Depending on risk levels this can be in person/on-premise
- Establish an Information Security Management System (ISMS) following the ISO27001 standard. The ISMS is the set of processes and controls through which you manage information security. You can additionally automate the ISMS with a product like Eramba.
- Consider suppliers against a risk profile: identify risks, analyse risks and evaluate risks that may be encountered with this supplier. If you’re unsure how to evaluate the risk, Investors in Risk management have released a useful practical guide.
- Agree the internal controls needed to balance the risks introduced by selecting a supplier.
- Establish a digital chain of custody for data that may flow between organisations. How can data be controlled and verified as accurate? What steps need to be taken before allowing a third party access to data (eg anonymisation)?
During a supplier relationship
- Schedule reviews of supplier engagement points and controls
- Clearly enforce change management with suppliers — make sure that changes cannot be made by simply sending an email. Secure tools with clear logging of workflow must be used for change approval. No approval should ever be granted or accepted via email or non-official medium (eg Whatsapp, Slack).
- Prevent suppliers from accessing production systems wherever possible
- Enforce time limited / break glass access where necessary to administrator privilege levels
- Ensure Role Based Access Control (RBAC) and the rule of least privilege are enforced when giving access to supplier accounts.
- Ensure that RBAC and the rule of least privilege are enforced by your supplier with their own staff (and suppliers) and ask for evidence of how this is maintained.
- Establish secure, easy to use lines of communication between yourself and the supplier. Email should not be used for approvals or information sharing. Secure transmission of shared information (eg via Sharepoint Online) should be preferred to plain-text communication, which can be forwarded freely.
- Never allow shared privileged accounts (eg ‘admin’ or ‘root’). Always ensure that employees log in to systems with unique and identifiable accounts. Ensure that suppliers follow this policy and are able to demonstrate this through logs for audit purposes.
Outsourcing in Regulated Industries
Regulated industries, like finance and healthcare, have their own requirements. For example, in Europe the banking regulations were updated in 2018 with additional guidance on outsourcing. MiFID II is the specific set of guidelines which European financial institutions need to follow if they are subject to regulation.
As an example, starting a challenger bank in Europe faces many of the same challenges that any other well funded startup does, but with potentially greater impacts from insufficient security controls. The regulations are therefore a consequence of this greater risk profile.
Fortunately, much of the same guidance applies in highly regulated industries as elsewhere, with a simple requirement that this is better documented and evident than in more loosely regulated industries.
Typically, guidance requires that:
- there is effective day-to-day management in the organisation
- there is effective oversight of the supplier from the organisation
- there is a sound outsourcing policy and outsourcing processes
- the organisation has an effective control framework which extends to their outsourced functions
- there is a good risk management framework inside the organisation: all the risks associated with outsourcing important functions are identified, assessed, monitored, managed, reported and mitigated appropriately
- there are appropriate plans for exit from important outsourcing arrangements
- competent authorities remain able to effectively supervise institutions and payment institutions, including outsourced functions
- outsourcing to service providers in countries with different regulatory controls is subject to additional safeguards
Outsourcing in ISO 27001
For most businesses we work with, we recommend a path of compliance which starts with the UK government’s Cyber Essentials scheme, and progresses towards the ISO 27001 information security management standard. This standard is extremely useful when selling to large enterprise customers to demonstrate a mature approach to information security, and contains most of the recommendations in this article.
ISO 27001 also defines five controls for Supplier Relationships. Based on these controls, third party compliance can be checked in 5 steps:
- an information security policy for suppliers exists that addresses the controls to be implemented which mitigate risks associated with the vendor.
- the supplier has signed a contractual agreement which clearly establishes the details of the relationship and expectations of both parties
- requirements exist to address information security risks (eg monitoring, change approval, data sharing).
- suppliers are monitored, reviewed and audited regularly.
- the supplier relationship receives constant attention, with regular updates, feedback and audit where appropriate.
Playbook — Managing risk in the cloud
Most small businesses use the cloud extensively. This section represents some high level controls which can be implemented in a business of any size when considering how to secure a cloud environment.
- Always follow good cloud design principles like AWS Well-Architected or the Azure Application Architecture Guide. Don’t be tempted to do your own thing unless you’re well funded and REALLY know what you’re doing.
- Use the (tongue-twisting) Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a baseline for security controls. This matrix is a superset of many popular security and compliance standards (like ISO27001, HIPAA, MiFID II etc), and has a very thorough set of controls that extends across the organisation.
- Never trust, always verify; the cloud lends itself well to highly automated controls and verifications. Wherever possible, design for zero trust and full automation.
- Automate compliance checks wherever possible (for example with Chef InSpec and SonarQube’s OWASP security plugin).
- Ensure that software-defined networks and infrastructure are fully change controlled through their orchestration tooling, for example Terraform or AWS CloudFormation.
- Ensure that suppliers document and audit all software dependencies that they are critically reliant upon. Where this includes open source libraries, ensure that these are audited for vulnerabilities (eg, through static code analysis). Ask them to prove it.
- CVE and NIST Vulnerability Databases can be very useful to check for software vulnerabilities, but provide very little information on open-source vulnerabilities. Use tools like OWASP Dependency Check to audit code for vulnerabilities.
- Cloud root/admin accounts should be vaulted and only used in emergencies (if a supplier requires administrative access, determine in advance how this will be managed).
- Use Azure and AWS tools like AWS Security Hub and Azure Compliance Manager
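To show how three of the access controls in this article (no shared privileged accounts and time-limited break-glass access from the supplier playbook, vaulted root accounts from the cloud playbook) can be verified from logs rather than trusted on paper, here is an added Python example, not code from the original article or from any vendor. It audits a handful of constructed CloudTrail-style events (CloudTrail’s field names, invented values); the BreakGlassAdmin role name, the ten-minute shared-account window and the approval record are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events: the field names are CloudTrail's, the values are invented.
EVENTS = [
    {"eventTime": "2020-01-15T08:01:10Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2020-01-15T08:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ops-shared"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2020-01-15T08:05:30Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-shared"}, "sourceIPAddress": "192.0.2.44"},
    {"eventTime": "2020-01-15T09:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/BreakGlassAdmin"}},
    {"eventTime": "2020-01-15T13:30:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.44",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/BreakGlassAdmin"}},
]

# Approved break-glass windows exported from your change tool: ticket -> (user, start, end). Constructed.
BREAK_GLASS_APPROVALS = {
    "CHG-1042": ("alice", datetime(2020, 1, 15, 8, 30), datetime(2020, 1, 15, 10, 30)),
}
BREAK_GLASS_ROLE = "BreakGlassAdmin"          # hypothetical name of the time-limited admin role
SHARED_ACCOUNT_WINDOW = timedelta(minutes=10)  # one user seen from two addresses this close together looks shared


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def audit(events, approvals, window=SHARED_ACCOUNT_WINDOW):
    """Return (kind, who, detail, time) findings for root use, shared accounts and unapproved break glass."""
    findings = []
    seen = defaultdict(list)  # userName -> [(time, sourceIP)] already observed
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        t = parse_time(e["eventTime"])
        ident = e["userIdentity"]
        ip = e["sourceIPAddress"]
        # 1. The root account should be vaulted: any activity at all is a finding to explain.
        if ident.get("type") == "Root":
            findings.append(("root-used", "root", e["eventName"], t))
            continue
        user = ident.get("userName", "unknown")
        # 2. Shared account: the same identity active from different addresses within the window.
        if any(prev_ip != ip and t - prev_t <= window for prev_t, prev_ip in seen[user]):
            findings.append(("shared-account", user, ip, t))
        seen[user].append((t, ip))
        # 3. Break glass: assuming the privileged role needs an approval covering this user and time.
        role = e.get("requestParameters", {}).get("roleArn", "")
        if e["eventName"] == "AssumeRole" and role.endswith("/" + BREAK_GLASS_ROLE):
            approved = any(u == user and start <= t <= end for u, start, end in approvals.values())
            if not approved:
                findings.append(("unapproved-break-glass", user, role, t))
    return findings


if __name__ == "__main__":
    for kind, who, detail, when in audit(EVENTS, BREAK_GLASS_APPROVALS):
        print(f"{when:%H:%M:%S} {kind:<24} {who:<12} {detail}")
```

Run against the sample events it reports the root console login, the ‘ops-shared’ account used from two addresses within three minutes, and bob’s break-glass assumption with no approval covering it, while alice’s approved window passes clean.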
Regardless of how much value your business creates, the internet provides an unparalleled route for that value to be destroyed. Good risk management protects the value that you create, and extends to how we manage the technology and cyber risks in our businesses.
Maintaining security is a never-ending task for businesses, but following well adopted and mature frameworks like ISO 27001, Cyber Essentials and ISO 31000 can make the process easier for your business and signal to your customers, partners and investors that you’re taking security seriously.
Huge thanks to my friend, partner CTO at Ridley Industries and co-contributor, Marcus Corner for his input into this article and cloud expertise.