Cyber Risk: For Smart People Who Haven’t Studied Computer Science
The torrent of jargon that I.T. people use can be overwhelming. We know because we’ve experienced first hand, the glazed eye “get me out of this conversation now” look on the faces of non-technical staff across the strata of organisations.
This isn’t another article written in wiggly-amps to convince all of you that you need to dig deep to buy an expensive vendor-supplied security solution. Hopefully, this will help you start to understand what you need to know, and do, to better understand and manage cyber risk in your organisation.
- Understand what’s critical Sadly, if someone really wants to electronically break into your organisation and steal your data or be generally disruptive, with enough time and resource they will succeed. The first action for any organisation wishing to prepare for this inevitability is to identify the most important things to protect.This could be customer data, financial transaction data, continuity of service or intellectual property all of which, if stolen or disrupted, could impact on your reputation and/or prosperity. This list is not exhaustive and it will likely be a combination of these and other examples that form the priority items. Before any assessment of the risk can take place, it’s important that these priority areas are identified and ranked using the potential severity of the consequences of loss or damage.
- Hope for the best, prepare for the worst Following on from point 1, it is important that the impact on operational performance resulting from a security breach is minimised. Given the statistical probability of an attack taking place, preparing to recover from a breach is just as important as trying to prevent one. Regularly backing-up your most important data, disaster recovery exercises, and a well understood incident response policy and process are critical. Asking the question ‘what’s your role when we are hacked?’ is a good way to test your workforce’s awareness of your incident response policy and processes.
- It’s not all doom and gloom The good news is that the basics done well, monitored, and assessed regularly will prevent the majority of cyber attacks. The NCSCs 10 steps or the Australian Cyber Centre’s essential 8 give a solid introduction to the preparations that any organisation can do to protect its data without spending a small fortune. They provide a reliable baseline to help an organisation understand the minimum requirements of a coherent approach and provide a solid foundation upon which to build. In the UK, Cyber Essentials accreditation is a great starting point for any organisation.
- Don’t fire and forget Frequently evaluating your risk profile is important as the biggest risk to an organisation is not understanding the scale or range of risks. The threats posed to your business are evolving daily, the technical security that was good enough yesterday may not give adequate protection tomorrow. We provide a range of risk assessments and awareness training that will give your organisation a better understanding of what it needs to know and do in order to manage the extant cyber risk.
In summary, there are 4 key areas on which we would recommend organisation’s focus:
- Identify and prioritise what is critical to your business and ensure systems are patched and protected.
- Plan for a breach and prepare your response. Back-up often and ensure you can recover quickly.
- Complete the information assurance basics as a foundation and build your capability from that baseline. Two-factor authentication is simple to implement and effective at stopping a range of attacks.
- Regularly test your defensive security and ability to respond. Independent assessments will give you an un-biased view of your resilience to attack. Manage your risk, don’t try to remove risk simply through expensive vendor solutions.