With new threats appearing daily, cyber security is becoming increasingly important and complex, yet many business owners don’t have the bandwidth to take the trend seriously. Most news stories have focused on security breaches in large organisations. However, all businesses are vulnerable to security threats, especially if they lack the resources and expertise to implement operational and risk management policies. Cyber criminals are preying on this lack of expertise and target medium-sized enterprises because they are easy victims and can be used as a backdoor into larger companies.
It’s time to get organised and implement an information security management system (ISMS). This is a set of policies and procedures for managing sensitive data and ensuring your cyber security defences are up to the job.
The Cyber security breaches survey 2017[i], conducted by Ipsos Mori on behalf of the UK Government, revealed that 52% of small businesses identified a cyber breach or attack in the past 12 months. The most common types of breaches were:
- Those related to staff receiving fraudulent emails (72%)
- Viruses, spyware and malware (33%)
- People impersonating the organisation in emails or online (27%)
- Ransomware (17%).
For companies with limited budgets, cyber security can be a tricky task; however, getting “your ducks in a row” with an ISMS is a good place to start.
5 Steps to Cyber Security
- Leadership is vital – cyber security starts at the top of the organisation. If management leads by example, taking an active approach to the mitigation of cyber risk, others will follow. Understandably, leaders are often focused on building their business and not on complex policies and procedures. However, adopting a systematic approach promoted by a virtual online security officer (VOSO) as part of an information security management system takes away much of the time-consuming administrative burden.
- Education and awareness training – as revealed in the Cyber security breaches survey 2017, phishing emails and malware are the two biggest threats to organisations. Both of these exploit human behaviour, so it’s vital that staff are trained to recognise the threat and respond appropriately. Educating staff on the ways they could put data at risk helps organisations turn one of their biggest vulnerabilities (people) into an area of strength.
- Identify your risks – a risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme. Identifying the risks that can affect the confidentiality, integrity and availability of information is a time-consuming process. However, with regular reviews to identify threats and vulnerabilities, organisations can take steps to mitigate them by prioritising which risks need to be addressed in which order.
- Regular reviews – policies and procedures are the documents that establish an organisation’s rules for handling data. Policies provide a broad outline of the organisation’s principles, whereas procedures detail how, what and when things should be done. Together they provide a framework of do’s and don’ts for the organisation’s workforce on how data should be managed, and they train employees to offset the social engineering campaigns that are one of the main causes of a data breach.
A good ISMS will hold policies and procedures to ensure regular reviews are conducted with all employees, so that they stay up to date and policies remain effective. If a procedure isn’t working, it needs rewriting.
- The wonders of a dashboard – a dashboard simplifies the process of monitoring progress and improvements by providing a central location for plans, policies, best-practice advice and training information. Good dashboard software should guide companies through complex safety procedures, display compliance against selected standards, including GDPR, and provide online security training videos. A traffic light system lets business leaders know just how well prepared their organisation is to prevent a data breach or cyber attack.
It’s time to act
By underestimating the true impact a cyber attack can have on their reputation, and the disruption caused while management remediates the situation, businesses are putting themselves at significant commercial risk. Now more than ever it is essential to take action and reduce the risk of cyber threats. Without adequate protection, business leaders are risking their future business growth and development.
Managing risk from inside the organisation is vital and relies upon the application of a consistent set of policies and processes, backed up by continual employee training. Using an information security management system that incorporates leading cyber security standards will help keep companies safe. Business leaders can benefit from the expertise of online cyber security consultants at a fraction of the cost of traditional consultancy. It’s time to get those “ducks in a row” to create robust, best-practice policies with the help of a virtual online security officer.
[i] Cyber security breaches survey 2017 https://www.cyberaware.gov.uk/sites/cyberstreetwise/files/cyberstreetwisesmallbusinessreputationreport-2016-02-08.pdf
CySure is a cyber security company with offices in London and California. It was founded by cyber security experts with extensive experience in operational and risk management. CySure’s flagship solution, Virtual Online Security Officer (VOSO), is an information security management system that incorporates US NIST and UK CE cyber security standards to guide organisations through complex, emerging safety procedures and protocols, improve their online security and reduce the risk of cyber threats.
CySure also supplies organisations with cyber insurance to supplement their security strategy and offset crippling forensic and remediation costs in the event of a cyber breach.