Where to start?
This article isn’t aiming to highlight the considerable risk cyber threats present to a modern business. That is (or should be) well known by now, and all the facts, stats, and tacit understanding of the level of threat are widely publicised. We all need to keep our businesses running and the team productive, but if a serious cyber-incident occurs there may be little left of a business to run. So, the question that rarely gets answered is: where to start?
Start with a plan
What is your current status and threat level? How protected are you? This may start with some discussions with a specialist, but it can simply begin with a review of the data in your business. Most organisations don’t intrinsically know where their critical data sits, who has access to it, or how it is exposed to the outside world. Understanding this should be the first step in the plan.
Once you understand your current status, the next step in the plan should be a gap-analysis. Even if you have undertaken some security measures, either from recommendations externally or your own internal IT team, you need to understand what has been done, and what remains. What are your known threats, and what are the ‘unknown unknowns’?
By conducting a thorough cyber security assessment, you can evaluate existing policies, technology, and overall levels of employee awareness. An external review is always recommended, even where there is an internal IT presence: staff may be extremely capable network and system administrators, but they often lack the in-depth security knowledge necessary to comprehend all facets of the subject matter. Additionally, and arguably equally important, an external review removes the inherent bias that exists in current team members.
Cyber security isn’t an ‘action’ you undertake, it’s a roadmap: an ever-evolving voyage towards ensuring your business is as safe and protected as it can be, with the resources you have available. Now that you have an understanding of where you stand (often referred to as your ‘security posture’) and what some of the risks are, you need a map of the actions you are going to take. This needs to involve a schedule and a budget. Your most considerable threats are internal, so with some time, effort, and understanding, you can cover a lot of risks without a world-class enterprise-grade Jeff-Bezos-trust-fund budget. Solid policies and practices will be your strongest foundations.
It’s important to recognise that your initial security review is a snapshot in time, not a safeguard against future, still unknown, threats. As technologies advance and businesses grow in every direction, new risks and threats emerge. The landscape is ever-changing and your roadmap must take this into account. Schedule the tasks, the check-ins, and periods of time for specific focus on key areas of the business (these should have been highlighted in your initial security assessment).
Training, Reiteration, and Review
Now that you know your position, understand the risks, and have planned the tasks you’re going to undertake to improve your posture, comes the painful part: your staff need to be trained and consistently reminded of the importance and relevance of their involvement in solid security practices. 34% of data breaches reported in 2018* were due to insider threats. This can be anything from careless workers to malicious employees (recently excommunicated employees!), but the biggest threat is human error. The more aware your staff are, the better protected you will be.
andersenIT is offering customers a free vulnerability and security assessment this month which will provide the insights needed in developing one’s roadmap to prioritise the tasks required to achieve a robust security posture. Please fill in your details and we will get in touch.
*The Verizon 2019 Data Breach Investigations Report