Last month the UK Financial Authorities and CREST launched the CBEST framework, a guideline that will help financial services organisations in the UK better measure their readiness to deal with today’s cyber threats. By incorporating threat intelligence and testing methodologies, and by mitigating the risk to participating organisations through the accreditation of security professionals, the framework has the potential to genuinely help organisations evaluate and improve their defences.
Earlier this year, research by the Economist Intelligence Unit (EIU), carried out in conjunction with Arbor, examined how prepared organisations are to deal with cyber security incidents. The survey component of that research drew responses from 360 individuals in 19 industries from around the world, with nearly half of respondents representing organisations with revenues greater than $500M.
The report revealed that the top way in which participant organisations felt they could improve their preparedness was by gaining a better understanding of the threats they face. Raising awareness of existing preparations across the company, and testing those preparations against an incident, came in second and third. What is interesting is that the goals of CBEST map closely to these three factors.
By using the CBEST framework, financial organisations will be able to take a step forward in their security, and it should also help management teams better understand the threats they face. Gaining a better understanding of the threats that are out there is becoming increasingly important for everyone within an organisation, from board level down. The threat space is complex: malware, APTs, DDoS attacks, insider misuse and abuse, and more all have to be considered, and having up-to-date information on the methodologies and infrastructure being used by cyber-criminals can help us protect ourselves.
Because of this, selecting suppliers and integrators who have broad visibility of what is going on, the research capability to refine collected data into useful intelligence, and the willingness to share that intelligence with their customers is key. Threat analysis skills are in short supply, and drawing on the broader visibility and specialist skill sets available within our partners and suppliers can be a valuable way of supporting internal resources.
Dealing with today’s threats is not just about buying products and services, though; it is also about putting the right people and processes in place. The EIU research mentioned above indicated that only 17 per cent of business leaders felt fully prepared for a cyber-security incident, with over a third of firms having no incident response plan or team in place.
Implementing incident-handling processes requires co-ordination across multiple departments within an organisation, and can even require interfaces to external teams where specialist skills are needed. Successfully putting these processes and resources in place requires organisations both to invest appropriately and to empower the relevant personnel to work across the business. Organisations need to understand the threat landscape at C-suite level to ensure this happens.
Once in place, incident-handling plans need to be regularly reviewed and tested; however, Arbor’s World-Wide Infrastructure Security Report found that in 2013 over half of participant organisations never tested their incident-handling plans. This is a key issue: people and technologies change, and incident-handling plans must keep pace with them.
As cyber-attacks continue to grow in size, frequency and complexity, everyone should be looking to develop better defences. For financial services organisations, which are key to the UK economy, the CBEST framework offers mechanisms to assess and improve security, a valuable step forward.
By Darren Anstee, Director of Solutions Architects, Arbor Networks