What can you do to manage your Cyber Security?
26 July 2023.
Cyber Security is a subset of the wider topic of information technology. It applies to the protection of data stored online or when using online services.
Cyber Security is clearly a topic that has everyone's attention at the moment. And rightly so. We are all increasingly reliant on information technology. While it brings enormous benefits, it also brings risks - and those risks can be catastrophic. But they don't have to be. There are steps that even a small business can take to reduce its risk profile while still partaking of the benefits of online connection.
In some of our blog articles we have gone into some detail about different elements of information security and the ISO 27001 standard. In this article, we'll outline some of the basic elements that your business can put in place to manage your cyber security.
You won't be surprised to learn that there is no silver bullet, no single thing you can do to 100% protect your business. The best that anyone can do is apply layers of controls - each of which reduces risk and enables a more secure working environment. We might call them Defence in depth.
Our list of basic steps is as follows:
Leadership and commitment by top management
This is not actually a control that you can put in place. It's more a prerequisite step. A management system may be formal or informal, but it will only ever be successful with the leadership and commitment of top management. That is necessary to get the required resources applied (time, money, software and so on).
Top management will only commit if they see the initiatives are worthwhile. Here's something that may help: Recent studies indicate that 43% of cyber attacks are against SMEs and up to 75% of those SMEs may not be able to trade after the attack. A sobering thought for the owner or senior manager of any SME.
Identify assets and the risks they face
It's important to determine what your important assets are. Control A5.9 in the ISO 27001 standard requires an 'Inventory of information and other associated assets' to be kept. That is more commonly known as an Asset Register. It would include your important logical or information assets and the hardware that contains them.
Develop policies and procedures
Document and communicate a set of business rules to ensure that people know what is expected of them.
Having identified assets and risks, we need to implement controls to protect those assets and mitigate those risks. The controls could be far reaching. ISO 27001 alone lists 93 that should be considered. While that can be quite daunting, there's a lot that can be achieved with just some initial controls. It's important to take the first steps and 'pick the low hanging fruit'.
We shouldn't expect that people instinctively know how to spot a scam or how to play their part in reducing risks. Provide security awareness training, which should include phishing simulation.
Monitor and measure
Monitoring and measurement can include both automated (such as event logging) and human components. Carry out checks to ensure that procedures are being followed. In a formal management system that would include a programme of internal audits.
Respond to incidents
When an incident does occur, we need to have clear and efficient mechanisms in place to report it and ensure that action is taken to address the immediate issue and resolve any root causes.
Finally, we should have recovery plans in place so that we can bounce back quickly should a significantly adverse event occur. That is normally done as part of Business Continuity / Disaster Recovery planning. Develop a series of 'What if' scenarios and make plans to deal with them. Of course, the plans should also be periodically tested to make sure they work in practice.
Contact us if you would like help to plan your cyber security.