There are ever increasing threats to businesses in cyberspace: DDoS, ransomware and phishing, to name but a few. There are some proactive steps you can take as a business to help mitigate these threats:
1. System Hygiene
Everything starts with a proactive and managed approach to keeping computer systems clean and secure: having software monitoring desktop machines for intrusions, making sure that all routers and firewalls are configured correctly and running the latest operating systems, ensuring that staff do not plug unknown devices into their machines, and so on.
All of these activities, if treated as routine maintenance tasks, will stop the basic low-level issues from becoming major ones. It's a small investment in time and money that has a disproportionate effect on keeping your business safe, and, like insurance of any type, you'll be glad you had this approach in the long run.
2. Planning
Plans are fundamentally useless: as soon as something goes wrong, it's typical that the incident does not match the plan. But the planning process itself is a vital weapon. If the senior management team understands how to react to a cyber-attack and has a number of documented options available in advance, it can act quickly to stop a problem from escalating. The senior team needs to contemplate all forms of possible attack and create a response for each flavour of incident. Those responses should be made available to the staff and reviewed at regular intervals.
Training key staff members on how to respond to an attack is vital.
3. Risk Profiling
Not all cyber-attacks are created equal. It's a positive position to be in if a company can recognise patterns of attack, what may have already happened and what comes next. This allows a far greater capability to create a bespoke defence to different problems and to know when to act and where to look. Different company digital assets may require vastly different approaches to keeping them secure; most cyber-attacks will not be beaten by a one-size-fits-all approach. Create different risk profiles for different attacks and have a fit-for-purpose response for each.
4. Metrics
During a cyber-attack it's most unlikely that you're going to have the option to work in high levels of detail. It's more important that you act quickly than that you act precisely. Focus on being able to be agile with your responses, using rough figures and estimates rather than precise numbers. It means that your attacker is forced to do the same, increasing the likelihood that the attack will stop, and it avoids your response grinding to a halt because of analysis paralysis. Run simulations, record numbers and create ranges that you can recognise, and define what response is appropriate for each range.
5. Risk Mitigation
Your company needs to spend time and money to mitigate the risk of a cyber-attack. Some of these seem common sense, and yet a lot of companies still fail to ensure they are in place:
Training: Make sure all your staff understand their role in cyber security and actively engage with them in discussions around how the company's protective stance can be enhanced.
Certification & Compliance: Even if your company is not software or tech focused, make sure that you go through the ISO9001 and ISO27001 certifications. Stick to the rules and regularly retest yourself. These standards are there to help you defend your company and its information security.
Policy & Procedure: Write specific processes and policies for the company to use that enable new habits to form among the staff. Bring Your Own Device policies, rules on portable hard drives, policies on accessing external systems and physical security mantras will all help mitigate risks.
6. Cyber Insurance
In the modern era it would be remiss for companies that hold personal information or sensitive data not to have cyber insurance. These policies cover the loss of data or information from IT systems or networks. The average cost of a cyber-security breach is £600k to £1.15 million, so typically carrying £2.5 million of cover seems a minimum policy amount. There is some good guidance on cyber-insurance cover available from the Association of British Insurers.
7. Go!
Press the go button and put everything into place. It's often the case that plans around cyber-security are left unimplemented because of the "it can't happen to us" syndrome. If you've gone to the extent of the planning, then the implementation should be easy and straightforward. Don't be the victim of a cyber-attack for the sake of taking the last steps of implementing your cyber-security strategy!