Information is critical for any organisation trading in today’s digital economy. The ability to conduct business using IT systems in a timely, robust and secure manner is taken for granted. However, many organisations find it difficult to determine and then implement an appropriate security posture in an environment of constant and growing cyber threats.
The impact of cyber attacks on any organisation cannot be overestimated or ignored. At one end of the scale, an overly prescriptive security posture is expensive to implement and constrains business agility. Conversely, a laissez-faire approach risks compliance-related fines, data breaches, brand damage and loss of shareholder and market confidence. Moreover, treating cyber security as a purely technical matter and a problem for IT managers will hamstring an organisation, because it fails to recognise that people, their awareness, attitudes and actions, are the biggest single factor in cyber security. Human error, human weakness and human mistakes are often the chink in your organisation’s security.
For any organisation underpinned by IT systems and working with customer data it is vital that:
- Information security risk is known, managed and mitigated.
- Senior managers and staff all understand that cyber attacks are inevitable, that they are happening all the time and that your company is no exception.
- Cyber incidents need to be anticipated, detected, defended against and proactively managed.
- Management must understand that security incidents are inevitable and should be accepted as something that will happen and should therefore be prepared for.
Your people can be your weakest link, exposing your company to risk, but conversely, if mobilised and trained, your strongest defence in managing cyber security as effectively as possible. But how can you review your situation and embark on a better cyber security path?
Fundamentally, this is a matter that cannot be compartmentalised within the IT department. It is a Board-level matter, enacted by the Chief Information Security Officer (CISO), to develop a proportionate, risk-led cyber security initiative that supports your business objectives.
From the outset your cyber security initiative should:
- Baseline current risks and identify emerging threats and patterns.
- Reduce future risk through a set of distinct work packages that bring your exposure down to tolerable levels.
- Establish information security as part of everyone’s ‘day job’, thereby creating a whole-workforce security and brand protection team.
- Create a centre-of-excellence business function within the organisation as the ‘go to’ place for advice, reporting, risk escalation and oversight.
With these elements in place your organisation will be able to evolve and improve its cyber security as part of an ongoing remediation programme.
At Xpertex we’ve specialised in Cyber & Information Security since 2006. Our clients are typically government, commercial organisations and professional bodies. As a guiding principle, Xpertex immerses itself in understanding its customers’ business. We focus on appreciating an organisation’s people, culture and processes before recommending any technology. Offering a range of services including Cyber Risk Assessment; Phishing Vulnerability Assessment; CE/CE Plus Assessment; External Vulnerability Scan; Network Security Review; ISO27000 Audit and other advisory-based services, Xpertex is ideally positioned to help your organisation.