System Hygiene

Everything starts with a proactive and managed approach to keeping computer systems clean and secure. Having software monitoring desktop machines for intrusions, making sure that all routers and firewalls are configured correctly and running the latest operating systems, ensuring that staff do not plug unknown devices into their machines etc. All of these activities if treated as routine maintenance tasks will stop the basic low level issues from becoming major ones. It’s a small investment in time and money that has a disproportionate effect on keeping your business safe, and like insurance of any type, you’ll be glad you had this approach in the long run.

Planning

Plans are fundamentally useless, as soon as something goes wrong its typical that the incident does not compare with the plan, but, the planning process itself is a vital weapon. If the senior management team understands how to react to a cyber-attack and has a number of documented options available in advance, it can act quickly to stop a problem from escalating. The senior team needs to contemplate all forms of possible attack and create a response for each flavour of incident. Those responses should be made available to the staff and reviewed at regular intervals. Training key staff members on how to respond to an attack is vital.

Risk Profiling

Not all cyber-attacks are created equal. It’s a positive position to be in if a company can recognise patterns of attack and what may have already happened and what comes next. This allows a far greater capability to create a bespoke defence to different problems and know when to act and where to look. Different company digital assets may require vastly different approaches to keeping them secure, most cyber-attacks will not be beaten by a one-size-fits-all approach. Create different risk profiles for different attacks and have a fit for purpose response.

Metrics

During a cyber-attack its most unlikely that you’re going to have the option to work in high levels of detail. Its more fundamental that you act quickly than act precisely. Focus on being able to be agile with your responses using rough figures and estimates rather than precise numbers. It means that your attacker is forced to do the same making the likelihood that the attack will stop and it avoids your response grinding to a halt because of analysis paralysis. Run simulations, record numbers and create ranges that you can recognise and define what response is appropriate.

Risk Mitigation

Your company needs to spend time and money to mitigate the risk of a cyber-attack. Some of these seem common sense and yet a lot of companies still fail to ensure these are in place:

• Training: Make sure all your staff understand their role in cyber security and actively engage with them in discussions around how the company’s protective stance can be enhanced.


• Certification & Compliance: Even if your company is not software or tech focused, make sure that you go through the ISO9001 and ISO27001 certification. Stick to the rules and regularly retest yourself. These standards are there to help you defend your company and its information security.


• Policy & Procedure: Write specific processes and policies for the company to use that enable new habits within the staff to form. Bring Your Own Device policies, rules on portable hard drives, policies on accessing external systems and physical security mantras will all help mitigate risks.

Cyber Insurance

In the modern era it would be remiss for companies that hold personal information or sensitive data to not have cyber insurance. These policies cover the loss of data or information from IT systems or networks. The average cost of a cyber-security breach is £600k - £1.15Million so typically carrying £2.5Million of cover seems a minimum policy amount. There is some good guidance on cyber-insurance cover available from the Association of British Insurers.

Go!

Press the go button and put everything into place. It’s often that plans around cyber-security are left unimplemented because of the “it can’t happen to us” syndrome. If you’ve gone to the extent of the planning, then the implementation should be easy and straight forward. Don’t be the victim of a cyber-attack for the sake taking the last steps of implementing your cyber-security strategy!