A cyber security plan shouldn't be confined to your IT team - it's a company-wide undertaking.
Share this article
"We don’t need security...”… is not a statement you’d expect to hear at work, especially with our growing dependence on technology and having a modern, digital infrastructure. Everyone knows security is important and how it must be embedded into everything an organization does, to protect it from outside threats.
Your business’ security should be widespread and mainstream, but unfortunately, a quick glance at the latest news shows security culture has not kept pace with the threat landscape.
Keeping up with the relentless churn of updates can be challenging. However, it’s a worthwhile exercise, helping companies understand what’s currently happening, what could happen and what you can do to prevent disasters.
Enhance internal processes
With GDPR coming into swing, information security should be at the core of all internal processes. It’s imperative for every business to ensure it has a strong digital use policy, which addresses concerns about business travel, customer data, how it should be categorised and timely responses to security issues.
Some businesses will find they don’t need to implement new technology, they just need to better use what they already have in place and tailor it to their environment. For instance, maybe you already have a firewall in place, but you haven’t necessarily configured it to block all traffic originating in an area notorious for hacking.
If you do decide you need to put new security measures in place, it can be challenging to cut through all the marketing hype, when updating your digital infrastructure and choosing the right security packages for your company.
So, before purchasing, draw up a technology roadmap which coincides with all your company’s overall security needs and processes. Encourage collaboration on this with senior management who manage budgets across other departments.
You can then cross-compare where there are technology gaps in the organisation and see where budget needs to be prioritised or re-allocated to protect vulnerabilities.
Create a healthy culture from the top down
An organisation’s security culture is not something that necessarily grows in a positive way organically. It’s also bigger than just a single event. However, if you create a culture which is sustainable, you can transform security into a lifecycle that generates security returns forever.
Why does an organisation need a security culture? The primary answer is something deep down we all know. In any system, it’s very often our own team members and employees that can be the weakest leak.
Computers do exactly what we tell them, but the challenge lies with the human element and staff need a framework to understand what’s right and wrong when it comes to security processes.
Every individual should understand how to manage their electronic equipment and what to do in web-based scenarios. You should be able to test this knowledge by running security drills.
This means you’ll need to provide regular training for employees on the best I.T and security practices and check they follow through with what they’ve learned.
For example, companies today often send fake spear phishing emails out to employees for training purposes, to see who clicks on the links or attachments and whether they raise any issues to the relevant departments.
Clicking on rogue attachments is one of the principle ways malware invades a company’s network. It’s also one of the most common forms of ‘attack’ an employee will face, so it’s important they know what to do when these situations arise.
Try to make any training relevant to an employee’s life outside the organisation and show them how they can use what they’ve learned to safeguard their personal online lives as well, which will resonate far more effectively.
Make sure training takes place regularly from in-house or external experts and you break it down into manageable chunks. Avoid using too much technical language, which can sometimes leave employees feeling overwhelmed and even more confused, than they were in the first place!
“It takes a lifetime to build a good reputation and only minutes to destroy it…”… is the well-known saying often quoted by businesses, brands and well-versed PRs.
So, don’t make the same error as Uber, who tried to hide an enormous data breach (affecting 57 million customers) for nearly a year before Bloomberg finally broke the story.
The best action, (and more importantly your legal obligation!), is not to keep a security breach under wraps as this will only do more harm than good in the long run.
Customers have every right to know who has access to their data, how it’s being used and whether it’s protected. Transparency should be the central pillar of your internal cyber security policy and this should extend to them as well.
A stricter notification regime is also coming with GDPR, where every qualifying company must report major breaches to a supervisory authority within 72 hours, notify individuals of a breach with a high privacy risk for them and uphold a detailed internal data breach register.
If you’re one of the unlucky businesses to experience a breach, your customers should be told immediately. You need to let them know the estimated date of the breach; deliver a jargon-free summary of the incident; information on the nature of stolen the data and the procedures you’ve taken to prevent further harm.
Remember external partners
Research suggests when companies assess the security and privacy strategies of all suppliers, the likelihood of a breach falls by 20 percent. Correct and thorough oversight pays dividends beyond just compliance benefits.
However, there's been a recent influx of major cyber breaches which stemmed from third-party suppliers. For example; Equifax blamed its giant data breach on a flaw in an externally provided piece of software it was using. The problem only escalates when you think the risks don't always end when a supplier relationship finishes.
Once a company has all the required details about its vendors and which have access to sensitive data, there are several ways to regulate security. You could talk about the option of consistent vendor self-assessments, stipulate the need for customer visits and audits, or ask them to acquire specific cyber insurance.
If your company or an external supplier experiences a data breach, it’s essential to implement a structured response plan, outlining all the possible scenarios and the potential impact each could have.
You must categorise the critical online systems you have to keep running, and you’ll need a strong communication plan to inform customers, partners and the public in an organised and insightful manner before it hits the news desks. Have a single spokesperson and make a script providing answers to likely technical queries.
You also need to ensure the organisation stores, secures and retains all system logs in original forms so they are admissible as evidence.
While there are many benefits to a digital workplace, these do not come without risks and unfortunately, data breaches are now part and parcel of every business community.
However, building a culture of cyber safety into the heart of your corporation can help limit risks and defend your business reputation, so if the worst does happen, everyone across the organisation, from the top down, will be fully prepared.
Adam Louca is chief technologist for security at Softcat.