On 7 March, teissTalk host Tom Langford was joined by Daniel G. Dresner, Professor of Cybersecurity, University of Manchester; Mike Yeomans, Manager, Cyber Risk Quantification Service Delivery Lead, KPMG; and Sam Woodcock, Senior Director - Cloud Strategy, 11:11 Systems.
Views on news
At least 225,000 sets of OpenAI credentials were put up for sale on the dark web last year, which could potentially be used to access sensitive data sent to ChatGPT. ChatGPT accounts compromised by information-stealer malware were discovered by researchers at Group-IB between January and October 2023, which shows the growing threat that organisations face from the corporate use of GPTs. The question is whether criminals will now also use the information they stole to manipulate the models and “poison” them, in which case these incidents may be the vanguard of a new type of threat. The number of credentials stolen may not by itself make this a big incident. However, it highlights the importance of the proper authentication, authorisation and due-diligence procedures that the deployment of these models makes necessary. Users may also feel more relaxed about using these models and care less about the information they give away when, for example, engineering prompts. Internal AI tools can help advise employees on what they can and cannot do with GPTs. Cyber security professionals, yet again, must make sure that they strike the right balance between being toothless and being seen as “the business prevention unit”.
Measuring cyber resilience and whether insurance can play a role in it
Resilience in the business sector is described as absorbing the problem rather than compounding it. It also tells you whether a company has the capabilities to recover from an attack and get stolen data back. It is important that neither the prevention nor the remediation aspect is overlooked. A distinction between business resilience and cyber resilience must also be made, since the latter calls for different strategies because of its specific nature. Professionals should never forget the human side, but rather integrate employee wellbeing into their cyber strategy. In the NCSC’s problem book, one of the five problems highlighted focuses on how to measure security. Like Netflix’s Simian Army, companies must induce failures and anomalies to see how the organisation copes with them. You need to check for vulnerabilities on an ongoing basis and get a good understanding of the organisation’s maximum tolerable period of disruption.
Cybersecurity professionals also need to establish what good looks like when they measure performance against cyber security frameworks in terms of testing, validation and visibility. One of the challenges is interpreting the data gleaned from security systems. Today’s requirement is to build cyber resilience into the operation of the company by design. Businesses should also be honest about any decision not to protect themselves against certain types of threat and to accept the risk. However, without a robust strategy for how you recover data, your options may be limited to paying the ransom. Recently, it has become more difficult to get cyber insurance, and unless you have demonstrated that the controls you promised are in place, you may not get the payout. To get the insurance, you must already have a certain level of cyber maturity.
Insurance shouldn’t be about transferring risk, as the buck, and the damage, will eventually stop with the company and its reputation anyway. What businesses need to see clearly is their level of cyber maturity, whether they are confident that if they were attacked tomorrow they would be able to recover, and how performance on various metrics bears that out.
The panel’s advice
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543