This blog has been updated to reflect industry developments. Originally published Mar 19, 2018.
Protecting your organisation against cyber crime can sometimes feel like a never-ending game of security whack-a-mole.
Just as soon as you’ve secured one weakness, it seems as though another vulnerability rears its head.
But if you take a step back, you’ll notice that as much as the cyber criminals’ tactics evolve, they tend to follow the same basic methodology.
By implementing defences that tackle the trends rather than the specific weaknesses, you can mitigate the risk of any kind of attack.
In this post, we outline five essential ways of keeping your organisation secure.
1) Support cyber security staff
Cyber security staff often cite a lack of organisational support as their biggest concern.
They often feel that they’re not given a sufficient budget or that senior staff don’t listen to their requests.
These problems are inextricably linked.
Senior leadership generally lack technical know-how, and tend to view cyber security as a cost rather than a benefit.
However, cyber security affects every part of an organisation, from its staff to its physical premises.
It is therefore essential that organisations’ board rooms acknowledge the value of cyber security, and give staff appropriate budgets.
2) Conduct annual staff awareness training
If employees who receive phishing emails (which often contain ransomware) are unable to spot them, the whole organisation is at risk.
Similarly, accidental breaches, privilege misuse and data loss are all the result of employees not understanding their information security obligations.
Educating staff on the ways they could put data at risk helps organisations turn one of their biggest vulnerabilities into an area of strength.
Training courses should be given to employees during their induction and then repeated annually.
3) Prioritise risk assessments
A risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme.
It’s the only way to make sure that the controls you choose are appropriate to the risks your organisation faces.
Without a risk assessment, you could overlook genuine threats, or waste time and effort on the wrong ones.
There is, after all, little point implementing measures to defend against events that are unlikely to occur or won’t have much material impact on your organisation.
4) Regularly review policies and procedures
Policies and procedures are the documents that establish an organisation’s rules for handling data.
Policies provide a broad outline of the organisation’s principles, whereas procedures detail how, what and when things should be done.
The evolving cyber threat landscape makes it imperative that organisations regularly review their policies and procedures.
If a procedure isn’t working, it needs to be rewritten.
5) Assess and improve
Each of the steps listed here references the need to conduct regular reviews, but the assessment and improvement process is so important that it merits particular attention.
Every part of an organisation’s cyber security framework benefits from reviews of its effectiveness, but the process will inevitably take time and effort, meaning the frequency of reviews will depend on the resources you have.
How ISO 27001 can help
We recommend implementing to ISO 27001, the international standard that describes best practice for an information security management system (ISMS).
The Standard’s framework covers everything listed here, and is designed to help organisations manage their security practices in one place, consistently and cost-effectively.
We know that implementing an ISO 27001-compliant ISMS can be an intimidating task, especially if you have no prior knowledge of the Standard and don’t know where to start.
That’s why we’ve compiled implementation tips from the ISO 27001 experts in this free green paper, Implementing an ISMS – The nine-step approach.
Download your copy today to:
- Get to grips with the basics of an ISO 27001 ISMS;
- Discover our tried-and-tested nine-step implementation approach that will save you time and money;
- Establish important considerations for every step of your ISMS project; and
- Identify the challenges you may face when creating your ISMS.