2016 was a year of some very well documented security breaches including Tesco Bank, Sage & Kiddicare among others. There is an air of inevitability about the next big security hack; a case of when, not if.
As we look forward to 2017, many organisations will finally get round to thinking about the implications of GDPR and, yes, Brexit does not mean that the UK can ignore this new legal framework.
In the aftermath of the TalkTalk data breach, MPs recommended appointing an officer with day-to-day responsibility for protecting computer systems from attack. Will we therefore see changes at the C-level as organisations look to appoint a CCSO (Chief Cyber Security Officer), perhaps even replacing the CISO?
As we witness breaches occurring in organisations large and small across all sectors, as we await the introduction of major legislation (GDPR) that impacts cyber security, and as we may even see organisations appointing C-level cyber security personnel, are we fully aware of our cyber readiness? What is the current state of your organisation’s cyber security? Could it be time to conduct a thorough check on the health of your cyber defences, on your contingency plans in the face of such attacks, and on your overall cyber risk?
So, why should you be checking on the state of your organisation’s ‘cyber health’? The following pointers are in no particular order of importance.
- You will have a clearer picture of your business and the digital assets upon which it depends. There needs to be a very clear understanding of the information held and its true value – this is fundamental to providing secure information management. Not all information can or needs to be protected to the same degree.
- You can decide on an overall risk strategy that you intend to manage. The risk strategy will include ideas such as outsourcing, the use of encryption and checking on suppliers or those with whom the organisation trades electronically.
- Include active cyber defence management as an equal stakeholder in the strategy. Cyber defence management has to be proactive and must attempt to look forward at what might affect the organisation in the future. To date many organisations have had a reactive policy or, worse, a passive “wait and see” policy.
- Quantify and evaluate the business impact of data loss or business outage for your organisation. A clear understanding of the risks the organisation is prepared to accept will help to focus the mind on the more valuable and important information assets. A business impact assessment (BIA) is a fundamental starting point in cyber security. A good assessment will help to ensure you are spending money in the right places and to appropriate beneficial effect.
- Break your strategy into the operational risk management of lifecycles covering training, equipment, personnel, information, policy, organisation, infrastructure and logistics. All these elements must be present in the organisation throughout the lifespan of any piece of information. Each needs assessment to see what is in place and what is missing. The gaps then need to be considered and dealt with appropriately and a programme of work designed and implemented to address them.
- You can identify and assign a responsible “Champion” to each business asset and defensive strategy, ensuring that their purpose is clearly business driven. Local champions who can advise, guide, answer questions, feed back issues and generally act as the senior managers’ eyes and ears in the workforce are a very effective strategy.
- You will be able to map data and information flows and the security architecture will help to identify where there are issues or areas of weakness. The interconnections are often a weak point between strongholds of security. Mapping the dependencies might also highlight unexpectedly critical pieces of data that affect the most important processes in the organisation.
- Benchmark how well the organisation currently performs against each of these controls using known cyber security outcomes, and publish the findings to the risk board and Non-Executive Directors. An assessment based on a number of the best practice models available in the UK, the USA, Australia and elsewhere should provide a comprehensive report on the maturity of the controls in place, whilst also identifying any gaps between the current state and best practice.
- You are able to agree plans that include the cost to remediate problems, to transfer risk to insurance, or to decide what you are prepared to self-insure. Any planned improvements to security, including culture change, must be properly planned, managed, funded and delivered. This must start small and develop – it is not possible to change the world at once, so start with, say, checking on paper documentation, or with one department or office location, and then grow into all areas over time.
Andy Taylor, Lead Assessor, APMG International