It only takes one person to compromise the security of the organisation that employs them and, statistically, one in 20 emails leads to a successful breach in which a cyber criminal steals a substantial sum of cash directly into their own bank account. Organisations need to acknowledge that cyber security is not just an IT issue: it is also a human and process issue, which requires education and awareness of cyber issues across the whole workforce.
All organisations must carry out a comprehensive assessment of the existing processes and procedures and identify what valuable assets (such as information and infrastructure) need to be protected. The relative importance of each asset and the cyber risk associated with them will influence what steps need to be taken to protect them. When assessing risk, organisations should also consider what potential impact there could be to their reputation, share price or ongoing ability to trade if the company’s assets were accessed, lost, stolen or otherwise compromised.
Incident Management Strategy
In the event that a cyber incident occurs, time will be of the essence. It is therefore important to determine beforehand what to do and who is responsible for doing it by setting up an incident response team. The team should include a representative from each of HR, technical, data protection, public relations and legal, together with a member of the board of directors. Training should be provided to the team at its inception and on a regular ongoing basis. Establishing incident management policies and processes improves resilience, business continuity, and customer and stakeholder confidence.
Employee Education and Awareness
Statistics show that 50% of cyber breaches are due to human error; if employees are not educated on the policies and procedures in place, those policies and procedures will be useless.
Organisations must embed risk management and cyber security knowledge within their workforce by providing accessible policies and ongoing training. The training must highlight the potential threats and provide practical guidance on what to look out for, so that all employees are aware of their personal security responsibilities to the organisation.
Data protection legislation provides that organisations in the European Union must inform the relevant data protection authority of any security breaches they suffer, the facts surrounding the breach, its effects, and any action taken by the organisation in response.
Network and IT Security
The network and infrastructure must be protected through anti-malware and firewall defences, intrusion prevention and detection systems, and ongoing monitoring and testing of the security controls. Organisations should pay particular attention to bespoke systems that are designed and maintained in-house, as these need the same level of protection and testing as off-the-shelf products.