It would seem that the majority of businesses are now aware that cyber security breaches are becoming more frequent, and are in fact part of everyday life. Regular news and media reports share details of data breaches, scams and hackers, with big, well-known companies receiving hefty fines. However, it’s not just big businesses that are targeted; small businesses are at risk too, and organisations of all sizes have a core responsibility to protect personal and sensitive customer data, which means building cyber resilience.
But how do you ensure cyber resilience? How do organisations know that they are doing enough to protect critical assets and to detect and react to cyber attacks?
According to Mark Oakton, Infosec Partners Security Director & Consulting CISO, building cyber security resilience entails evaluating the current situation, identifying your cyber security goals, designing strategies to achieve them, and always striving for continuous improvement.
As a strategic approach to cyber resilience is required, there are some big questions that organisations need to ask:
- Does your leadership see cyber security as a priority?: Cyber security issues threaten an organisation’s reputation, so cyber security is a core responsibility for all businesses and must be governed in any modern organisation, with CEOs and board members ultimately accountable. Leaders need a baseline understanding of the key issues in cyber security and require guidance in order to act on cyber security and cyber resilience strategy. According to a report shared by PwC, fewer than 40% of directors say that the board fully understands the cyber risks facing the business or that the board has sufficient expertise in cyber security. Does the leadership team really understand what’s at stake for your organisation? Is there a CISO on the board? Is cyber security a priority in your business? Cyber resilience needs to come from the top down and reach across the whole business. It’s not just ‘another job’ for the IT team: cyber security needs to be high on the agenda, and ideally have a place at the boardroom table.
- Does your company culture value cyber resilience?: Does your business have the right mindset? Cyber security strategy needs to run through the whole business and be closely aligned with business and staff objectives. All staff must understand that it’s critical to protect customers’ data and the company’s digital assets and operations. Do you regularly raise awareness of cyber security with employees? Is cyber security part of your employees’ objectives and competency framework? How do you keep staff up to date with emerging cyber risks? Do all team members understand the consequences of a breach, and what to do in the event of one?
- Is your organisation embracing emerging technologies?: Does your organisation understand the impact and risk of emerging technologies? As digital connectivity and IoT continue to be rapidly embraced, the increase in connected devices, smart technologies and cloud applications has been profound. As a result, the cyber landscape has shifted dramatically in the last few years, and the pace of change will continue to gather speed as both businesses and consumers realise the potential and opportunities of digital transformation. This brings new challenges. It can be hard to keep up with what this means for cyber security, especially as attackers always seem to be one step ahead. With any digital development, businesses must fully consider cyber security as an integral part of the solution and close gaps in the governance of these technologies.
- Is there a clear view of your organisation’s external ecosystem?: All players in your ecosystem need to fulfil their cyber security obligations. Do you have a clear picture of the cyber security risks posed by all of your suppliers and partners in your ecosystem? How seriously do your suppliers and partners take cyber security risks? They are an extension of your business, and so must also embrace cyber security as a core business value.
- How is your organisation measuring strategies and success?: With a deluge of data readily available within organisations, understanding the most important things to measure can be daunting. What are your cyber KPIs across the business, not just within the IT department? How will you assess your cyber strategies? Do you have the right information readily available to measure your cyber risks? How can you measure improvement? How do you ensure your business isn’t cyber complacent?
- Have you undertaken scenario planning for the inevitable?: Many businesses are well versed in having a tried and tested disaster recovery plan in place, but do you have a cyber incident response plan in place? PwC reported that only 15% of CEOs strongly agree that their company can withstand cyber attacks and recover quickly. Unfortunately, it is inevitable that your business will suffer cyber attacks, so you need a rehearsed plan in place to mitigate the risks when it does happen.
- Is your business 100% cyber compliant?: Regulators are getting more serious about organisations that don’t properly protect consumer data. With hefty fines that can run into the millions, you can’t afford to ignore your legal responsibilities. Do your controls meet all the legal and privacy compliance requirements? Are you fully compliant with everything that you need to be?
- Does your organisation allocate appropriate budget and resources?: Driving a cultural change, recruiting staff with cyber expertise, raising staff awareness, employing MSSP support, implementing the right monitoring tools, keeping all of your infrastructure, processes and data secure... It’s a big task. And it needs a big budget, right? Well, maybe, but when you consider that the average cost of a data breach in 2020 was about £2.9 million (Ponemon Institute’s Cost of a Data Breach Report 2020), can you afford not to invest in your cyber resilience?
- Is your organisation sourcing the right expertise to fill the gaps?: Cyber criminals don’t stop play at weekends or over bank holidays; in fact they ramp up their game at times when businesses are distracted, as the global pandemic showed us. So it’s important you get the right support in place to ensure your business is cyber resilient at all times. This is where Managed Security Service Providers (MSSPs) come into play. With specialised security analysts whose key purpose is the security of your systems, staff, data and critical assets, they more often than not have expertise and skills over and above your internal teams. Security is their business, so it can pay to call in their experts, especially to ensure you are spending your budget in the right areas.
- How confident are you in your organisation’s cyber resilience?: How confident are you in your organisation’s ability to protect its digital assets and sensitive data? Do you truly believe that your business is doing everything it can to be cyber secure? Be honest with yourself: if you don’t know, then it’s time to put more of a focus on finding out.
If you need help in asking the right questions, and getting the right answers, get in touch with the team here at Infosec Partners.