So now we have confirmed what we already knew: the era of digitisation is bringing unimaginable opportunities for business innovation and differentiation. The big BUT is that our traditional approach to securing IT assets needs to be transformed to stay relevant in the emerging world of large-scale remote working, cloud-based applications and massive increases in connected devices.
Our starting point in addressing the new cyber security approach must be policy based. It is vital to have a policy that is agreed at Executive level. The policy needs to identify the risks to the business of compromised information systems, which could result in severe financial loss and reputational damage. The importance of securing these systems, and the roles and responsibilities of everyone in the organisation, need to be clearly communicated. Having an effective policy is not just a necessary step for good governance but also an important step on the journey to meeting statutory requirements such as PCI or GDPR compliance.
The policy must necessarily look at all aspects of day-to-day user access, processing and storage of information, identify the risks for each component, and identify the controls that are necessary to mitigate each risk. In a previous blog we identified some of these key controls, which include:
- Education and Awareness: train users to adopt a security conscious culture
- Securing Configurations: to protect systems from vulnerabilities
- Secure Network Connectivity: follow industry best practices and design approaches
- Managing User Privileges: ensure users do not have unnecessary privileges that can be exploited
- Effective Incident Management: reduce the impact of a cyber breach and aid speedy resolution
- Malware Prevention: ensure good anti-malware practices are implemented to prevent infection
- Systems Monitoring: detect how systems are used and if they have been attacked
- Remote Working: ensure that an effective secure remote working policy and controls are in place
All of the above controls (and more) will be necessary for GDPR compliance. One area that has to date often been ignored by SMBs is systems monitoring; this will certainly need to change, since GDPR requires detailed breach notification, and you cannot report a breach you have not detected.
The above policies and their associated controls could go a long way towards creating a more secure business environment that is able to mitigate risk before, during and after a cyber attack. So the simple message is that policy must underpin, and be the foundation for, any kind of technology or people solution for securing organisations against cyber breaches.
In the next edition of our blog, we will begin to explore what some of the technological solutions should look like and the benefits they could bring if correctly deployed.