Cyber security is often considered a top priority for senior management; however, few organisations have taken action to guard against this evolving threat. This is demonstrated by the Australian Cyber Security Centre’s Small Business Survey, which found that 80% of businesses say cyber security is a top priority for their senior managers, yet 48% admit to spending less than $500 to secure their organisation. The survey also revealed the scale of the threat: 62% of organisations have experienced a cyber security incident. So if this is a top priority, why have so few embarked upon the journey to protect their organisation from attack?
The trouble may be that with headlines describing state-sponsored hackers, teenagers in their bedrooms bringing large corporations to their knees and even the devices in your house being compromised to launch attacks on a global scale, it’s hard to know what steps to take first. For many senior managers and board members, the cyber security threat landscape and how to navigate it may be akin to the maps of ancient times marked with “here be dragons”, and maybe that’s why few have ventured down this path!
However, every organisation can take simple steps to greatly improve their security defences by identifying their key data assets, implementing a number of basic security controls and over time evolving their approach to provide a holistic defence against a range of security threats. But first, let’s look at what data security is really all about.
Where’s your passport?
When it comes to your organisation’s key data assets, sometimes we don’t treat these with the level of security they require. Consider the most important data asset in your organisation; it may be a commercially sensitive business plan, a brief for a new product or perhaps highly confidential personal information relating to your customers. Whatever it is, consider how many people have access to that data, the locations where it may reside and what would happen if it were compromised. For many businesses, a breach of an asset this sensitive would result in severe brand reputation damage, potential loss of business and maybe even financial penalties, yet often little has been done to safeguard these vital data assets.
On the other hand, if you were asked where your own passport is, it’s likely you’d have a good idea. To many of us it’s a crucial document allowing us to pass through international borders for business trips or that well-earned break. It’s a crucial asset and we protect it as such, checking its location every five minutes as we await check-in at the airport, locking it in a safe in our hotel room and always taking precautions to ensure it’s up to date, valid and available when we need it.
Essentially we protect our passport’s confidentiality (guarding it from those who shouldn’t have it), its integrity (ensuring its details are accurate and up to date) and its availability (by ensuring it’s available when we need it). These three aspects are often termed the 'CIA' of security and that’s where all good security strategies start. The key is to take this same approach with our organisational data.
Start with what you’ve got
The first step in protecting your organisational data is to understand what you have. It may seem obvious; however, as organisations grow, the location of different types of data and who has access to it is often not well known. Consider highly confidential spreadsheets which get emailed around an increasing number of staff, received on personal devices and stored in a variety of repositories. The risk to these data assets is often far beyond what many organisations would accept if they knew the risks.
Therefore, the starting point for any security strategy is understanding what data we have, its location and its value. Value can be defined in a number of ways in terms of sensitivity, legal and compliance requirements, cost to replace or better still, in terms of how valuable we consider the confidentiality, integrity and availability of that data to be.
Once we have a good handle on the data assets we hold, we can then perform a risk assessment of these assets. Consider the risks to confidentiality, integrity and availability which these may face. Risks could include external threats like unauthorised access to key IT services, such as email, or the risk of data corruption, e.g. by a ransomware virus. However, it will also include a large number of non-technical risks, e.g. data accidentally being forwarded due to human error, or a lack of user training resulting in data being available in the public domain.
Once we understand the risks and have identified those which we are happy to accept and those which we’re not, we’re now able to select the most appropriate steps (or controls) to reduce these risks and further protect our critical data assets.
Select your security controls
There are a range of frameworks and best practice standards which can help determine the most appropriate security controls. Here are three approaches we recommend to enhance your approach to cyber security:
1) ACSC Small Business Guide
The Australian Cyber Security Centre (ACSC) has developed a range of resources to help organisations protect themselves. This often starts with getting the basics right rather than having to spend lots of money on consultancy or expensive toolsets.
A great starting point is the ACSC Small Business Guide. This short publication outlines three core areas:
- Understanding the cyber threat
- Software Considerations
- People and Process Considerations
Armed with this information, businesses can start to put the building blocks of security in place to protect themselves against the most common cyber threats.
2) The Essential Eight
A good next step is found in the ACSC’s Essential Eight framework which outlines eight key steps organisations should take to safeguard data from the most common cyber attacks. These include technical controls designed to ensure your critical information is always protected including maintaining regular backups, updating operating systems with security patches and enabling multi-factor authentication (MFA) when accessing critical systems remotely.
The Essential Eight Maturity Model also helps organisations to benchmark the effectiveness of their controls and design a risk-based plan to enhance their technical security controls.
3) ISO 27001
ISO 27001 is often seen as the ‘gold standard’ in approaches to protecting organisational assets. This standard sets out the requirements for an 'Information Security Management System (ISMS)', which is designed to ensure a robust and consistent approach is applied to safeguarding organisational data. In addition to a risk methodology, the formation of security policies and training programmes, the standard also outlines 114 controls which organisations must evaluate to determine whether they are appropriate for their organisation. These controls range from encryption technologies, access control systems and backup processes to supply chain vetting procedures, legal compliance measures and business continuity plans.
The standard is based on the 'Plan, Do, Check, Act' cycle, which drives the process of continual improvement. Therefore, once the identified security controls have been implemented, the organisation must undertake internal audits and conduct management reviews to ensure that the effectiveness of security controls is measured and that identified improvements are tracked to completion, in order to continually improve the ISMS.
Focus on continual improvement
Whatever approach you choose to adopt, the key is that a culture of security awareness and continual improvement is established within your organisation. It’s crucial that security is not just seen as a job for the IT department, but rather that stakeholders from across the business are engaged to develop a holistic, pragmatic and effective approach to guard against the evolving threats we face in our digital world.
We regularly conduct free cyber threat briefings for our clients. If you would like us to arrange an overview of the evolving threat landscape and explain how you can keep your business cyber secure, please get in touch!