Many organisations process and store large amounts of personal and sensitive information that attackers may target for onward sale or distribution. Attackers may also target an organisation directly to extort or defraud it, gaining access to the firm’s financial assets.
If you are looking to create a cyber security programme for your organisation, these ten steps for implementing a cyber security strategy will show you what you need to consider, what needs to be implemented and the importance of risk vs. cost.
1. Risk management
Making risk-based decisions is crucial – most organisations do not have large budgets to spend on cyber security. So, part of risk management is about making informed decisions, striking the right balance between the threats your organisation might face and how you can address the low-hanging fruit and mitigate those threats most effectively.
Risk management in cyber security
Risk management underpins the other security domains: it ensures that the technology, systems and information you are protecting are protected in the way most pertinent to you, based on your risk appetite.
Some organisations will have a much larger risk appetite and be more willing to take risks. Others will operate in compliance-driven and regulated environments where they must meet specific regimes.
2. Engagement and training
Encourage senior leaders to lead by example; board buy-in is crucial. Senior leaders need to be a fundamental part of any engagement as individuals, and if you’re running cyber security programmes, it’s got to be little and often. Small bite-sized nuggets of training – you need constant reinforcement, but not to the detriment of people’s working day.
You’ve got to build an effective dialogue with your staff and support network. You’ve got to have champions, and recognise that people learn in different ways and at different speeds. You’ve got to have content that caters to that and helps people learn in those different ways.
Having themed campaigns at different points in the year, such as Cyber Security Awareness Month in October, can also help.
3. Asset management
You can’t protect what you don’t know about. So, integrating asset management into your organisation is key. That means understanding your critical services and functions, identifying all the associated data and technology dependencies you have, and deciding how you prioritise them.
You need to improve and validate that knowledge all the time, because assets are constantly being added, removed and deleted. Only keep what you need, and if you are removing assets, make sure it’s done in a secure way.
4. Architecture and configuration
This is more about how you design your systems. If you are designing software and platforms, understand what you are building and why you are building it, and make the system easy to maintain and easy to update.
Having huge amounts of branching code everywhere can be incredibly challenging, so compromises will have to be made; we are all going to be balancing user-centric requirements against security needs.
The compromises shouldn’t be on the security side. That doesn’t mean that security trumps user-centred design; it just means that security needs to be built into the design from the beginning. Make it easy to detect and investigate compromises when you are building your solutions and services. Having good alerting functionality is a key part of that.
5. Vulnerability management
Develop vulnerability management processes and disclosure policies. The Department for Culture, Media & Sport created 14 steps that you should take in terms of security by design.
Vulnerability management also covers how you manage your legacy equipment, including whether you need to segment it off from your core network.
6. Identity and access management
Being able to control your data and who can access it is a core staple of any good organisation. Appropriate identity and access management policies and processes will be required.
Consider multi-factor authentication on all your accounts, and employ security monitoring and detection to alert on anomalous and malicious behaviour.
7. Data security
You’ve got to protect your data where it is vulnerable, but protect it according to the risk. You shouldn’t be spending more on the detection and protection of data than the data is worth.
Not all data is worth a huge amount – personal data is obviously very important. Privileged data is very important. Commercial data is important. Intellectual property is important. But there are other categories of data that don’t warrant the same level of protection. So, you should tailor how you protect it.
Where you do protect it, you need to back it up. You need to make sure that you have online backups, but also offline backups. Follow the NCSC best practice on looking after your backups.
When you’re getting rid of data and sanitising any storage media, make sure the process is certified. When you get rid of old equipment, make sure it has been securely destroyed and handled in a way that you are comfortable with.
8. Logging and monitoring
You’ve got to understand what your objectives are around logging and monitoring. I see too many organisations that just get buried in logging data. They have great systems, but they are just in alert hell.
You’ve got to understand the logs that you need, the information that you want to protect, and what you want to be alerted on. You’ve got to have the playbooks for how you work with that, and you’ve got to turn the logs you generate into useful insights. Alerting should centre on the anomalous events that you care about, the things that are going to be challenging for you.
9. Incident management
As part of incident management, you need to develop your incident response plan. Incident preparedness is crucial – preparing your response plans and your capability, and practising them.
It’s no good having a 200-page response plan, because when something bad happens, no-one is going to be able to read it in time. You need small, concise playbooks that are worked out for everyone, from the board to the floor. Everyone needs to know what their part is in the event of an incident.
The best way to do that is through exercising, including desktop exercises. You’ve got to have your communication plans ready, knowing what you’re going to say to shareholders, how you’re going to deal with the press, and how you’re going to deal with regulatory authorities if you need to.
You’ve got to incorporate lessons learned from all those exercises and have support plans in place. Often with big incidents you may have an amazing internal team, but if the incident goes on for two weeks, that team isn’t going to be able to sustain it. They are going to get fatigued.
Having good support and retainer plans in place, with specialists who have forensic and deeper incident response capability on hand at the touch of a button or a phone call, is going to be very important if an incident becomes protracted.
10. Supply chain security
This is last on the list, but it could equally be at number one. Understand your supply chain, map it out, understand where there might be potential weaknesses, and embed security within your contracting processes.
When you are procuring from other organisations, understand what their cyber security posture and resilience are, and help support them to reach the level you need to be comfortable that they are an active and supportive member of your supply chain.
Cyber security training is a central pillar in keeping your organisation safe from hackers and cyber attacks, and in raising organisational awareness of information security. These are essential online courses that help protect the organisation’s information and customer data, secure IT systems and prevent data breaches.