A Hitch-Hacker’s Guide to the Galaxy: Episode 1

A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders

In this blog series, I will be looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.

There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations.  Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.

This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.

Each post will focus on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation.  To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.

This first post sets the scene.

Episode 1: It’s dark out there.

Understanding the threat landscape


“Cyber space is big. Really big.”, (mis)quote from Douglas Adams, The Hitchhiker’s Guide to the Galaxy

The internet, and the opportunities it provides for interconnectivity, data sharing and collaboration, has brought incalculable benefits to society, business, education and research and it is well-nigh impossible to conceive of a world without it.

There are an estimated 5.35 billion internet users worldwide, 17 billion internet-connected smart devices, and over 200 million websites.  All that connectivity carries risk as well as reward.  Any of these users, devices or websites could be involved in malicious activity which threatens your organisation.  And that’s just from the outside.

On the inside, your organisation has hundreds of staff and thousands of students, who work in an environment which is cultivated to be open and collaborative.  However, any of these could also threaten your organisation, deliberately or inadvertently, by providing a launch pad for an attack from within your network, or being compromised to provide access to an external threat actor to launch an attack.

We know that this is very real and not just a theoretical possibility.  In January 2024, there were an estimated 29 billion recorded breaches of data records, far outstripping the 8 billion recorded breaches for the whole of 2023.  In February 2024, we saw a major DDoS (Distributed Denial of Service) attack affecting a number of UK universities, including some of our leading institutions, which resulted in loss of internet connection ranging from minutes to several hours.  In 2023, at least 2 universities suffered major cyber incidents which took months to recover from.

The Higher Education sector alone is worth £115 billion to the UK economy, so it is no surprise that it is a major target for cyber attackers.  In 2022, the UK Higher and Further Education sectors ranked ransomware and phishing as the top two cyber threats.  The time taken to recover from a ransomware incident typically ranges from 10-24 days, but full recovery of systems and data can take many months.  The average cost of recovery is estimated at over £2m, but the damage to your organisation’s reputation may be valued significantly higher than this.  You don’t want to see your organisation in the news headlines as the latest to fall victim to a major cyber attack.

Executive leaders want to know how to navigate this complex area of risk and have assurance that protection levels are being delivered.

How are we doing?

When we deliver a Cyber Security Assessment to an organisation, we are often asked “How are we faring compared to other similar organisations within the sector?”  The underlying question behind this is “What is good enough?”, which is closely followed by “How much do we have to spend to get there?”

These are challenging questions to answer for a number of reasons.

Firstly, many organisations and their IT and security teams struggle with limited budgets and personnel to deliver cyber security for their organisations.  How should you prioritise your spending to maximise your protections?  What should you tackle first to get most bang for your buck?

Secondly, for some of our larger organisations, the challenges are more focussed on building a security-first culture in an unwieldy organisation where long-standing devolved responsibilities make imposing centralised security controls problematic.

Cyber security is a journey rather than a destination, and is more about developing that organisational culture than merely spending to protect.  It provides a false sense of security to assume that you are “secure enough” because your approach to cyber security (e.g. spending, headcount, etc.) is similar to that of another organisation like yours.

However, we understand the desire to answer these questions and our Cyber Security Assessment supports you by helping build a roadmap to follow.

Put a number on it

The difficulty for many organisational leaders, not just in the education sector, is that cyber risk is not easily understood and is largely invisible.  Executive teams talk the language of risk, and cyber risk can be hard to conceptualise.  IT and security teams which are on the front line in delivering security can fall into the trap of providing too much technical detail, which doesn’t translate well for decision makers.  After all, if everything seems to be working as normal, why are you being asked to spend so much more?  This sort of disconnect between decision-makers and implementation teams can lead to the risk not being properly assessed and treated.

Executive teams must be wary of a pattern of thinking that assumes that their own user experience of IT reflects what is going on behind the scenes.  To properly understand cyber risk you have to start measuring it.

Senior and technical leaders need to work together to understand what the impact on the organisation will be if a critical incident like a ransomware attack were to occur.  What would it mean if systems were out of action for 3 weeks? Or 3 months?  What about the opportunity cost from key staff working to restore systems instead of working on new developments?  You need to put a £ sign on these answers.

What does normal look like?

Next you need to start measuring your cyber posture so that you understand what “normal” looks like.  Then you have a baseline from which to measure changes, and to understand what impact investments in your security are having.

If you can start to understand how cyber risk looks and feels, it becomes less of an unknown and you’re on the way to managing it.  Although there is no simple way, no single number, to measure cyber risk or security, there are a number of things which taken together can help.  For example:

  • How many critical or high risk vulnerabilities do we have on our systems?
  • How many unpatched or unsupported systems do we have?
  • How many inactive user accounts do we have?
  • What percentage of user accounts have multi-factor authentication enabled?
  • What is our MS365 secure score?
  • If you run phishing campaigns, what are your click-through and reporting rates?

Start measuring now to get your starting baselines.  Then keep reviewing these numbers on a regular basis.  Get a feel for how quickly or easily the numbers can be managed.  Then you can set some targets to aim for.

Many executives will be familiar with the Six Sigma methodology for quality improvement in business processes.  This can be applied to cyber security just as effectively as to a manufacturing process.  “Defects” in cyber security are vulnerabilities—unpatched systems, misconfigurations, untrained staff, inactive user accounts.  As an executive team, it’s your job to determine for the organisation what level of “defects” you are prepared to tolerate.

Only then can you start to have meaningful conversations with your IT and security delivery teams about how to achieve these goals.
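As an added illustration (not from the post, nor from Jisc’s assessment service), the following Python computes the baseline figures listed above from a constructed inventory and flags which of them fall outside an executive-set “defect” tolerance. The inventory records, the 90-day inactivity threshold and the tolerance values are all assumed for the example.

```python
# Constructed sample inventory (not real data): one record per system and per account.
SYSTEMS = [
    # name, highest-severity open vulnerability, patched?, vendor-supported?
    {"name": "vle-web-01", "vuln": "critical", "patched": False, "supported": True},
    {"name": "hr-db-01", "vuln": "high", "patched": True, "supported": True},
    {"name": "legacy-print", "vuln": "medium", "patched": False, "supported": False},
    {"name": "mail-gw", "vuln": None, "patched": True, "supported": True},
]
ACCOUNTS = [
    # username, MFA enrolled?, days since last sign-in
    {"user": "alice", "mfa": True, "inactive_days": 3},
    {"user": "bob", "mfa": False, "inactive_days": 120},
    {"user": "carol", "mfa": True, "inactive_days": 15},
    {"user": "dave", "mfa": False, "inactive_days": 7},
]
# Constructed result of one simulated phishing campaign.
PHISHING = {"sent": 400, "clicked": 36, "reported": 120}

def posture_metrics(systems, accounts, phishing, inactive_after=90):
    """Compute the baseline figures listed in the post (inactive_after is an assumed threshold)."""
    return {
        "critical_or_high_vulns": sum(s["vuln"] in ("critical", "high") for s in systems),
        "unpatched_or_unsupported": sum((not s["patched"]) or (not s["supported"]) for s in systems),
        "inactive_accounts": sum(a["inactive_days"] >= inactive_after for a in accounts),
        "mfa_pct": 100.0 * sum(a["mfa"] for a in accounts) / len(accounts),
        "phish_click_pct": 100.0 * phishing["clicked"] / phishing["sent"],
        "phish_report_pct": 100.0 * phishing["reported"] / phishing["sent"],
    }

# Executive-set tolerance per "defect" type: ("max", limit) = no more than, ("min", limit) = at least.
# These values are assumed for the example, not recommendations.
TOLERANCES = {
    "critical_or_high_vulns": ("max", 0),
    "unpatched_or_unsupported": ("max", 2),
    "inactive_accounts": ("max", 0),
    "mfa_pct": ("min", 95.0),
    "phish_click_pct": ("max", 5.0),
    "phish_report_pct": ("min", 25.0),
}

def defects(metrics, tolerances):
    """Return the metrics outside tolerance, each with its current value and the target."""
    out = {}
    for key, (kind, limit) in tolerances.items():
        value = metrics[key]
        if (kind == "max" and value > limit) or (kind == "min" and value < limit):
            out[key] = {"value": value, "target": limit}
    return out

if __name__ == "__main__":
    baseline = posture_metrics(SYSTEMS, ACCOUNTS, PHISHING)
    print("baseline:", baseline)
    print("outside tolerance:", defects(baseline, TOLERANCES))
```

Re-running the script against each month’s inventory export and keeping the outputs gives the trend the post asks you to watch, and the defects dictionary is the list to take to the IT and security teams.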

Treat cyber risk like flu

A helpful way to conceive of cyber risk is to view it like flu.  That means accepting that it’s an endemic problem that is part of the cost of operating in a connected digital world.  You know it will impact from time to time, and that at its worst it can be very serious.  You manage the risk through prevention, containment and recovery.

Prevention is better than cure

All too often we see organisations responding to cyber risk only after they have experienced a cyber incident, with all the pain that this entails.  Cyber security is essentially about risk management, and you should treat it the same way as the other risks to your organisation.

  • What is the value of the asset we are trying to protect?
  • What are the likelihood and impact of the risk?
  • How can we manage the risk? Treat, transfer, terminate or tolerate.

I’ll explore the many facets of cyber risk management in the following episodes in the series.

A Final [Deep] Thought

In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at what it is you’re actually trying to protect.  Know thyself.

For now, you can take useful steps forward by checking out your organisation’s risk register.  Is cyber risk adequately represented there?  Have you put a monetary value on the impact of a cyber incident – for 3 weeks, and 3 months?

James Bisset is a Cyber Security Specialist at Jisc.  He has over 25 years’ experience working in IT leadership and management in the UK education sector.  He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, and is a member of the GIAC Advisory Board.
