Cyber Security Needs A Strategy
Many organisations are great at thinking strategically when it comes to their overall business but neglect to follow the same approach when it comes to Cyber Security, instead employing tactical “solutions” – or none at all.
This is a key reason why despite having made some investment in Cyber Security, organisations frequently suffer financial loss and/or reputational damage due to hacks, ransomware or other types of malware that somehow seem to circumvent the measures they have in place.
Over the last few years, technology, and our reliance on it to run our businesses has changed significantly and continues to do so fast. That brings enormous opportunities -but also new risks. As we rely more on technology, and particularly Data, so we suffer more if that data is unavailable or compromised. Compromise to the Confidentiality of data (think Personal Data under GDPR particularly) can lead to reputational damage as well as trouble from the ICO. There are many ways in which this can happen.
Our reliance on data and technology used to be less, and it used to be more straight forward to protect, before the advent of cloud-based file sharing, tablet and mobile phone access and BYOD (Bring Your Own Device).
Like many things, you can approach Security strategically, or tactically.
An effective Cyber Security strategy needs to:
- Be based on the risks to your business
- Focused on the Confidentiality, Integrity and Availability of Data and Systems
- Consider People, Process and Technology
- Consider ALL of the copies of data
- Evolve, constantly
- Include a plan to deal with incidents and breaches
The Cyber Security of many organisations is more tactical in nature, frequently based on technical solutions only. This leads to many gaps, which not only leave them vulnerable to ever evolving Cyber Threats, but also would likely fail the test of "appropriate" measures in the event of an investigation following a Personal Data Breach (if you’re not familiar with Article 32 of GDPR, check it out).
Common reasons for this include:
- Belief that Cyber Security is just an "IT Problem" (Hint: It's a BUSINESS problem)
- IT Security that has grown "organically" over time rather than to a plan
- Focus on Technical Solutions only (ignoring key things like policies and processes, user training and business continuity planning)
- Lack of investment (Time, money, skills)
So, What Next?
If you haven't started approaching your Cyber Security strategically yet, here's a quick outline of steps:
- Understand what data you have and where
- Understand what, and who accesses it
- Consider the threats (and weakest links)
- Assess the risks and impacts to your business (and to Personal Data)
- Plan to reduce, mitigate (or accept, where appropriate), the risk accordingly
- Document those decisions
- Implement the plan, record progress, and evolve
Whether you're looking at Cyber Security because of GDPR or because your clients are asking more questions around how you secure data they share with you, or just because you've become more aware of the risks to your business, the important thing is to get started!
Start to assess where you are. If you need help just with that piece, an initial Cyber Security Assessment or audit can cover this for you.
Build a plan; start with simple steps and incorporate some quick wins to reduce your risks quickly. We'll cover some common ones in another blog. Include an Incident and Breach response plan.
Doing something is better than doing nothing. Once you get started, you'll start to build momentum, and all the time you'll be gradually reducing your risk.
If you're comfortable doing things yourselves, the NCSC and ICO (National Cyber Security Centre and Information Commissioners Office) websites are great places to start with some helpful content.
If not, why not book a 30 minute call with one of our Security Consultants to get some more detailed advice on next steps?