Protecting your organisation against cyber attacks can sometimes feel like a never-ending game of security whack-a-mole. As soon as you’ve secured one weakness, another one appears.
This can demoralise any organisation and make them believe that good information security practices are impossible.
However, there is a solution – but it requires a different way of thinking.
Organisations must stop looking at each individual threat as it arises and instead build defences that are equipped to handle whatever cyber criminals throw at you.
Doing that is simpler than it sounds. That’s because, as much as cyber criminals’ tactics evolve, they tend to follow the same basic methodology.
If your security measures account for the ways in which you are targeted, rather than specific forms of attack, you will defend yourself effectively from a range of attacks.
In this post, we outline five things you can do to improve the way you approach information security.
1. Support cyber security staff
The first thing you must do is ensure that your cyber security staff have the support they need.
Security teams often feel that they’re not given a sufficient budget or that senior staff don’t listen to their requests.
These problems stem from the fact that senior leadership generally lack technical know-how of cyber security, which would otherwise help them understand why the team is making their requests.
As a result, board members tend to view cyber security as an operational cost and overlook the benefits of investing in it.
That is to say, an organisation with an effective security program will not only have fewer data breaches but will also run more smoothly, with employees following best practices and avoiding mistakes.
Indeed, it’s worth emphasising that although cyber security is generally considered the IT team, its influence reaches the entire organisation.
Your security measures affect every department and every location – whether that’s the organisation’s offices, its servers or its remote employees.
You therefore won’t be able to make any significant progress until your board acknowledges the value of cyber security and provides an appropriate budget.
2. Conduct annual staff awareness training
If employees receive phishing emails and are unable to spot that they are scams, the whole organisation is at risk.
Similarly, internal error, privilege misuse and data loss are all the result of employees not understanding their information security obligations.
These are issues that you can’t fix with technological solutions alone. Organisations must instead support their IT department by conducting regular staff awareness training.
A study from Privatise Business VPN suggests that staff aren’t getting the training they need, with 53% of IT managers saying that employees need a greater understanding of cyber threats.
Cyber security training not only prevents data breaches but also comes with a range of other benefits.
We have discussed some of those reasons before, but in general, it boils down to making your business more efficient – in your day-to-day operations and your relationship with data protection regulators.
Training courses should be given to employees during their induction and then repeated annually.
3. Prioritise risk assessments
A risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme.
It’s the only way to make sure that the controls you choose are appropriate to the risks your organisation faces.
It does this by creating a system that helps you answer the following questions:
- Under what scenarios is your organisation under threat?
- How damaging would each of these scenarios be?
- How likely is it that these scenarios will occur?
Without a risk assessment, your organisation is liable to ignore threats that could otherwise have devastating effects.
Likewise, you might waste time and effort addressing events that are unlikely to occur or won’t cause significant damage.
There is, after all, little point implementing measures to defend against events that are unlikely to occur or won’t have much material impact on your organisation.
The best way to conduct a risk assessment is by following the guidelines outlined in the international standard for information security management, ISO 27001.
Its best-practice approach is built around the risk assessment process, helping organisations understand threats and solutions associated with people, processes and technology.
4. Regularly review policies and procedures
Policies and procedures are the documents that establish an organisation’s rules for handling data.
Policies provide a broad outline of the organisation’s principles, whereas procedures detail how, what and when things should be done.
This is another area in which ISO 27001 can help. The Standard contains a comprehensive list of controls that organisations may choose to adopt if they decide that they must address an identified threat.
We have previously discussed some policies that organisations should implement, which include those related to remote access, password creation and management, and rules on acceptable use.
By writing policies and procedures, organisations can ensure that employees understand their security obligations and cement the lessons taught during staff awareness training.
The more technical-minded policies also provide essential assistance for the security solutions offered by IT.
For example, you can security test a piece of third-party software, but if employees make basic errors – such as misconfiguring a database – it will undermine their efforts.
5. Assess and improve
The steps outlined here are only the starting point. Cyber security is an ever-evolving field, and your organisation must regularly review its practices to make sure they are up to scratch.
By following our guidance, you’ve created a framework that enables you to make changes efficiently and without having to substantially alter the way you operate.
For example, tackling a new threat might be as simple as creating a new policy or adjusting an existing one.
Likewise, it might be the case that your IT team needs to implement a new technology to tackle an emerging threat.
You already have a communication pipeline between IT and the board to discuss this, and the team should have an agreed budget to apply whatever changes are necessary.
How to achieve information security success
We’ve mentioned ISO 27001 a couple of times in this post, and for good reason.
The Standard contains comprehensive guidance on risk management, and is designed to help organisations manage their security practices in a simple, centralised system.
You can find out more about the Standard, and how you can adopt its requirements, by downloading our free green paper: Implementing an ISMS – The nine-step approach.
Our experts provide essential tips to help you get started with ISO 27001, explaining our tried-and-tested approach to get your organisation certification-ready.
A version of this blog was originally published on 19 March 2018.