This article is aimed at organisations that currently have a rudimentary cyber security capability, and that wish to make effective improvements without breaking the bank.
In a recent article ‘Basic Cyber Security Hygiene: 5 Inalienable Truths’ we highlighted the importance of strong baseline cyber security disciplines to any organisation, irrespective of size or maturity. In essence, we contended that:
What all this means is that taking a purely technical approach to securing your information via anti-malware, firewalls and DLP technologies (for example), will not take you nearly as far along your cyber security journey as you might think. That’s the bad news. Effective cyber security relies just as much on effective governance, a sound understanding of risk (and of the business), and the ability to influence as it does on purchasing the right bits of software. The good news is that there is plenty of well-respected guidance out there to help you get to where you need to be.
So, if your organisation is small-ish to mid-size – and your levels of cyber security (or lack thereof) are starting to cause you concern – here’s CRMG’s no-nonsense approach for what you can do about it. It’s fairly straightforward, but you really do need to do it all!
OK, so we said earlier that anti-virus and firewalls aren’t the be-all and end-all, but you DO need to have them. Before you embark on your cyber security improvement programme, at least make sure that all your computer systems are kept updated to the latest operating system version and have up-to-date anti-malware software and firewalls running. Ensure you’re taking backups and test that those backups can be restored if needed. If systems store particularly sensitive information, make sure the hard disks on those systems are encrypted (most Windows and Mac computers will have the ability to do this out of the box these days, without the need to buy additional software).
There are a number of well-known frameworks or standards that can (in effect) act as a guide to help make sure your beefed-up approach to cyber security will be fit for purpose and cover everything that it should. For small organisations, Cyber Essentials (a UK Government initiative) isn’t a bad place to start, but it’s quite rudimentary and larger organisations are likely to outgrow it fast. This is why we recommend taking a look at a broader ranging standard that will mature with you. The following three are all widely recognised:
Irrespective of the standard you choose, it will cover core areas that are critical to any cyber security programme worth its salt. Here are the areas addressed by ISO/IEC 27001:
|· Information security policies||· Cryptography||
· Supplier relationships
|· Organisation of information security||· Physical and environmental security||
· Information security incident management
|· Human resource security||· Operations security||
· Business continuity management
· Asset management
|· Communications security||
|· Access control||· System acquisition, development and maintenance.|
The overall point is that your cyber security programme will need to cover everything from setting the right tone from the top, through staff awareness, technical security measures, the ability to continue operating if something does happen, and how you handle information security in supplier and third-party relationships you might have.
You won’t necessarily need to implement highly complex or mature arrangements for each of the areas outlined above. The point is that you should at least have considered their relative importance and applied the gist of each area of good practice in a way that fits your own risk profile and requirements. As your business develops, you’ll be able to re-visit each area and make tweaks and improvements that keep you on track.
Before you start working on implementing your improvement programme in earnest, it’s a really good idea to assess what you already have in place, and the extent to which it’s working. You might be surprised at how many of the basics are already there.
To do this, we recommend conducting some sort of gap assessment against the standard or framework you’ve chosen. At CRMG we use our ‘Cyber Security Diagnostic Assessment’ – which is aligned either with ISO/IEC 27001 or the NIST Cyber Security Framework (you can choose which you’d prefer). If you choose to ask an expert third party to assist you, they’ll walk you through a defined process to get as much value from the assessment as possible. Here’s how CRMG’s assessment works.
i. To start with, we’ll hold a brief preparatory call to familiarise you with the areas the assessment will cover and how the process will work, and we’ll also share a planning guide to help you pull together the right information for the assessment
ii. A CRMG Consultant will spend about a day with you talking through your current cyber security approach vs. ideally where you’ll need to get to. By doing this, the Consultant will be able to complete a structured diagnostic assessment which will form the basis of our report
iii. Once we have understood your business and completed the diagnostic assessment, we’ll produce a straightforward report that sets out areas of cyber security you’re already applying and those where improvement is required given the nature and maturity of your organisation. The guidance will be pragmatic and aimed at producing a pragmatic and achievable improvement roadmap (see next step). The structure of the assessment of the report provides a really useful format for monitoring improvement activity in the future
iv. We’ll review the outcomes of the assessment with you and identify prioritised, manageable steps for improvement – along with sensible timelines for implementation. If required, we’ll stay on hand for you throughout to help you along your improvement journey.
Once you’ve taken your temperature and produced an improvement roadmap, you’ll be ready to embark on your journey. The big secret to success here is to keep it real. We’ve seen too many instances where organisations have tried to boil the ocean by implementing a complete cyber security programme in record time. You don’t need to implement highly mature procedures everywhere. Prioritise! And where possible, break activities up into mini-projects that can be managed in their own right by experienced staff. The assessment stage will have helped you identify the things you’ll need to focus on first, but you’ll need to keep a regular tab on progress and make the odd tweak along the way in line with business priorities, resources, emerging threats and so on.
If you are in a place where you’re concerned that your organisation just isn’t doing enough to understand the cyber threats and put in place steps to make improvements, you’ll need a sensible, manageable action plan. What we’ve set out here isn’t rocket science, but it’ll start you on your journey and hopefully help you sleep a little more soundly at night. And if you’d like to take us up on the offer, we’re here to help you.
About the author
Co-Founder & Director, CRMG