TxB/5 Security is not a dirty word - even Blackadder would agree. A Ten Times Better (TxB)© Approach.


Security is not just IT’s problem anymore – it’s a boardroom issue, a customer trust issue, and increasingly, a brand issue. It is right at the forefront of people’s minds, especially after the recent examples at Marks and Spencer and Co-Op. There are several thousand cyberattacks per second across the UK.

For over 20 years, I have seen how even well-defended systems can fail. The best defence is proactive, cultural, built into, and right across, the organisation’s DNA. Here are 10 practical, battle-tested principles for building a security strategy and implementation that’s ten times better.

Remember - there are only two types of organisation:

Those that have been attacked and know it...

And those that have been attacked and don’t.

1)      Design for Openness, not Obscurity – Obscurity is not Security

a.      Counter-intuitively, openness is the way forward – with openness there are many more people available to try to break, test and challenge the system

b.      Test, test, test – internally and externally

c.      Use AI anomaly and exception detection to try to “tear down those walls” as President Reagan might have said

2)      Secure by Design

a.      Build security, and room for future expansion, into a system from the very beginning rather than adding them on later. Security must be a foundational design principle

b.       An overall design principle must also be zero trust – never, ever trust and always verify – all users, all devices, all systems, through for instance multi-factor authentication, role-based permissions, and continuous monitoring

c.      An organisation is only as strong as its weakest supplier – you need to make sure that all suppliers are managing risk and security to the same level as you, and that you have appropriate multi-vendor controls in place. You should conduct regular learning lessons with them to exchange best practice

d.      KISS – keep it simple, stupid – keep the attack surface minimal; complexity breeds vulnerability

e.      It is generally a people problem when it all goes wrong – recognise this up front, and design checks, balances, access controls, role-based permissions, and continuous monitoring up front – recognise patterns and exceptions and act on them

f.      Perimeter access – this needs to be the fortress: the digital doors that control who and what can enter the organisation. They need to be thick, strong, selective, access controlled and air-gapped, and constantly monitored to prevent unauthorised access

g.      Firewalls – need to be strong but simple (I have seen several examples where firewall design is built on and built on rather than re-designed, until it becomes too complex and ineffective) to control data, access, protocols, IP addresses etc.

h.      Trusted entities – especially where there are multiple suppliers, perhaps on legacy infrastructure and with insufficient controls – this is a very big and easily exploited vulnerability

3)      Live system access – Protect the Crown Jewels

a.      The basic watchword is no – do not give access to the live system – again, this may feel counterintuitive, but each time access is given, this will increase the risk of breach

b.      Restrict access of live systems to a very, very few trusted and privileged personnel, and even here – no-one should be allowed to access the system on their own, without an independent checker and verifier – the “four eyes principle”. All such access must be double-checked and verified and fully logged. In addition, an alert should be sent to a manager one level above the independent checker and ideally also verified – so much grief would be saved by this simple procedure
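The four-eyes procedure described in 3b, worked through as an added example (not the article's own code): a request from one of the few privileged people must be approved by a different privileged person, every step including a refused self-approval is logged, the approver's line manager is alerted, and the grant expires after a fixed window. The people, systems, change reference and clock are constructed for the example.

```python
"""Four-eyes control for live-system access: added example, not the article's own code.
Assumed model: a privileged requester asks; a different privileged person must approve;
every step is appended to an audit log; the checker's line manager is alerted; the grant
is time-limited. People, systems, change reference and times below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PRIVILEGED = {"alice", "bob"}                          # the very few allowed near production
MANAGER_OF = {"alice": "carol", "bob": "carol"}       # constructed org chart, one level up
T0 = datetime(2024, 3, 8, 9, 0, tzinfo=timezone.utc)  # constructed clock start

@dataclass
class AccessRequest:
    requester: str
    system: str
    reason: str
    approver: str = ""                              # empty until an independent checker approves
    expires_at: datetime = T0                       # set on approval; never open-ended
    audit_log: list = field(default_factory=list)   # every step, including refusals
    alerts: list = field(default_factory=list)      # messages to the manager above the checker

def request_access(requester, system, reason, now):
    if requester not in PRIVILEGED:
        raise PermissionError(f"{requester} is not on the privileged list")
    req = AccessRequest(requester, system, reason)
    req.audit_log.append(f"{now.isoformat()} REQUEST by {requester} for {system}: {reason}")
    return req

def approve(req, checker, now, ttl=timedelta(hours=2)):
    """Second pair of eyes: refuse self-approval, grant a bounded window, alert upwards."""
    if checker == req.requester or checker not in PRIVILEGED:
        req.audit_log.append(f"{now.isoformat()} REJECTED approval attempt by {checker}")
        raise PermissionError("four-eyes: checker must be a different privileged person")
    req.approver, req.expires_at = checker, now + ttl
    req.audit_log.append(f"{now.isoformat()} APPROVED by {checker} until {req.expires_at.isoformat()}")
    req.alerts.append(f"to {MANAGER_OF[checker]}: {checker} approved {req.requester} on {req.system}")

def is_active(req, now):
    return bool(req.approver) and now < req.expires_at   # usable only inside the approved window

def demo():
    req = request_access("alice", "prod-db", "hotfix CHG-0042", T0)
    try:
        approve(req, "alice", T0 + timedelta(minutes=1))   # self-approval must fail and be logged
    except PermissionError:
        pass
    approve(req, "bob", T0 + timedelta(minutes=5))
    return {"active_at_1h": is_active(req, T0 + timedelta(hours=1)),
            "active_at_3h": is_active(req, T0 + timedelta(hours=3)),
            "alerts": req.alerts, "log_entries": len(req.audit_log)}
```

In a real deployment the audit log and alert would go to a tamper-evident store and a paging channel rather than in-memory lists; the control logic is the same.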

c.      Separate, and ideally encrypt, data

4)      Challenge – the basic assumption is that you have already been breached – what are you going to do about it?

a.      Test and verify – think like an attacker

b.      Attackers don’t follow org charts or working hours. As Battlefield Cyber (McLaughlin and Holstein) makes clear, today's threats are often geopolitical, patient, and deeply resourced. Testing your defences like a real adversary would — through penetration tests, hackathons, and red teaming — is the only way to prepare

c.      Penetration testing regime needs to be in place and undertaken on an agreed regular basis, without exception

d.      Regular security assessments need to be undertaken, augmented by an independent team

e.      Get people to try to break in – proper invasive testing – you need people who delight in breaking stuff, e.g. hackathons

f.      Peer Group design challenge – get people from elsewhere in the organisation to test the designs, run table-top exercises, ensure that learning lessons have been implemented in the core design, and overall to make sure that corporate or regulatory policies are implemented

g.      Encourage red teams (the “hackers”) and blue teams (the “defenders”) to try to break into systems and then encourage shared learning and implementation

5)      System currency

a.      Patching – make sure that patching is current and has been applied across all operating and application systems, firmware, software, infrastructure and security tools, for internal systems and also for external connected systems. This is one of the best ways to reduce cyber risk: if you don’t patch, or if you run old versions, you are basically inviting an attacker on to your estate

b.      Asset management and inventory controls need to be in place across your systems and kept current – especially make sure that all live/production, testing, development, disaster recovery and other sandboxes are kept current and do not allow back-door access

6)      Contain and Control

a.      Early warning systems – studying several cyber attacks shows that they can come in waves – an early small-scale attack acts almost like a reconnaissance mission to detect vulnerabilities, followed by a large-scale and widespread attack that exploits this intelligence gathering

b.      Use horizontal containment – prevent cascading by segmenting systems and isolating areas of operation – e.g. retail systems from HR systems from finance systems

c.      Consider “kill switches” and quarantine zones – a kill switch may not be elegant but it buys you time and immediately shuts down compromised systems and prevents further contagion and spread

d.      Separation of systems and data – e.g. live, test, development, DR, sandbox – you must treat them as separate systems and not allow propagation of an issue from one to the other

e.      Role based access controls – specific for the actual programme in hand, time-based, reviewed and also performance reviewed – if someone breaches the protocols of access, then their trust should be questioned and role-based privileges should be removed pending corrective training and action

f.      Passwords and Multi-Factor Authentication – only suitable passwords and complexity should be allowed and they should be regularly updated. Access to systems and services should in addition be via multi-factor authentication

g.      Pay particular attention to personal data and to documents containing words such as “confidential”, “passport” and “national insurance number” – these are really easy search terms for an attacker looking for sensitive data to target

7)      Manage Change – It’s where many breaches start

a.      Implement robust and governed change control with incremental go/no-go decision points, which should be peer reviewed as a minimum, and with tested rollback processes and points in place

b.      To re-emphasise, it is critical that live system access controls are maintained during any change implementation – people are generally tired, under pressure and time constrained – the possibility of somebody making a mistake, often acting in good faith to progress a project or programme, is raised significantly during change

c.      Test all points before and after the change – across the systems but especially in live/production

8)      Declare early/Act Fast

a.      Don’t say everything is ok when it isn’t – this lets any attack become embedded, often spreading in a geometric progression, so that corrective action becomes more and more complex and costly with time

b.      Panic early – it’s actually ok to panic and raise the alarm – it is often better to have raised a false alarm, than suffer an attack and regret that you did not act

c.      Get the experts in – there are many experts out there who have been through this before, and have explicit and comprehensive knowledge of your system infrastructure and software components, plus current best practice on attack vectors – they will significantly enhance your response and limit any damage

9)      Learning Lessons

a.      Implement them – don’t put them on the shelf. E.g. the British Library’s public review of its cyberattack (2024) shows how institutions can face hard truths, adapt, and share lessons for the greater good. It’s worth a read: bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf/

b.      Use every near miss as a positive approach to learn how to prevent – think like an airline pilot

c.      Track implementation of lessons via audit logs or a security board

d.      Embed learning into playbooks, not just post-mortems

10)  Training and Communication

a.      Regular training – most attacks start with humans – make your people your strongest defence. What is security? Why is it important?

b.      You must raise awareness of phishing, spear-phishing, scamming, flattery etc. and conduct regular simulations and training courses designed to make people think

c.      Have a response plan in place including people, process, comms, DR/BC – it needs to be run like clockwork

d.      Ransomware awareness and a response plan needs to be in place

Finally

Cyber isn’t a department - it’s a mindset for everybody.

It is not just about compliance anymore; it’s about resilience. Leaders need to shift from “let’s hope” to “let’s test.” From “IT will handle it” to “what’s our role in defence?” Because the threats are growing - and in many cases, are already inside the organisation.

👉 I'd love to hear what others are doing to stay ahead. What’s your top cyber tip that actually works?

#cybersecurity #TxB #transformation #AI #risk #leadership #governance #CISO #CIO #boards #digitaltrust #BritishLibrary

Security by Design is the fundamental aspect to me... if we architect security into every aspect of the Operating Model - not just 'leave it to the technology boys and girls' - then the mindset can become embedded and cemented in. The question 'when do we fit in security testing' is the most frightening question I hear - especially when the answer is 'oh, we'll do it at the end, when all the functional testing has been done'. It needs to be carried out through all phases of a programme to ensure security is successfully designed and built into whatever solution is being delivered. The mindset of security needs to become a cultural norm - it needs to be on the Boardroom agenda not as a reactive 'oh bugger, we've been hacked', but as a proactive 'what can we do more of, and what do we need to invest in to ensure we keep our data, systems, people and business safe'. An excellent article Antony and very relevant in today's world where cyber security incidents are endemic...

Bryan Altimas

Great article Antony. Good fundamentals of cyber security. I love "cyber security is not a department but a mindset"
