So now we have confirmed what we already knew: the era of digitisation is bringing unimaginable opportunities for business innovation and differentiation. The big BUT is that our traditional approach to securing IT assets has to be transformed to stay relevant in an emerging world of large-scale remote working, cloud-based applications and a massive increase in connected devices.
Our starting point in addressing the new cyber security approach must be policy based. It is vital to have a policy that is agreed at Executive level. The policy needs to identify the risks to the business of compromised information systems, which could result in severe financial loss and reputational damage. The importance of securing these systems, and the roles and responsibilities of everyone in the organisation, needs to be clearly communicated. Having an effective policy is not just good governance; it is also a necessary step on the journey to meeting regulatory and contractual requirements such as GDPR or PCI DSS compliance.
The policy should, of necessity, look at all aspects of day-to-day user access to, processing of and storage of information, identify the risks for each component and identify the controls that are necessary to mitigate those risks. In a previous blog we identified some of these key controls, which include:
- Education and Awareness: train users to adopt a security conscious culture
- Secure Configuration: harden systems so that known vulnerabilities cannot be exploited
- Secure Network Connectivity: follow industry best practices and design approaches
- Managing User Privileges: ensure users have no more privileges than their role requires, so there is less for an attacker to exploit
- Effective Incident Management: reduce the impact of a cyber breach and aid speedy detection, containment and recovery
- Malware Prevention: ensure good anti-malware practices are implemented to prevent infection
- Systems Monitoring: log and review how systems are used so that attacks and misuse can be detected
- Remote Working: ensure that an effective secure remote working policy, and the controls to enforce it, are in place