Cyber security and risk management
Updated 21st February 2019
Getting to grips with the basics
In an age of data breaches and privacy concerns, cyber security has rapidly moved to the frontline of the fight against business risk. You and your employees are handling and storing increasing amounts of sensitive data on a daily basis. It’s your duty to customers, suppliers, the public, and your own business, to keep that data safe and secure.
Unfortunately, cybercriminals are a cunning lot, with ever-evolving tactics to break through your defences and get at your most valuable files. For your customers and network to be confident that they can trust you with their personal information, a comprehensive risk management strategy and some solid cyber security are essential.
We’ll go through the basics here:
Your risk management strategy should be at the core of all your cyber security protocol. So let’s start with what that should entail.
What’s important to your organisation?
Getting cyber security and risk management right is much easier if you know your organisation inside out. The first step is to think about processes and information that are crucial for your operation. What would happen if you lost control of a certain resource? Could you function until the issue was solved, or would you have to suspend operations? Understanding what’s most important to you (and why) will let you prioritise effectively what you need to protect.
Consider worst-case scenarios
In the risk-management business, it always pays to think bleak. Running through worst-case scenarios in which crucial systems are compromised will enable you to spot and strengthen weak points. Working backwards from hypothetical disasters will help you to understand the many ways in which problems can arise. It will also let you prioritise and take measures against the most likely scenarios.
Understand that you can’t be totally risk-free
There’s no such thing as a totally risk-free business. Disastrous thinking can really help you to manage risk – but do keep it realistic. There’s no need to stress yourself out by trying to eliminate every tiny little element of risk. Prioritise.
See the bigger picture
Cyber security is important, for sure, but sometimes its benefits need to be balanced against your wider brand and business operations. For example, asking your subscribers to re-enter their password every few clicks will certainly enhance your cyber security. But it will also frustrate your subscribers and have a drastic impact on your user experience. So, think holistically when considering the threats you face.
Get the facts right
Given how few people understand the complexities of coding and data science, cybercriminals have acquired a semi-mythical status. Hence, there are a lot of unsubstantiated myths about cyber security floating around. For example, you’ve probably heard a lot of doom-mongering about how risky cloud storage is (this myth is so prevalent that many organisations are investing in heavy-duty hardware for data and document storage), when in fact the cloud has security software and security teams far in advance of anything most organisations can invest in themselves. So, do as much research as you can, and, if you’re unsure about what is true and what is rumour, always consult an expert.
Moving on more specifically to cyber security, here are some of the key fundamentals that you should have in place:
Secure your configuration
This isn’t as complicated as it sounds. The ‘configuration’ of your network is basically how it’s set up – the controls and flow processes you’re using, including default passwords, auto-run features, etc. A lot of businesses just use the default settings that their software and network controls come with, which is easy to do, and we tend to naturally trust the software companies to know what they’re doing. However, the default isn’t always what your particular setup needs. Look a bit deeper into your network configuration and, based on where your particular vulnerabilities lie, spend some time tailoring it to meet your own security needs and standards.
Check your connections
Your network connections – that’s anywhere your own systems connect to an external network, including the internet – are primary targets for attackers and viruses. These points, including your broadband router and any wireless networks, should therefore be a security priority. If you can’t determine a clear boundary for your network, think about where your sensitive data is stored, how it’s accessed and from where. Then heighten your cyber security measures around those areas. Think about remote workers as well, who may be connecting to your system via mobile or VPN.
Vet privileged users
‘Zero trust’ policies are becoming increasingly common in cyber security. What a ‘zero trust’ policy means in practice is vetting everything – including those with administrator or other privileges on your network. Make sure that everyone who has enhanced access to your cyber systems is trustworthy, and that high levels of privilege are granted sparingly. It sounds harsh, but, if you implement this across the board, nobody will feel singled out.
Have fire-fighting policies
This harks back to your risk management strategy. You can’t totally risk-proof your system, so it makes sense to be as prepared as possible, in order to minimise any damage and get back on track as soon as possible after a security breach. Identify potential worst-case scenarios, and devise incident management policies and response plans to fight these fires, if and when they break out. If you buy cyber insurance through Digital Risks, a response plan is included as part of the package – just so you know.
This is pretty basic stuff, but it bears repeating. Malware infecting your system can become a bigger issue than you might expect. Keep on top of developments in anti-malware technology, and be sure to have solid, up-to-date anti-malware policies in place.
Monitor your system
As with anything, you won’t know that something’s wrong with your system if you’re not paying attention. There have been numerous high-profile cases where a hack hasn’t been noticed for months, or even years after it actually happened. System monitoring these days is a team effort involving automated software and human analysis. The more closely you are monitoring your system, the more chance you have of picking up threats before they become an issue.
Cyber security sounds scary, but it really doesn’t have to be. If you’re paying attention to the latest developments, know your system well, and have a good risk-management strategy in place, you have nothing to fear. If you’re unsure about the risks you may be facing or the ways you can reduce those risks, there are plenty of experts out there who will be delighted to advise you. Don’t be afraid to ask for help on this one – it could save you a whole lot of hassle and pain later on.