The Cyber Security Podcast from PwC UK: How to increase cyber resilience in a heightened state of alert

26 May, 2022

Host: Abigail Wilson, Cyber Threat Intelligence Manager, PwC UK
Guest: Laura Duncan, Cyber Security Director, PwC UK
Guest: Richard Horne, Cyber Security Chair, Risk and Quality Partner, PwC UK

Duration: 20m 37s


In this episode, Abigail is joined by Laura and Richard to discuss:

  • What is a heightened state of cyber alert?
  • How do you assess your vulnerability and respond to different levels of cyber alert?
  • What scenarios do you need to plan for and what actions should you prioritise?
  • How do you embed cyber resilience across your organisation and people - and how do you manage security fatigue in a prolonged heightened state of alert?


Transcript

Introduction by our host, Abigail: Welcome back to a brand new season of our Cyber Security Podcast. So far this year, we've seen a range of major events really influence what we're seeing in the cyber threat landscape, including the conflict in Ukraine, and with this, many organisations have operated at a heightened state of alert. Today, we're going to be discussing what steps you can take when the cyber threat posed to your organisation changes. I'm going to be focusing on what you can do to prepare and respond. To join us in this discussion are Richard Horne, our Cyber Security Chair here at PwC, and Laura Duncan, a Director in our PwC Cyber Security practice.

Richard: Thank you, Abi.

Laura: Good to see you again, Abi.

Abigail: It's great to have you both back. To get stuck in my first question, I'd like to get straight to the point. What exactly does a heightened state of alert mean and how is this different from business as usual?

Richard: Yeah. It's really interesting because for years, we've become used to the idea of a physical state of alert changing, so physical security, as say the terrorist threat changes or whatever, then organisations might move to the next level and that means they know what they're going to do. They're going to introduce scanners in the lobby, or they're going to do extra checking of passes as people come in through the doors and that kind of thing. And so we've had that concept in the physical world and we're now starting to realise we need something like that in the cyber world, and I think there are two different levels to it. One is when you know a specific threat is highly likely to target you, and we've seen that maybe with some organisations that might be targeted directly by a nation state, and that means looking at specifically how would your defences hold up against certain techniques and certain software that an attacker might use and that kind of thing. What we're in today is a place where geopolitical tensions have risen and we know that attacks may be more likely, but we don't quite know what or when, or how, or even by whom necessarily. That's the sort of concept of heightened state of alert to reflect that unpredictability of the environment we're in today. What that means is really checking everything: checking that you've patched everything that needs patching, checking that your access controls are tightly defined, all the way through to checking that you're logging the right kind of things, that your detection processes are generally good, maybe testing your response processes, and checking your ability to recover if you had some major disaster, and that's really the theme of the alert that's come out from the National Cyber Security Centre, similar in America and other Western nations as well. It's really check yourself, check that you're in a good general state and you could cope with something unpredictable that may come across that horizon.

Abigail: Thanks Richard and just to reference the NCSC alert that was published in February of this year. I know that it didn't provide any reaction of what specific intelligence prompted this alert; but I think it's really important to remember that a variety of different factors can trigger this type of heightened state of alert and therefore, drive an organisation to operate at this level. Laura, would you like to summarise what does a heightened state of alert really mean for the C suite? I'm talking CEOs, CISOs, do you have any examples as well from working with clients to bring this to life?

Laura: Sure. Unfortunately, over the last three years, we've had several examples when we've had to heighten our state of alert for various reasons, and that can come from a situation in Ukraine all the way to the shortage in supply chain or supply chain issues causing cyber attacks to increase. For the C suite, it's really important to think about, again, as Richard mentioned, making sure you're doing those checks. Another thing to think about is also thinking about your agility and your scalability, what does that actually mean. That might mean that you need to increase your monitoring levels for example, or you might need to be more agile in the projects that you're doing as an organisation, you're building a new website. I had a client building a new website last year and they had to put that on pause because they needed to do more security checks, they needed to let fewer and fewer changes go through into a live website because of the risks that they were taking on. It's just looking at your processes and doing those checks, but also thinking about how you can be agile and be able to shut processes off or change them, make them more restrictive and also scale up certain services that you might have, so you might want to monitor things more closely than you were previously or you might want to let fewer and fewer people into your state, for example.

Abigail: Starting at the very beginning of what an organisation thinks about when they're about to make this decision. Laura, where do you start? How as an organisation, do you go about assessing your vulnerability in these types of situations?

Laura: What's really important is looking at your overall landscape and how you operate as an organisation. If you rely on your threat intelligence services, for example, threat intelligence is a great way to see changes that are going on externally to your organisation that might impact your organisation. Another example might be looking at your third party landscape and understanding what third parties might have had recent incidents or breaches or difficulties and do you work with any of those third parties. That's a huge thing. Richard, you and I've worked with several clients that have been a victim of a third party’s incident.

Richard: Yeah, that’s right and actually for those organisations, for all organisations, it's worth reviewing, how would you know if a third party who you're dependent on has had an incident, do they have the contractual responsibility to notify you, if they had an incident and it wasn't proven and it affected you, would they notify you and those kind of questions it starts to get quite knotty.

Laura: Yeah. Third party threat intelligence, another one is just knowing your own landscape. What do you know and also, what do you not know. I have yet to meet a client that monitors 100% of their landscape and knows every system they own and every single process they have, and all the applications they might have, so if you think about that, you need to be confident in what you know and then also have an idea of, ‘gosh, where am I really vulnerable and should I be thinking about this?’ and that might be a physical location you're worried about or a part of the business you're worried about, kind of other areas. That's where I would start when I'm assessing my vulnerabilities, as I would look at what is my threat intelligence telling me, what are my third parties doing and what do I know and not know about my landscape and does that cause me, I guess, a little bit more angst than normal.

Abigail: From both your experiences, it'd be really great to hear about what organisations are doing to plan and prepare for such events?

Richard: Yeah, it's been really interesting. We've seen a lot of organisations where, when you ask the honest question, are you as well perhaps as you should be, do you have all of your systems fully recorded in your asset register and those kinds of things, then the honest answer is no. Most organisations, we know often we worked with have had that honest look in the mirror and said, ‘Okay, we need a bit of a sprint on this to get our patching state up to where it needs to be, to make sure we've got all our systems in our asset register, to think about where we could be logging more, where we could be improving our monitoring and that kind of thing.’ We've seen quite a few organisations actually divert resources from maybe development work, put some non-urgent projects on hold and move some of their IT resource into what you might call hygiene activities. Just making sure that the hygiene is right, that access controls are tightly locked down, and all of those kinds of things. That's the thing we've seen most common in organisations, is that diverting resources to focus on hygiene in a sprint for a few weeks, and then the other thing that I think is really interesting some organisations are starting to think about is, what would the next level of alert look like? If we knew that we were likely to be targeted directly by a nation state, what would we do differently, and some organisations are starting to think about maybe locking down firewalls more, maybe stopping macros coming through within Microsoft documents and that kind of thing where it could be more disruptive to business processes. It's not things that they've done up to now, but if they knew that they were highly likely to be targeted in the next few weeks, what are the things they could do, so some organisations are thinking about that. Then the last thing is every organisation needs to be thinking anyway, due to the prevalence of ransomware around, if we lost our IT, what's our business continuity plan, and how would we recover, and if we lost our IT, how would we be confident we have backups in place that we could recover from, and how would we keep doing business whilst we rebuilt our IT.

Laura: Yeah, I mean, Richard and I have both had several experiences with that. I've seen people, they got out the whiteboards, because they couldn't get online and they had to get out the whiteboards and direct people here's where you go to get your laptop rebuilt and you have to think about things like that. Another one was, I didn't print off my business continuity plan, and so when Windows went down, and I had no access to anything and active directory or any file shares, we had no clue what to do. We had a great plan, but we just didn't have it at our hands. Like little things like that, really thinking through what that scenario might look like and as Richard said, being agile, being able to start some processes, stop others in order to get the hygiene up to scruff would be really prudent.

Abigail: It sounds like there's a real shift in the way that organisations are really thinking about business continuity and disaster recovery, especially when it comes to ransomware, it's really about the survivability of their organisation at that point, especially if they have to continue to operate as normal for a period of weeks during this stage. So we've talked about an organisation's processes, I'd like to shift the conversation a bit more and talk about the heart of every organisation, of course, is its people. It's equally if not more important to have the right culture in place, how do organisations enable their people to be in a heightened state of alert?

Laura: Obviously, everybody wants to do the right thing, at the heart of every organisation is a group of people that genuinely just want to do the right thing and have a lot more good intentions than bad intentions so I would just say that first of all. I've never gone into a situation where people have not been understanding of the need for more security. However, security fatigue is a huge thing. If we're being more stringent on the changes that you want to process because you've been working on this project for two years, and you all of a sudden can't, because security is not allowing or they want more checks that can be exhausting. Richard mentioned earlier was not being able to send macro enabled Excels in email. Finance and Legal would like, they hate that, that prevents them from doing their job well so I think that security fatigue needs to be taken into account when you're thinking about operating at this heightened state and thinking about how long you can ask an organisation to do that.

Richard: Yeah, a lot of people would say, well, many cyber attacks, they start with a human failure because someone's clicked on a link in a phishing email or opened an attachment. Whilst that's right, at the end of the day, you can't eliminate your human failure. People do stupid things, maybe I've done more than my fair share, and that's why more understanding about it but everyone's clicked on the link in email by mistake at some point and then suddenly realised they shouldn't have done that kind of thing. Organisations do need to recognise that you can't eliminate human failure, you can’t eliminate people doing something that they shouldn't so you do need the tech controls and the monitoring to be able to catch and isolate things when a human does let the side down because we all do.

Laura: Yeah, and one of the CISOs that I work closely with, she's always said, a really good security program is one that you don't necessarily know exists. Maybe not in the heightened state of alert obviously, that will bring about change, but when you have good processes that guide you through good practice security objectives, when you're doing really good development, when you're making sure that you're being cautious when you reply to emails, it's when you don't know it exists that you know a security program is working really well, and I really agree with that.

Abigail: Laura, as a follow up question, is there anything particular that you would just to give our listeners some practical advice, is there anything you feel that leaders should do in a time of crisis or a state of heightened alert to help their employees and enable them to continue to understand why there are an increased level of security controls?

Laura: Well, first and foremost is focusing on the people themselves and I know that when over the last few months from the beginning of 2022 until now, we've really been focusing on our teams and our people and making sure that their wellbeing is taken care of, because people know when it's a heightened state of alert, it's usually because there's danger out there, and in this case, it's virtual versus physical, as Richard was talking about at the beginning of this podcast. Taking into consideration that the mental wellbeing of people is really important, first and foremost. Then being really open and honest about what's going on and what you're doing to prevent that. Nobody wants to just be introduced to a harder work life without any sort of reason for it. Being communicative and regularly giving updates and offering a listening ear is really important.

Abigail: Yeah, that's a really great point. Wellbeing is especially important to reduce security fatigue, especially for those frontline security personnel who have been essentially fighting the fires for the last few months if they've been in a heightened state of alert for that amount of time, because we do acknowledge that sometimes an organisation can be in that phase for a long period of time and they do need to think longer term. Moving on to our next part of the discussion, I'd like to give our listeners more practical advice in addition to the points that you both have already raised. What steps can an organisation take to increase the resilience in this heightened state of alert? Richard, if I could start with you?

Richard: Yeah, we've talked a bit about the National Cyber Security Centre alert and that's got some really good advice mainly around IT hygiene, and that's got to be action item number one is really focused on your IT hygiene. The second thing is to actually rehearse a bit with some various scenarios where, what would you do if your IT didn't work tomorrow even if it's not a cyber attack, just some huge IT failure. What would you do, how would you maintain business, how would you keep vital processes going. That’s the killer question that every organisation has to face up to is, how would we continue for 4 weeks without any IT. If you can answer that, then you're in a really good place. As part of that is looking at your backups, your ability to recover from those backups and making sure that they couldn't be corrupted or deleted by an attacker as well.

Laura: For me, what's really important is to think about the financial aspects of all of this as well and think about that upfront. A CISO has a really tough job in that they're probably on a shoestring budget to begin with and they're always asking for more money, and they're unable to tackle every eventuality. As Richard says, humans make mistakes and that starts a lot of the cyber incidents that we have, but what will we do to respond better to that heightened state of security. A very honest discussion with your CFO, your CEO around what would it also cost to operate at a heightened state and what are the trade-offs you're going to make to continue to operate at that heightened state for a prolonged period of time. Because what we don't know about this is how long these heightened states are going to last. You want to have that real thing, being the American that I am, dollars and cents conversation about, how much is this going to cost or how much could this, and do you want to secure some budget for that, like in your business continuity plans, or something like that. Because the worst thing you want to have to do as a CISO, when you're operating in this heightened state, is to start to haggle over finances, and I've seen that happen time and time again, because you just don't know what it's going to cost and you want to make sure that you're optimising that money as much as possible.

Abigail: Bringing the budget in longer term thinking is a really good point, because we don't know how long organisations will have to operate in this state for. We've covered quite a lot in today's episode, and we've really done a deep dive in terms of the operational level security controls you can put in place but Laura just to loop back to your point about thinking more long term, what are organisations or what should organisations be thinking at longer term about how long they could be in a heightened state of alert for?

Richard: Yeah, that's a really interesting point because one thing we've seen, especially where you're in the current situation, organisations maybe had to exit operations from one country, or limit risk coming from another country and those questions then get down to the heart of how your IT is architected. Organisations have been able to respond in a way that is really effective is being able to make decisions quite quickly and execute decisions around cutting off an office, cutting off a territory, limiting traffic coming from a territory through one filter, so that they can really monitor it and that kind of thing. That's where a lot of modern technologies like software defined networking and using internet portals that everything goes through in order to get into an office network, so essentially always on virtual private network (VPN). They've been really effective for organisations being able to have the agility to deal with unpredicted geopolitical situations. If there's one thing we’ve all learnt is that we're in a far more uncertain world today than we realised and having an IT architecture that you can move and you can flex and making use of cloud technologies in a way that gives you that agility is really important.

Abigail: Thanks, Richard. Laura, any final thoughts to add?

Laura: Yeah, just to pick up on Richard’s point, there's a lot of innovation and technology in IT today and with that comes security innovation as well. If I could tell some of the organisations that we work with, what I hope that you would do would be to embrace innovation in this space, because you can skip a few steps now. We look at the way that security operation centres used to operate and the way now that they could operate and the value that they can provide now that we've got so much more and better technology. I want to say, make sure that you also embrace innovation as part of looking to how you could operate in a heightened state of security.

Abigail: Thanks, Laura. Definitely some key things for our listeners to consider, and thank you both for joining me today. To our listeners, thanks for tuning in. I hope it was a really useful discussion on how organisations can respond to a heightened state of alert. Don't forget to subscribe to our Cyber Security Podcast to help you stay ahead of the cyber trends and issues that matter, and you can check out our website at pwc.co.uk/cybersecurity. See you next time.
