I’m sure you’ve heard it before… “cyber criminals, regardless of their background and motivations, are always one step ahead”, and “it’s not a case of if, but when, you may be compromised”.
There is a recognition that organisations will never be fully free from the risk of cyber attacks, but the GFSC has been proactive in its attempts to ensure local businesses are making it as hard as possible for cyber adversaries. The recent publication of the GFSC’s Cyber Security Rules and Guidelines has set out a series of requirements to which Boards of locally based, regulated companies must be able to demonstrate adherence, proportionate to their business, regardless of whether their information assurance is managed internally or by an external, third party provider. Here at East Harbour we have followed, and actively contributed to, the discussions behind these rules and in so doing have a clear understanding of their purpose and how best to implement them.
When it comes to understanding the GFSC’s approach to introducing such guidelines, it is important to recognise that the rules go beyond a single accreditation, and as such this is not something that can simply be resolved by ticking an accreditation box. Although highly relevant, achieving information assurance and cyber security accreditations such as Cyber Essentials Plus or ISO 27001 is not a full substitute and does not automatically mean an organisation would fully comply with the rules.
So, what are the GFSC rules? With five core functions – Identify, Protect, Detect, Respond & Recover – they are largely based around the NIST CSF (National Institute of Standards and Technology – Cybersecurity Framework). NIST CSF was introduced in the USA under the Obama administration, with the aim of protecting US critical infrastructure from cyber security adversaries. Since then its use and application have grown and it is now internationally recognised as the “go to” cyber security framework. Again, however, following this framework alone will not solve your cyber security challenges or ensure compliance. Instead, it is necessary to combine it with other, related guidance such as the CIS 20 Controls or NIST SP 800-53, to develop an appropriate cyber security defence regime which is matched against each organisation’s specific cyber security risks and offers practical, affordable and appropriate mitigation controls, applied in order of priority.
It is these specific cyber security risks, and the management of them, that set every organisation apart from the others, and they are the main focus of NIST CSF and, correspondingly, of the GFSC Cyber Security Rules. Having a clear understanding of all an organisation’s assets – people, software, hardware – and then undertaking a comprehensive risk assessment, highlighting threats and vulnerabilities, and implementing the necessary policies, procedures and controls using tried and tested cyber security methodologies should be the starting point for any organisation pursuing an appropriate cyber security posture.
And what of technology in all of this? There are countless cyber technology apps and solutions all claiming to protect businesses from cyber attacks. They no doubt all have a place and a role to play in a broader cyber security regime, but it is clear that implementing a randomly selected cyber security solution in isolation is not a panacea, and not the approach we would recommend.
This is where East Harbour can help. As an independent operator, set apart from your internal or external IT management, and with our CISSP, NIST and GDPR qualified practitioners, we are ideally positioned to guide your business through the challenging and sometimes overwhelming task of identifying and implementing an appropriate and effective cyber security regime. We do not apply a pro forma tick box or one size fits all approach. We are fully aware of how fast the cyber security world is moving, and just looking at the recent SolarWinds and Microsoft Exchange vulnerabilities tells us all we need to know about the escalating threats – so we consider all variables when working with clients to map out their cyber security journey.
Next time cyber security is on your Board’s agenda, why not ask to speak to one of our experts on a no charge, no commitment basis, to understand how we can help you to demonstrate your adherence to the latest GFSC guidelines and protect your organisation from this ever increasing threat.