It’s a safe assumption that, by reading this article, you already understand that your organisation faces multiple threats from cyber criminals and, in many cases, your own staff. With that assumption made, I’ll avoid discussing these threats and I’ll get straight to the point: where you begin with cyber security.
Begin with the basics
An organisation that implements a basic level of cyber security will avoid 80% of cyber attacks. With a statistic like that thrown around, it’s hard to find a good excuse for not doing the basics – but what are the basics?
The UK Cyber Essentials scheme lists the following five controls as basic cyber security:
- Secure configuration: implementing security measures when building and installing computers and network devices, to reduce unnecessary vulnerabilities.
- Boundary firewalls and Internet gateways: providing a basic level of protection at the point where an organisation connects to the Internet.
- Access control and administrative privilege management: protecting user accounts and helping to prevent misuse of privileged accounts.
- Patch management: keeping the software used on computers and network devices up to date, so that it resists low-level cyber attacks.
- Malware protection: protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), with options for malware removal, so that your computer, your privacy and your important documents are protected from attack.
These five areas are very basic, and it’s incredibly likely that you’re already carrying out at least three of them at home – you just haven’t documented it.
The Cyber Essentials scheme is built around these five areas, and organisations can be certified to the scheme. To learn more about the scheme, I urge you to spend £3.49 and purchase the Cyber Essentials Pocket Guide.
The scheme is perfect for micro and small organisations.
Step it up a level
While the Cyber Essentials scheme does a great job of keeping an organisation safe, there are a lot more things an organisation can do to protect itself.
This is where ISO 27001 comes in, but it can be intimidating for those who haven’t run into management system standards before. On the plus side, training courses and learning materials are available for ISO 27001, which will help an organisation successfully implement ISO 27001 (or you can have someone do it all for you).
ISO 27001 describes international best practice for information security, and encompasses the entire organisation using a triple-pronged approach that takes people, processes and technology into account.
There is no denying that taking on an ISO 27001 implementation is a big project, but the benefits it brings to the table will make you quickly forget about any difficulties.
So how does ISO 27001 work?
An information security management system (ISMS) as described in ISO 27001 is a systematic approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives.
People, processes and technology are all involved in ISO 27001, recognising that information security is not just about antivirus software, implementing the latest firewall or locking down your laptops or web servers.
An ISMS helps you coordinate all of your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
You’ve given me two starting points, which do I choose?
Both Cyber Essentials and ISO 27001 work for organisations of any size, whether it’s just you working from what was previously the spare room or 500 employees across ten different offices. While ISO 27001 is clearly the more thorough approach, it does require more dedication and, of course, investment.