Elizabeth Giugno, head of category - cyber security at Crown Commercial Service (CCS), outlines five key steps to building cyber resilience and strengthening your cyber procurement
Local and central government bodies have seen a significant increase in cyber attacks since the beginning of the pandemic. This is due to the move to home working on insecure networks, and to opportunistic cyber criminals using this to their advantage.
The National Cyber Security Centre (NCSC) is the UK’s technical authority for cyber security incidents. The NCSC’s fourth annual review in November 2020 revealed that 723 incidents had been handled between 1 September 2019 and 31 August 2020, an increase from the average of 602 incidents annually in the previous three years.
These attacks are predominantly ransomware attacks, where cyber criminals use malicious software to block access to computer systems and threaten to release the organisation’s sensitive data unless the ransom is paid.
A cyber attack is hugely detrimental as it can cause loss of data and reputational damage, as well as the cost of recovery to the organisation and the emotional toll on the workforce. Supply chains are also now being targeted by hostile states and cyber criminals, which makes it increasingly difficult for organisations to mitigate and manage risk.
For government bodies, cyber security isn’t only a challenge - it’s an obstacle to digital transformation. The stakes are sky high: hacking public sector information might imperil national security as well as citizens’ trust.
Government attacks are calculated. They’re resourceful. Criminals that target the government’s data, networks and systems are often politically motivated and looking to steal specific information. In the most extreme cases, these people are state-funded, giving them the time and money they need to ensure their efforts are successful.
Five steps to building resilience to cyber attacks and reducing disruption
Building cyber resilience is about strengthening cyber security to increase confidence and ensure that in the event of an attack, not only can organisations continue to operate, but that they will recover quickly. Resilience means continuous, uninterrupted access to data whilst remaining secure and protected.
As threats continue to increase in frequency and sophistication, so must our preventative measures, which should include:
1. Understanding critical assets
The first step to building resilience is having a strong understanding of the organisation's critical assets. These are resources that are fundamental to maintaining operations and achieving the organisation's mission. Ask yourself: if an attack happened today, what impact would it have, and what are your critical assets?
A public sector organisation’s critical assets are often the data it holds, so you also need to know how this will be protected from an attack. Managing back-ups is an essential part of this process - rapid recovery depends on how regularly these back-ups are carried out.
2. Developing an incident response plan
A thorough and detailed incident response plan is crucial to resilience as this will ensure that your organisation can recover quickly from any attack.
An incident response plan collects together the coordinating functions which guide, inform and support the whole response process. It encompasses a number of aspects, including triaging and categorising of an incident through to escalation procedures and core response.
3. Educating employees and creating a strong cyber security culture
Phishing emails, which dupe staff into opening them and so expose the organisation to attack, have become more frequent and sophisticated during the pandemic. This shows the importance of creating a strong cyber security culture.
It is essential that employees understand cyber threats, the potential risk, and their role in mitigating incidents. Educating your employees, increasing awareness and providing strong governance and training can all assist in building cyber resilience.
4. Keeping up to date with emerging cyber threats
New advanced threats are being discovered daily. Resilience also means detecting threats and improving both your understanding of the threat landscape and your threat intelligence. Taking a proactive approach to cyber security is essential in ensuring that organisations are aware of threats, so that methods can be adjusted before those threats affect services.
As threats continue to increase in frequency and sophistication, so must our knowledge and preventative measures.
5. Developing a business continuity disaster recovery plan
All organisations should have sufficient business continuity disaster recovery (BCDR) methods in place to make sure that they can resume normal operations in the event of an attack. The plan should include a complete approach to keeping your team productive during planned or unplanned disruptions such as a cyber attack.
The BCDR plan builds resilience by reducing the risk of data loss and enhancing operations, detailing emergency contacts and key staff.
Steps to strengthening cyber defences through the procurement process
With cyber criminals targeting supply chains, and recent attacks such as SolarWinds, procurement can be an increasing concern for the public sector.
Criminals often target the weakest link within supply chains. It is therefore imperative that the procurement process mitigates these risks.
CCS worked in partnership with the NCSC to develop the Cyber Security Services 3 dynamic purchasing system (DPS). It provides a central route to buy NCSC assured services to help you manage and improve your security function.
The DPS allows you to filter for NCSC assured services, choosing the services and supplier accreditations you need. You can also access suppliers who are not NCSC assured and hold alternative cyber security credentials.
NCSC assured suppliers are recommended for organisations forming part of the UK’s critical national infrastructure, the reason being that by using services offered by NCSC assured suppliers, you can be confident that they meet the National Technical Authority’s standard for high quality.
The NCSC offers assurance for a range of services including consultancy, incident response and penetration testing.
The advantages to using NCSC assured suppliers in managing supply chain risk are that they will have:
- met the NCSC’s standards and can be trusted to act in NCSC’s name;
- a proven track record in delivering high quality consultancy services;
- a defined process for working with customers to understand their needs and tailor advice accordingly;
- demonstrated a clear understanding of current and potential cyber threats and techniques and potential effective mitigations;
- been independently and rigorously assessed;
- shown that they act with integrity, objectivity and proportionality;
- committed to protecting the customer’s confidentiality and integrity and to complying with relevant laws and regulations;
- a commitment to continuously improve the services offered to meet the evolving needs of customers.
One of the biggest supply chain challenges can be a supplier's understanding of, or competence in, cyber security. Accreditation is increasingly important for the public sector in strengthening cyber defences within the procurement process. Buying through a framework such as the Cyber Security Services 3 (CSS3) DPS ensures that your suppliers have had vetting checks such as Cyber Essentials.
Cyber Essentials is a government-backed scheme that allows organisations to carry out a cyber self-assessment and provides an understanding of the organisation’s security levels. This will mean that your supplier has taken steps to safeguard their business against cyber threats, which in turn strengthens cyber defences within your supply chain.
How do you assess the suppliers within your current supply chain?
Supply chain analysis is a service that can assist in identifying and analysing cyber risks already within your supply chain. A supplier will carry out an assessment and then build assurance activities into your supply chain management. Supply chain analysis can be procured through the Cyber Security Services 3 DPS.
Find out more: The Cyber Security Services 3 dynamic purchasing system (DPS) is the only route to market for NCSC-assured services, covering a wide range of cyber services. All suppliers have Cyber Essentials as a minimum and other accreditations can be selected using the filtering options. To learn more, visit our Cyber Security Services 3 page or contact the team