ISF: Businesses need 'cyber resiliency'

Data protection

With 100 per cent security just an unachievable dream, organisations must embed cyber resiliency within their organisation, the Information Security Forum (ISF) urged today.

In doing so, companies need to look at how to prepare for the unforeseen, alongside integrating strategies for information sharing in post-breach scenarios, the ISF said.

"There is going to be a range of attacks you can't protect yourself from," said ISF chief executive Michael de Crespigny during a press briefing this morning. "We've concluded the real issue is to create cyber resiliency.

Security as a concept isn't owned by IT

"It's not about more control, not about more cost, it is about anticipation of unpredictability."

It is hugely difficult to predict how the threat landscape will evolve in the future, de Crespigny added, pointing to Anonymous' tactic of recruiting unwitting Twitter users into a distributed denial of service (DDoS) attack last week by simply posting links.

The hacktivist group embedded JavaScript into specially-crafted sites, which would have visitors repeatedly attempt to access a targeted website, thereby including them in a DDoS attack.

Essential collaboration

"Organisations must embrace uncertainty and develop resiliency. It's essential to collaborate and share information," de Crespigny added. "You can't act alone."

As an example of how effective collaboration could be enacted, the ISF CEO pointed to the global coordination over dealing with the H1N1 virus otherwise known as bird flu.

"There was a lot of international collaboration, huge amounts of communication," he added. "But if you look at Sony there were long periods where there was very little communication and delays in response time."

Sony was heavily criticised for not speedily disclosing a data breach involving its Playstation Network, which saw information on over 100 million of its customers compromised.

EMC-owned security giant RSA was also panned for not telling customers information on its SecurID product had been placed in jeopardy thanks to a hack attack.

In building resiliency, businesses need to look at who would be impacted by a breach of its network, which organisations it could cooperate with and when to disclose information, the ISF said.

This includes the need to connect functions internally, as well as externally across the business' supply chain. To support this a facilitator is required to bring together different parties, according to the ISF, which itself can act as if companies want to recruit an external body to mediate.

Despite IT being a key part of a cyber resilience strategy, they should not lead it, the ISF said. Instead, the body repeated the adage that "cyber security is a business issue."

"Security as a concept isn't owned by IT," de Crespigny said.

The ISF has released a report and tools to help companies create cyber resiliency.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.