The key elements of a cyber security plan

Once you understand the threats facing your organisation, it’s time to put in place a plan to defend against them. You don’t need to be an IT or cyber security expert to do this – an effective framework will help you make decisions based on common sense.

This guide will help you get started.

  1. Top management commitment

Cyber security is something that affects the whole business, so you’ll need the approval of senior management to implement an organisation-wide plan. Once you’ve persuaded them to commit to a cyber security plan, they will assemble a team to lead the project and provide the necessary budget and resources to do the job.

  2. Risk assessment

To prepare for cyber attacks, you first need to conduct a risk assessment to determine which threats to prioritise. You can do this by creating a list of threats and scoring each one based on the likelihood of it occurring and the damage it will cause. Anything that scores above a certain threshold (usually determined by the resources you have) should be prioritised.

This is, of course, a very broad outline of how risk assessments work. We recommend looking at the framework laid out in ISO 27001, the international standard for information security, for more detailed advice.

  3. Defence measures

With your biggest threats identified, you can start putting defences in place. Some threats will need to be treated with sophisticated tools that require expert advice, but most can be addressed with relative ease. Here are a few things to begin with:

  • Password policies ensure that employees know how to create a strong password and keep it private. This greatly reduces the risk of crooks or malicious insiders compromising accounts, which is one of the most common and easily avoidable causes of data breaches.
  • Two-factor authentication can further reduce the risk of accounts being compromised. It requires users to present at least two of the following factors: something they know (a password or code), something they have (e.g. a one-time code sent to a registered email address or mobile device) and something they are (biometric data). This might sound complicated, but you probably use two-factor authentication all the time. Consider ATM transactions: to withdraw money, you need a bank card (something you have) as well as the PIN (something you know).
  • Access controls ensure that employees can only view information that’s relevant to their job role. This reduces the risk of insider data breaches, whether malicious or unintentional. It also limits the damage a crook can cause if they compromise an employee’s account.
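
As an added illustration of the factor categories described above (this is example code, not part of the original article), the following Python check classifies a constructed list of authentication methods by category and reports whether a policy really draws on two distinct factors; the method names and the METHOD_FACTOR table are assumptions made for the example.

```python
"""Check whether an authentication policy is genuinely two-factor.

Constructed example: each method is tagged with the factor category the
article describes (know / have / are). A policy counts as two-factor only
when it draws on at least two distinct categories; two methods from the
same category, such as a password plus a security question, are two
steps but still one factor.
"""
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, PIN, security question
    HAVE = "something you have"   # bank card, device receiving a one-time code
    ARE = "something you are"     # fingerprint, face scan


# Assumed mapping of common method names to their factor category.
METHOD_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "bank_card": Factor.HAVE,
    "sms_code": Factor.HAVE,
    "email_code": Factor.HAVE,
    "authenticator_app": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


def distinct_factors(methods):
    """Return the set of factor categories covered by the given methods."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    return {METHOD_FACTOR[m] for m in methods}


def is_multi_factor(methods, required=2):
    """True when the policy combines at least `required` distinct categories."""
    return len(distinct_factors(methods)) >= required


if __name__ == "__main__":
    # The article's ATM example: card (have) + PIN (know) -> two factors.
    print(is_multi_factor(["bank_card", "pin"]))               # True
    # Password + security question: two steps, both "something you know".
    print(is_multi_factor(["password", "security_question"]))  # False
```

Running the script prints `True` for the ATM case and `False` for the password-plus-security-question policy, showing why a second knowledge-based step does not make a login two-factor.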

  4. Cyber resilience

Once the appropriate defences are in place, organisations can be confident in their ability to defend against whatever attacks come their way. But they must accept that some things are entirely out of their control. There is always the possibility of a technological failure, a user error, an undetected vulnerability or simply a crook who outsmarted best practices. In short, organisations must be prepared for a successful attack.

The best way to do this is by adopting cyber resilience. This approach combines cyber security and business continuity, enabling organisations to both defend against attacks and implement measures to limit the damage of a breach.

You can learn more about cyber resilience by speaking to one of our experts. All you need to do is simply fill in the form below and someone will be in touch shortly.