Cyber attacks pose a significant risk to your system security, data confidentiality, client relationships, and your organisation’s reputation. As such, cyber security must be at the top of your risk register.
Unfortunately, many firms are under the impression that cyber security is a job for their IT support department. Cybersecurity should be ingrained at all levels of your organisation and not left in the hands of a few IT personnel.
It is the responsibility of executives to protect the firm from cybercrime. Therefore, to ensure you protect your organisation from cybercrime as much as possible, you should ask yourself a few questions.
Eight questions to ask when considering your organisation’s cyber security
1. Who currently performs and documents your organisation’s cyber security risk assessment?
Conducting a cybersecurity risk assessment is mandatory under the Data Protection Act of 2018. Carrying out this risk assessment is the first line of defence against cybercrime.
The assessment should be carried out periodically by someone experienced in cyber risk management. This expert should be familiar with current attack vectors and methods of entry used against your type of firm, such as hacking email accounts and ransomware. It will also allow you to see where your company is vulnerable in its technology and IT equipment.
However, your cyber risk assessment should not focus solely on technology. A critical vulnerability could be your people and how they use your technology and communicate with customers, suppliers, and other external personnel. Your vulnerabilities may also be in your systems of work or the platforms your people use to conduct their work.
2. Who configures your cyber security?
Once you have assessed your vulnerabilities, it’s time to configure your technology accordingly. This job should be carried out by a cybersecurity professional. Their main aim is to protect you from cyber attacks without disrupting daily operations.
Some cyber security aspects they could address include the following:
- Installing and updating anti-virus software.
- Establishing firewalls.
- Enforcing password updates.
- Configuring system back-ups.
- Applying user privileges.
- Controlling personal devices.
- Limiting access.
- Setting up detection alerts.
They can also provide executives with advice on governance and organisational controls. Ultimately, these will set the cyber security tone for your organisation.
3. How do you meet your legal, professional and regulatory requirements?
Are you confident someone in your IT support department fully understands the legal technicalities of holding and using personal data? Also, are they considering your regulatory responsibilities, ongoing risk management, governance, and operational resilience?
Ultimately, the Board must ensure these legal, professional, and regulatory requirements are carried out. Are you confident your current cyber security provisions have these covered?
4. Who provides cybersecurity risk management awareness training to your staff?
As mentioned above, one of your critical vulnerabilities could be your people. Your staff are not only exposed to malicious actors; they are also prone to user errors that could leave your systems vulnerable.
Indeed, some security experts estimate that 60% of unauthorised access is due to user error. Therefore, you must have appropriate cybersecurity training in place. Moreover, you are now legally bound to do so.
However, merely implementing training as a “box-ticking” exercise is insufficient. Training should be followed up by verification in the form of simulated attacks, for instance.
Good cybersecurity training can reduce your risk considerably. For instance, following one training session, the number of staff who clicked on a simulated phishing email decreased from 25% to 20%.
5. Have you implemented the correct policies and procedures?
Cybersecurity policies and procedures keep your systems, staff, and clients secure. However, you must ensure you define and communicate these correctly. There is not much point in copying and pasting something from the internet and adopting that as your organisation’s cybersecurity policy.
Implementing a correct cybersecurity policy is now a legal requirement. Your staff need to agree to your cybersecurity policy and acknowledge this by signing a cybersecurity staff handbook during training. Doing so ensures your team understands what you expect of them regarding cybersecurity.
6. Are you purchasing security software of limited utility?
Many people believe they can allay their cybersecurity fears by purchasing some anti-virus software. Even if you spend considerable funds on a good product, it is of limited utility on its own.
Security software is just one aspect of cybersecurity. It will rarely solve all of your security issues. Indeed, it can give staff a false sense of security, leaving them more vulnerable to other threats.
7. How do you respond to FCA/client questions about your supply chain, and how do you assess it?
The FCA is increasingly asking organisations about their cybersecurity arrangements. Indeed, clients are becoming more concerned with this issue, and it is now a key partnership consideration according to Forbes.
Your cybersecurity professional can help you respond to these queries. They can also help you proactively by ensuring you check with whom you share your systems and data.
8. How can you ensure your security controls remain appropriate and adequate?
Regarding cybersecurity risk management, you don’t want to mark your own homework! Putting this responsibility onto your IT support people is neither fair nor advisable. Moreover, your professional indemnity insurers will not look kindly upon it when you have a security breach.
Assurance should be ongoing, testing and auditing your control measures against new and emerging threats. Again, the widespread impact and likelihood of threats have made cybersecurity assurance a legal obligation.
Conclusion
You may have thought your IT support department covered your cybersecurity risk issues. Hopefully, this article has explained why this should not be the case.
Ultimately, cybersecurity is a board-level responsibility. It should be part of your organisation’s culture if you are to protect your systems, staff, and clients from malicious actors.