With the proliferation of cyber attacks and data breaches, managing information security effectively is more important than ever. An integrated approach to people, processes and technology is critical to mitigate cyber risks, while an incident response plan should be developed in case the worst happens.
With that in mind, there are three key undertakings to improve the cyber security of your organisation.
Understand what your current risk exposure is
Many organisations don’t know what they are currently doing to mitigate information security risks. Worse still, they are in the dark about what the risks are and how they could affect the organisation.
This lack of understanding is reflected in the UK 2015 Cyber Risk Survey Report from insurance broker Marsh. It reveals that only 18% of UK firms admit to having a “complete understanding” of cyber risk, a significant fall from 34% one year ago. Meanwhile, the percentage of firms that have experienced a cyber attack in the past 12 months has risen to 40.3% (from 31% in 2014).
Identifying the organisation’s key assets and the relevant risks to these assets, together with the planned mitigation activities, is essential for pinpointing potential cyber security holes. In particular, the effectiveness of the risk mitigation activities needs to be assessed, and from there the focus should be on what needs to be improved.
A Cyber Health Check is often a sensible way for an organisation to approach the improvement of its cyber security posture. Offered as a service by IT Governance, it helps organisations assess their risk exposure and provides them with a prioritised list of costed recommendations for closing the gap between their desired security status and their current one.
Implement an information security management system
Implementing an information security management system (ISMS) is by far the most robust way to ensure an integrated approach to people, processes and technology when managing information security risk. An ISMS is a set of policies, procedures, processes and systems that manage information risks, such as cyber attacks, hacks, data leaks or theft.
ISO 27001, the international information security standard, provides guidance on the development, implementation and continual improvement of an ISMS.
According to research by the British Standards Institution (BSI), 52% of organisations that had implemented ISO 27001 were “extremely confident” about their level of resilience to the latest methods of cyber hacking.
Implementing an ISMS involves the whole organisation and helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
The ISO 27001 Certified ISMS Foundation Online course offers a great introduction to developing a best-practice ISMS using the ISO 27001 standard. The next course takes place on 4-5 August 2015, and there is a 30% discount for bookings made by the end of July.
Build a security culture
Report after report cites the insider threat as one of the major causes of data breaches. Unaware and uninformed employees may unwittingly open the door to those with malicious intent, but organisations often neglect (or badly misunderstand) the role of raising staff awareness when it comes to cyber security.
PwC’s 2015 Global State of Information Security Report revealed that only 51% of businesses had an information security awareness programme (down from 60% in 2013).
In his newest book, Build a Security Culture, Kai Roer emphasises that creating a workplace culture that promotes cyber security helps prevent many cyber attacks. The book addresses the human and cultural factors that are important in achieving organisational security, and provides advice grounded in the psychology of groups to help you develop your organisation’s culture.
In recent years, staff awareness e-learning has become an important component in the development of information security awareness programmes. It is easy to deploy and provides a cost-effective solution to raising security awareness.
Try the Cyber Security and Phishing Staff Awareness Course, which will help your employees to understand how cyber criminals operate, how they plan and execute their phishing campaigns, and how to spot and avoid phishing tactics.