Nine times out of 10, a loose carpet tile would be reported as a potential workplace health and safety issue. Cyber security should be looked at with similar scrutiny, writes Shane Bell.
A lot has happened in those 20 years to drive a cultural shift in the way potential workplace health and safety risks are perceived and dealt with in a business. I’m expecting a similar shift in the way businesses approach cyber risk but for now, businesses are really grappling with what to do about cyber security in the short term.
Having worked as a cyber security and information risk specialist for the past 12 years, my advice is to accept the risk and have a plan. If you don’t have a plan, you aren’t in the game.
The level of consciousness around workplace safety didn’t happen overnight, and it won’t work that way for cyber and information risk either.
To be in the game, a business needs a strategy to build and maintain resilience against potential attacks, quickly detect problems, and respond and recover as quickly as possible.
Given that any business, no matter the size or stature, faces cyber and information risk, there are some practical steps you can take to build up resilience and raise awareness:
1. Get a baseline by assessing your risk
I recommend undertaking a cyber resilience assessment, essentially a current state risk assessment. This is an opportunity to get an external, independent point of view about the challenges that need to be addressed and the opportunities to build a holistic plan. An independent view can be very helpful here.
In any event, what you don’t want is a glossy report gathering dust on a shelf, full of recommendations you aren’t able to implement. You also need to be wary of salesmen who conduct an assessment with the aim of selling further products or services, an increasingly common tactic in this field.
2. Implement a tailored and well-thought-out internal awareness campaign
Most companies think of awareness as e-learning modules and lectures, but this approach doesn’t engage employees and is more compliance-driven than risk-driven. Instead, I suggest carving out cyber security awareness as an internal program that is tailored and regular, so that cyber awareness and resilience become part of the overall culture of a business.
We need to be talking about cyber at board level, among the executive team, as well as across all other facets of a business. At the end of the day, the greatest risk may not be posed by external hackers or technology, but by our own people or trusted third parties, either intentionally or unintentionally. Driving awareness and “patching the human element” are critical to a successful plan.
3. No one-size-fits-all
Cyber criminals don’t discriminate by business size or bank balance. If you’re housing intellectual property, or the personal information of customers and employees, you are at risk. This means the budget allocated to improve cyber security can vary substantially, as can the prioritised needs of a business.
It can be tempting for smaller businesses to take out an insurance policy and leave it at that. While having cyber insurance is a good start, it isn’t enough, and should instead be treated as one element of a broader cyber security strategy that addresses the full cost of remediating a breach as well as the longer-lasting financial, brand or other impacts.
Resourcing is also a critical part of any strategy. Additional internal resources may need to be set aside and a balance of insourcing and outsourcing struck. This isn’t just an IT issue, which means that for some businesses an outsourced model is going to give the best value.
4. Test and train
You can’t have a plan without testing its effectiveness. You should be challenging yourself and testing your IT environment and your people the way “hackers” would. Most importantly, you should take the opportunity to make improvements and learn from the results when the test is complete.
This testing process could include penetration tests, phishing tests and social engineering scenario tests, which are linked to broader crisis management plans and enterprise testing.
Cyber is just as much a people-focused issue as it is a technical issue. It should be handled by the leadership of a business and not simply saddled on IT staff; it is a problem that is solved with collaboration.
Eventually, recognising cyber risk in an office will become as simple as recognising the trip hazard presented by a loose carpet tile. To make that cultural shift, we need to make more of an effort to understand “vulnerabilities” and to improve staff awareness and training.
Once we aren’t even talking about “cyber” in isolation anymore and we move towards resilience, we will be in a better place.
Shane Bell is the director of forensic & cyber at McGrathNicol.