Cyber security is a topic on every organisation’s radar. The continued threat of ever-evolving cyber-attacks, combined with the introduction of GDPR compliance, means that a successful attack and the resulting loss of data carry serious business implications for any company.
It is not a question of if you are going to be attacked, but when. Any business should be well prepared for this and have processes in place to mitigate the risk of attack and reduce the chance of its success.
But what can a business do to best protect itself?
Planning and budgeting for cyber security
Firstly, to best manage cyber security in any business, we recommend that a yearly budget is set to plan cost-effective investment in cyber protection. This is not a quick fix, and a continual approach should be taken to best protect the organisation; the business needs a budget that reflects this. The continual management of risk involves 5 key stages:
- Prepare
- Protect
- Assure
- Detect
- Respond
At each of these stages, there are processes and actions that you can put in place to help protect your organisation and deliver cyber security risk management within your business.
The first and very important stage is PREPARE. This is where a business needs to identify its current position and its security objectives, and set out a strategy and plan for moving forward. Aspects to be considered here include:
- Cyber security frameworks such as ISO 27001, NIST and Cyber Essentials
- If you manage payments, you should also consider the PCI DSS framework
- The requirements for GDPR compliance
- Data discovery
- Business Continuity Planning
- What training your employees may need
The second stage is PROTECT. This is the phase in which you implement processes and services that improve the protection of your business and remediate any issues identified at the prepare stage. For example, implementing a cyber security framework is a key component in helping to protect your business.
The third stage is ASSURE, which is the checking and testing of your security. With threats continually evolving, it is important to regularly monitor your security and remediate any gaps. Most cyber security frameworks require annual audits to confirm that protection remains in place. Even if you don’t have a cyber security framework in place, it is a good idea to engage an independent annual security audit to provide assurance that your business risk is continually managed.
The fourth stage is DETECT, which is where you engage in activities that test how exposed your business is to unauthorised access. As well as security audits, data discovery, social engineering and penetration testing, any organisation should also consider physical breaches. Are you aware of the latest types of attacks and tools that criminals are using, or would you prefer to use a threat and vulnerability management service to keep your organisation on top of this? What about engaging a supplier to monitor, assess and defend you from attacks? This is known as a SOC (Security Operations Centre), and engaging a supplier to deliver it can be a cost-effective way to obtain this service.
The final stage of the lifecycle is RESPOND. As we said before, you should be running the security of your organisation as if it is preparing for an attack, not loosely, just in case you are attacked. Any business should have processes in place to respond to a breach in a way that minimises the impact and downtime to the business (and the ICO would want to see proof of this if you do have to report a breach as part of your GDPR compliance). Questions to ask include:
- How do you respond to an incident?
- How does your business recover from a breach?
- How regularly do you train and induct new staff to your security processes and procedures?
- What is the process in place after a breach to evaluate and improve your protection and reduce your risk?
This then feeds back into the prepare stage of the continual lifecycle of cyber security risk management.
There is much to consider here, but we wanted to provide you with a complete high-level overview of what you should be considering for your business. By being proactive rather than reactive about cyber security, any organisation can better manage budgets and change, minimising the impact on the day-to-day operations of the business whilst building protection. Many customers now look for suppliers with strong security protection in place before engaging them, so there is also a strong business case for implementing change in your organisation.