Cyber Security - What's your strategy?
If you attended the #NorfolkGDPR conference on 13th March, 2018, thank you for attending and making this the biggest event so far for the Norfolk Chamber. It was also the biggest speaking event so far for me personally, and I really enjoyed being able to share my thoughts on the importance of Cyber Security for GDPR with everyone there, along with the great presentations from Alex, Tom and John.
You will have heard me speak about why Cyber Security is a critical part of your GDPR preparation, what the regulations say about it and the importance that the ICO places upon it. You will also have heard about the importance of having a Cyber Security strategy, based on a risk-based approach focused on your individual business.
Cyber Security Strategy
So what do I mean by a Cyber Security Strategy, why is it important, and why do many organisations not have one?
Like many things, you can approach Security strategically, or tactically.
Over the last few years, IT and our reliance on it to run our businesses has changed significantly, and continues to do so - fast. That brings enormous opportunities - but also new risks. As we rely more on IT, and particularly Data, so we suffer more if that data is unavailable or compromised. Compromise to the Confidentiality of data (think Personal Data under GDPR particularly) can lead to reputational damage as well as trouble from the ICO. There are many ways in which this can happen.
Our reliance on data and IT used to be less, and it used to be more straightforward to protect, before the advent of cloud based file sharing, tablet and mobile phone access and BYOD (Bring Your Own Device).
GDPR states that organisations must implement "appropriate technical and organisational measures" to protect Personal Data. Guess what? Good Cyber Security practice requires that too - but for all your data (and the systems used to store, process and access it). But establishing what is appropriate requires a strategy, and the decisions we make need to be justifiable, and demonstrable.
Effective Cyber Security needs to:
- Be based on the risks to your business
- Focus on the Confidentiality, Integrity and Availability of Data and Systems
- Consider People, Process and Technology
- Take into account ALL of the copies of data
- Evolve, constantly
- Include a plan to deal with incidents and breaches
The Cyber Security of many organisations is more tactical in nature, frequently based on technical solutions only. This leads to many gaps, which not only leave them vulnerable to ever evolving Cyber Threats, but also would likely fail the test of "appropriate" measures in the event of an investigation following a Personal Data Breach. Common reasons for this include:
- Belief that Cyber Security is just an "IT Problem" (Hint: It's actually a BUSINESS problem)
- IT Security that has grown "organically" over time rather than to a plan
- Focus on Technical Solutions only
- Lack of investment (Time, money, skills)
So What Next?
If you haven't started approaching your Cyber Security strategically yet in preparation for GDPR or just generally, here's a quick outline of steps:
- Understand what data you have and where
- Understand what, and who accesses it
- Consider the threats (and weakest links)
- Assess the risks and impacts to your business (and to Personal Data)
- Plan to reduce, mitigate (or accept, where appropriate), the risk accordingly
- Document those decisions
- Implement the plan, record progress, and evolve
It is possible for the right IT Professional or Senior Manager to drive this kind of strategy, but often there's a gap and/or disconnect between the Business and IT, as they frequently have very different perspectives. After all, IT Security has always been a balancing act between security and productivity, and it takes an amount of pragmatism on both sides to achieve this. Not always easy.
Enter the CISO
I came across this article today from Microsoft which outlines their recommended approach to Cyber Security strategy, which is very similar to what I've outlined above.
You'll note that this refers to a CISO - Chief Information Security Officer, who typically drives this strategy in an Enterprise Business. Many organisations smaller than enterprise level can't justify or afford a full time CISO, however the skills and experience they have can greatly increase the capability of an organisation to succeed at approaching Cyber Security strategically. More and more are considering a "Virtual" CISO or vCISO to assist on a part time basis, creating and driving the strategy, working with internal IT and/or external IT Teams and the Senior Management/Executive team, which can be a really valuable and successful option.
With the growing shortage of qualified and experienced IT security staff at all levels, outsourcing and virtual/part-time roles of this nature are likely to be a key resource going forward but can be difficult to come by, particularly in regions such as ours away from the bright lights and rich pickings of London, Manchester and the like.
At CyberScale, we're pleased to be able to provide this kind of service to our clients, to help build and implement a comprehensive Cyber Security strategy tailored to your individual business, in conjunction with your management team and IT team or IT service provider. We're also working hard on developing a range of packages jointly delivered by ourselves and local, trusted IT providers to provide a comprehensive managed Security service, again based on a tailored strategy. Watch this space.
Whether you're looking at Cyber Security because of GDPR or just because you've become more aware of the risks to your business, and whether you plan to do it yourselves, enlist a little help, or a lot of help, or whether you're not sure, the important thing is to get started.
Start to assess where you are. If you need help just with that piece, an initial Cyber Security Assessment or audit can cover this for you. Build a plan (our assessments always include this too), start with simple steps, and incorporate some quick wins to reduce your risks quickly. We'll cover some common ones in another blog. Include an Incident and Breach response plan.
Doing something is better than doing nothing. Once you get started, you'll start to build momentum, and all the time you'll be gradually reducing your risk.
If you're comfortable doing things yourselves, the NCSC and ICO (National Cyber Security Centre and Information Commissioner's Office) websites are great places to start, with some helpful content. If you need a little extra direction, please get in contact with us. There's no cost to you for an initial discovery consultation, and just that might provide you with the clarification and confidence you need to get started with approaching Cyber Security in a more strategic, and ultimately more effective, fashion.