Organisations are always looking for ways to improve their security posture, but the process is often frustrating. As soon as they secure one weakness, cyber criminals find another one. But if you take a step back, you’ll notice that, as much as cyber criminals’ tactics evolve, they always follow the same essential method and exploit the same vulnerabilities. By implementing defences that tackle the trends rather than the specific weaknesses, you can mitigate the risk of any kind of attack. Here are five essential ways you can keep your organisation secure.
Leaders should support cyber security staff
Cyber security staff often cite a lack of organisational support as their biggest concern. By that, they usually mean that they’re not given a sufficient budget or that senior staff don’t listen to their requests.
These problems are clearly linked. Senior staff are generally not cyber security experts, and they often assume the field is little more than an IT problem. However, cyber security affects every part of an organisation, from its staff to its physical premises, and it’s essential that organisations’ board rooms acknowledge that and give staff appropriate budgets.
Staff awareness courses should be conducted annually
Two of the biggest threats organisations face are phishing and ransomware, both of which exploit human error. If employees who receive phishing emails (which often contain ransomware) are unable to spot them, the whole organisation is at risk.
Similarly, accidental breaches, privilege misuse and data loss are all the result of employees not understanding their information security obligations.
Educating staff on the ways they could put data at risk helps organisations turn one of their biggest vulnerabilities into an area of strength. Training courses should be given to employees during their induction and then repeated annually.
Risk assessments should be prioritised
A risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme. It’s the only way to make sure that the controls you choose are appropriate to the risks your organisation faces.
Without a risk assessment, you could ignore threats or waste time, effort and resources addressing events that are unlikely to occur or won’t cause significant damage.
Policies and procedures should be reviewed regularly
Policies and procedures are the documents that establish an organisation’s rules for handling data. Policies provide a broad outline of the organisation’s principles, whereas procedures detail how, what and when things should be done.
The evolving cyber threat landscape makes it imperative that organisations regularly review their policies and procedures. If a procedure isn’t working, it needs to be rewritten.
Every measure should be subject to continual improvement
Each of the steps listed here references the need to conduct regular reviews, but the assessment and improvement process is so important that it merits particular attention. Every part of an organisation’s cyber security framework benefits from reviews of its effectiveness, but the process will inevitably take time and effort, meaning the frequency of reviews will depend on the resources you have.
How ISO 27001 can help
To make sure your organisation follows each of these steps, we recommend certifying to ISO 27001, the international standard that describes best practice for an information security management system (ISMS). The Standard’s framework covers everything listed here, and is designed to help organisations manage their security practices in one place, consistently and cost-effectively.
If you are interested in certifying to ISO 27001, take a look at our gap analysis service. The service is ideal for those who want help getting started with ISO 27001 and provides detailed advice on the areas that need most focus.
One of our experts will conduct an in-person review of your information security posture and assess whether you are ready to begin an ISO 27001 implementation project. They will provide you with:
- A proposed scope of your information security management system;
- An overview of your internal resource requirements; and
- A potential timeline to achieve certification readiness.