In the third article of our series with Cyberscale, Darren Chapman talks us through the identification of cyber security risks and how you can mitigate the risk to your business.
- How do cyber risks arise in a business?
- How can businesses mitigate their cyber security risks?
- The ultimate line of defence?
Building a cyber security strategy for your organisation needs to be approached pragmatically, with a focus on understanding the risks you face from cyber crime. It is highly likely, with the threat landscape being so broad and fast moving, that a cyber attack on your business will happen and will have a significant impact.
As a consequence of these ever-increasing threats, cyber insurance rates are soaring and are accompanied by higher policy excesses and requirements for policyholders to improve management of data and network security. If insurers consider these to be inadequate, cyber insurance is often unavailable.
It is key to ensure that your organisation is aware of what cyber risks you are exposed to, and to develop appropriate measures to mitigate them before an exposure becomes real. Beyond this, the risk appetite of an organisation should accept that there will always be a certain level of exposure present when operating, but having a robust response plan embedded in the organisation allows for swift action.
Risk presents itself when policies or processes are not adhered to. Statistics show that human error accounts for 82% of cyber breaches, which includes social attacks, errors, and misuse; 62% of cyber breaches emanate from ‘threat actors’ purporting to be a genuine customer or supplier.
Protection from cyber attacks is often focused on securing IT systems, protecting devices, and tightening processes. Whilst these are vital elements of an effective security strategy, staff are a critical component of risk identification that must not be overlooked. Staff at all levels can present a significant risk for businesses both due to the increased likelihood of a vulnerability and the multiple ways in which their actions can lead to a breach.
A lot of time is invested in ensuring that internal or proprietary systems are kept as safe as possible from issues such as email compromise, phishing campaigns, and ransomware attacks, but all businesses operate within a supply chain that encompasses a wide range of systems providers enabling them to function effectively. By engaging with third parties an organisation is introducing additional risk to its operations. This is arguably unavoidable, as the proliferation of third-party providers enables businesses to deliver their core services without the need to create these ‘in-house’. But this single point of access is an attractive prospect for cyber criminals: by compromising one external provider they can, potentially, disrupt many businesses at the same time through a single attack.
It’s important to understand that cyber security risk management is an ongoing process and as many businesses do not have dedicated cyber security resource it can be useful to work with an experienced specialist who can conduct a security audit or assessment.
Once the risks have been clearly identified, they should be addressed in order of the potential severity of repercussions from a cyber attack; tackling them all at once is not a realistic approach. Mitigation of cyber security risks comes in many forms, which will evolve as the business and threat landscape do. Measures to take include:
- Implement a range of technical and systems solutions, including antivirus software, firewalls, a password manager, and multi-factor authentication.
- Provide regular staff training on cyber security risks and procedures.
- Ensure that there is an incident response plan in place, that communication around risks and security is maintained, and that regular reviews of security measures are conducted.
- Review your supply chain exposures and the level of security your suppliers have in place.
- Review website and infrastructure exposures.
- Establish sensible security controls to make it easier to get cyber insurance and, at the same time, satisfy applicable contractual obligations such as intellectual property rights, confidentiality, and GDPR requirements. This protects against liabilities, increased costs, and loss of income and reputation.
- Put in place business continuity arrangements, testing, and back-up provisions.
- Ensure good cyber hygiene: Cyber Essentials, or a similar certification, demonstrates that an organisation has appropriate security and defences in place to protect against common cyber attacks and security breaches.
- Monitor networks. Monitoring software is available that analyses network data, identifies threat patterns, and automatically removes what it identifies in order to contain potential threats.
- Test defence measures regularly. Regular testing is important to maintain cyber security, and regular ‘penetration testing’ is the key to having confidence in the security of your systems.
Cyber insurance should be regarded as an important business tool. All businesses store, process, or manage data and insurance will provide essential protection from the ramifications of a cyber attack. Cyber insurance covers your business from the regulatory, financial, and reputational losses suffered from a cyber attack and works to restore your business to the position it was in prior to the loss. To discuss how cyber insurance can protect your business, contact us on 01603 218000.
CyberScale are a Cyber Security Consultancy and Training provider. They provide pragmatic IT Security and Data Protection for businesses throughout the UK. Cyber security and data protection can be confusing and hard to keep up with, especially without dedicated staff. CyberScale will translate threats and regulations into what’s relevant to your business, and explain everything in a clear, non-technical way. Cyber security is complex, so making it simple is key; that way you can concentrate on running your business. To find out more, contact CyberScale on 01603 339550 or email [email protected].