Your Cyber Security Crisis Isn’t Going Away (And More Lessons from Our Recent Talk in London)
With a ruthless threatscape encroaching, is it possible the UK is facing a kind of cybercrime crisis? It’s not just another bold headline, but a likely prediction for things to come, our analysts say.
Perhaps ‘crisis’ is too strong in describing the emergence of cybercrime as an industry. But words like ‘anxious’ seem to fit effortlessly into security conversations. As analysts, security leaders and more investigate instances of cybercrime, the lessons we can learn have enough practical wisdom to change how we protect our businesses for the better.
CSI Talks to London About Cyber Security
BANK, LONDON – The famous silhouette of St Paul’s Cathedral is visible from the windowpanes, rising above the bustle of London’s lunchtime rush. On the upper floor, in a private suite in the F1 Arcade – a destination for motorsport enthusiasts – CSI had gathered influential speakers from across the cyber security industry.
Customers and existing clients were engaged in lively talks (including gripping war stories), insights, and a panellist session that covered everything from highly relevant themes (cyber insurance and Zero Trust architecture) down to the specific technical controls that can keep businesses protected (think Multi Factor Authentication, for example).
Some of the more alarming headlines about cyber security might feel too far away to impact your business right now. The thought of cyberwarfare, never more relevant than in our contemporary moment, is an obvious case where cyber security issues may become more persistent. Even if only as a casualty of rising geopolitical tensions, a business can be impacted by the rise in breaches caused by cyberwarfare. But this is one example – out of many – where cyber security should be approached cautiously and with every effort to advance a business’ line of defence.
But headlines alone are seemingly not enough to change our behaviour towards cyber risk. Fear is a powerful tool, but it can just as easily blur the practical lessons that a business might want to use as fuel in its decision making around cyber security tooling. The art of storytelling, however, is accessible and empowering. Our time in London was an invaluable opportunity to engage an audience on their rich experiences with cyber security subjects so far.
Here are the three keystone takeaways from our London event in September 2023:
01) The Cyber Insurance Market Is ‘Hardening’
Nowadays, the most sensible security advice more often involves a holistic approach that looks at preventive controls and contingency planning for the eventuality of a breach. A breach is daunting, costly, and highly disruptive. With cybercrime as a tangible threat that everyone faces, offsetting this risk is often one of the first questions a boardroom will seek to answer. The obvious conclusion: cyber insurance.
In 2023, businesses may have noticed a shift in the cyber insurance market with lockouts or inflating premiums all impacting the reality of your risk coverage. Analysts have started to characterise the state of the market as a kind of ‘hardening’, which means brokers are increasingly hesitant to cover cyber security risks during a time when breaches are on the rise.
As businesses turn to solutions across the cyber security space, market confusion, an abundance of tools and a shift to software (and away from hardware) are causing a kind of paradox of choice, where buying decisions are critical and urgent but more often delayed.
For a brief period, risk was transferred into cyber insurance, which quickly became an ineffective management tool for cybercrime. Whilst it is not clear to every business, cyber insurance is not the same as an effective security control. Cyber insurance will continue to be an invaluable guarantee for many businesses, especially those where contingencies will compensate for a margin of the costs of a breach. But forecasting the state of cyber security in the near future, businesses need to plan insurance and security controls as separate assets in their arsenal against ransomware and other miscellaneous cyberattacks.
02) Cyber Security Is a Discipline
A business’ everyday security capability is not, metaphorically speaking, the same as a military operation. Nor will it be built like a fortress, capable of deterring, managing, and hunting down threats with the impressive firepower of the MoD (Ministry of Defence). But your security can learn from how the military operates.
Across a series of gripping dilemmas, Dave Woodfine, a decorated ex-Royal Air Force Senior Officer, illustrated to our audience how security is a discipline. Increasingly, security analysts are encouraging businesses to see security as greater than the sum of products they consume each year. Security is equal parts mindset, experience, and technical expertise.
In a provocative opening question, the former GCHQ adviser, Dave, hangs the audience’s attention on the startling thought: what happens when it all goes wrong? Ask any modern CISO (Chief Information Security Officer) and, even if reluctantly, they will understand how easily things can, in fact, go wrong.
War stories are often more than spectacle: they uniquely teach audiences from past experiences. In the context of a breach, a costly human error, a suspicious email intrusion, or some other security vulnerability, storytelling is a powerful resource, especially when an audience can learn from a cautionary tale. One such story, Dave recalls, involved a dedicated attack down a supply chain, weakening multiple businesses at once. This is nothing new. Since at least 2022, headlines have indicated the rise in attacks against MSPs (Managed Services Providers), where hackers are looking for the next ‘Achilles Heel’ in an enterprise.
Rich with lessons, storytelling, be it from the news, peers, or specialists sharing their insights, has taught businesses that cybercriminals are getting more creative with every passing year.
03) What Do Zero Trust and a Billboard Have in Common?
The Zero Trust method, which at times feels more like a wishful security philosophy than a practical solution, is a popular talking point amongst businesses right now. When our experts demystified Zero Trust Architecture, they discovered how its meaning, often too ambiguous to pin down, is causing a challenge for businesses when they want to invest in holistic security solutions.
This is where Zero Trust starts to feel as insightful as a billboard advertisement. Zero Trust has nothing to do with the waxy beachscapes and cashmere sands of escapist advertising that sells a dream from the side of the road.
Simplified, Zero Trust is a new phrase for an old technique: trust no-one, verify, repeat. When building cyber security solutions, this means using least privilege for access across your systems. If nothing else, decision makers should interrogate their security solutions to ensure that they are not led by misguided assumptions. Even if it is a thought exercise, acknowledging how easily a breach can occur can change your organisation’s mindset about security for the better.
Is There a Cybersecurity Crisis in the UK?
A condensed history of cybercrime would reveal an alarming pattern where criminals, and the sophistication of their attacks, are increasingly effective. The ‘industry’ of cybercrime is both scalable (in the volume of attacks) and aggressively profitable, where companies are forced into costly payouts and ransoms. Businesses should exercise caution when strategising their plans to combat cybercrime activity.
But is the safety of the UK’s critical infrastructure at risk any more than other countries?
In 2023, the UK Parliament released a statement that captures the unique pressures of UK PLC amidst a widening threat landscape. According to that statement, the UK ranks third amongst the most attacked countries in the world right now, just behind Ukraine and the United States. Since Russia’s aggressive Ukraine campaign, all degrees of cyber-attacks (including state-sponsored and non-state actors) have become increasingly prolific. The subtext of this Parliamentary comment, tactically issued during Cyber Security Awareness Month, is that the UK’s Critical National Infrastructure (CNI) is at particular risk.
After the effective breach of the Electoral Commission, the UK’s high alert to cybercrime continues to be a priority not only for the wider public consciousness, but deep into how businesses operate. By 2030, the “whole public sector” including government entities will need to improve their resilience to digital threats of all kinds.
As threats rapidly evolve and scale, the UK is bracing itself for a decade of substantial change in the cyber security space. Resiliency, both in practice and theory, has the power to blunt many of today’s attacks. Proactive, comprehensive planning can even help expedite the road to recovery in the aftermath of an event. What does this mean for your business? Business continuity rests on your ability to manage disasters of all kinds, whether that’s human error or a cyberattack.
As the lessons learned from our security event show, CSI is aware of the unique pace of change in this space. Today, cyber insurance lockouts might be the biggest inconvenience, whereas tomorrow’s challenges are likely to include artificial intelligence and the likes of ransomware innovation.
Security By Default with CSI
Whether you need a discovery session to identify your largest vulnerabilities, or your toolchain is missing an important piece, we can help. For a no-obligation chat with one of our security specialists, get in touch today.