14 Mar Cyber Security Recommendations | Increase Cyber Resilience
5 key recommendations for improving your organisation’s Cyber Resilience.
Professionals in the cyber security field have identified a multi-step process to cyber resilience. The steps are as follows: Identify, Protect, Detect, Respond and (if need be) Recover. The mindset of ‘it won’t happen to us’ or ‘our data is of no value to hackers’ is a risky one and can lead to devastating results.
No matter how big or small, flat or hierarchical, and whatever its operational sector, each organisation needs to strive to increase its Cyber Resilience. Below we present five key recommendations for improving your organisation’s Cyber Resilience.
Allocate appropriate financial resources to activate your Cyber Security strategy
Cyber security should be given priority in the allocation of budgets in the organisation’s annual budgeting exercise. Devoting strong budgets is a sign that leadership takes cyber and information security seriously and that a proactive approach is endorsed. An effective cyber security program backed by the required resources will help any organisation run more smoothly, with fewer data breaches, fewer business continuity issues due to attacks, and internal stakeholders following best practices, which in turn helps avoid human errors.
A common misconception is that cyber security is the IT department’s responsibility. Today, it should be integrated in the organisation’s culture, and each employee should take ownership of cyber security and be responsible for it as well. The role of a CISO is becoming increasingly important at C-level, to influence the whole organisation and set the direction for all the layers within an organisation to follow. With the advent of remote working and satellite offices around the world, security measures need to be at the top of the priority list.
Conduct Regular Cyber Awareness Training
Increasingly, cyber criminals are tailoring their attacks to exploit human error. Phishing and ransomware are two examples of attacks that pose a big threat to organisations through errors committed by people. Let’s take two scenarios: an employee unable to spot a scam when in receipt of a phishing email, and an employee downloading and running a file attached to an email without checking the sender and the contents of the email. Both instances could easily have been avoided had the recipient been educated on such threats and on what to look for to identify malicious emails.
Both cases can lead to the whole organisation risking its data being breached or its systems frozen and held to ransom. These are situations that can lead to reputation damage, adverse media coverage, financial losses and licence revocation. Repercussions can be devastating. In addition to being unable to spot incoming malicious attacks (mostly in the form of emails and attachments), your workforce can misuse their privileges, mishandle data or take security measures (and obligations!) lightly.
Technological solutions such as firewalls and/or anti-virus software will not solve such weaknesses in an organisational ecosystem. Staff must receive the training they need. Training will help them better understand cyber threats and the possible repercussions. Having a workforce that is fully trained and fully conversant with the latest cyber security updates makes your day-to-day business operations run more efficiently. It will also pose less risk with external stakeholders such as clients and regulators.
Cyber awareness training is not a one-time thing (say, during employee induction training) but a recurring event, since threats are evolving at a very fast pace.
Run thorough risk assessments
When any organisation is compiling its cyber security strategy and organising its cyber security roll-out programme, a thorough risk assessment needs to be conducted, whereby risks are identified and a degree of impact and a likelihood (possibility) of happening are attributed to each individual risk. Risks change, therefore risk assessments need to be done on a regular basis. Different scenarios are to be analysed, the organisation’s entire digital surface needs to be taken into account, and the liabilities that can be a byproduct of threats coming to fruition need to be identified (malicious actors are persistent!).
With an accurate risk assessment, the organisation would be able to manage, control and mitigate risk accordingly. A well-prepared risk assessment will make it impossible for an organisation to ignore the threats posed by potential vulnerabilities. The main risks here are not being able to identify one or more risks, not being able to notice change in risks and, finally, not attributing the right action/efforts/attention to the various risks. If a risk has a ‘high impact’ and a high probability of happening, it would require urgent attention, as it can lead to highly negative consequences.
Weaknesses and vulnerabilities need to be addressed as they can cause significant damage. Risk needs to be managed in all facets of the organisation, and the implementation of defense measures will reduce the likelihood of risks materialising. Risk is always tied to a degree of uncertainty, thus analysis and data observation are key. As a guideline, one may want to refer to ISO 27001, CIS Benchmarks and PCI DSS (for the card payment industry). Engaging external experts to conduct risk assessments may bring a more independent view to the table. Making risk assessment an integral part of an organisation’s corporate governance and having an internal audit committee can help enforce policies and adherence to procedures and best practices.
Review Policies and Procedures
Understanding the risk linked to cyber attacks is the start of the journey. Policies and procedures help set the standard and expected behaviour and offer guidelines as to what is expected of employees vis-a-vis cyber security. Be prepared for the quasi-inevitable and fortify your organisation with these policies and procedures. They will serve as your rules for practices such as handling of data. A policy will include the overview of the company’s principles, whereas the procedure will go into the ‘how’, ‘what’ and ‘when’ level of detail. Always ensure that you proactively assess risks, detect threats and help employees and stakeholders understand their role.
Secure your investments, your assets and your interactions appropriately. Policies are to be well communicated and explained, and procedures enforced, to ensure acceptable behaviour is observed throughout. Common policies include ones related to remote access, password creation, email handling, access rights to repositories on the company’s systems and management of workstations. Explaining security obligations is of paramount importance. Instances such as installing third-party software without the required permission or using your work email to subscribe to services unrelated to work need to be managed via policies and administered through procedures.
Constantly Assess and Improve
Cyber security is an ever-evolving area and organisations must regularly review their policies, strategy and practices to ensure they are up to speed with the latest threats. Hackers are increasingly using sophisticated ways and technologies to get their hands on sensitive information and systems. Companies are to build a cyber security framework that is structured in such a way that it can be updated through iterations of change on a regular basis. Doing so directly hardens an organisation’s cyber resilience.
Running regular penetration testing is a practical way to constantly assess the security posture of systems, applications, physical facilities and data. An innovative approach to improving the defense against the opening and actioning of phishing emails is to run ongoing phishing email simulations, wherein social engineering attacks using email are simulated by a trusted cyber security partner to identify weak points inside an organisation.
Be secure. Be vigilant. Increase Cyber Resilience today! Get in touch with one of our experts to safeguard your systems, applications, data and people.