Headline-grabbing cyber attacks, you know the ones, “multinational company ‘X’ has been hit by ransomware and told to pay a gazillion bitcoins”, can lull the rest of us, with fairly regular-sized businesses, into a false sense that cyber security isn’t really necessary.
“We’re an SME,” I hear you say, “we’re not cash rich, so who would waste their time targeting us?”
It’s a common but mistaken view. Just because the horror stories you hear about concern large organisations, it doesn’t mean you’re not a target. You don’t have to take our word for it.
There isn’t one style of cyber attack and there isn’t one type of hacker – we’ve got a blog on this here. It’s not just your ability to pay big ransoms that makes you attractive to an attacker. Your intellectual property and your customers’ personal data both have a value to someone out there, and there’s a market for most data sets on the dark web.
It could also be that your business gets swept into an attack that isn’t actually aimed at you. You could be one link in a supply chain servicing a target company at the top, and you become collateral damage. Or you may be targeted by a hacker just for ‘fun’, to test their abilities, or simply because you work in an industry they don’t like.
As well as making economic sense, cyber security preparedness is a legal requirement when it comes to complying with regulations such as the GDPR or the DPA 2018. So, what now? The next step is to decide whether to hire in-house cyber security expertise or to use a consultant.
In this blog, we cover some of the things that a cyber security consultant or in-house security manager might do for your business.
What is cyber security?
Cyber security is the protection of information systems from unauthorised access and from deliberate damage or disruption. Specifically, it covers the protection of all the interconnected networks, systems and devices we use to process, access and store information.
Cyber security and information security are often treated as the same thing, but information security is the wider topic. Whereas cyber security focuses on the security of internet-connected systems, information security also covers HR and supply chain considerations, legal and compliance issues, insider threats, physical security and
Why is cyber security important?
Cyber threats come in many forms and levels of severity, and they enter organisations through a range of pathways. Take a moment to think about the technology your employees are currently using: mobile phones and laptops, for starters. Where do they use these? From home? Whilst travelling? Do they use hotel Wi-Fi or public hotspots in cafés or on trains? Do they access your servers over these networks? Do they download apps for personal use on these devices? How strong are their passwords, and are the same ones reused across accounts? Once you begin to scratch the surface, it quickly becomes apparent how exposed your business systems and data could be.
What does a cyber security consultant do?
A cyber security consultant will take a holistic approach to your organisation’s cyber security preparedness. This means reviewing your security strengths and weaknesses across your People, Processes and Technology at every level, to establish the level of risk your company is currently exposed to. They will then work with you to put a strategy in place that makes you more secure and ensures you comply with regulations such as the GDPR. As part of this process, they will:
Create your security strategy – This involves identifying your data assets, reviewing your existing security controls and creating security improvement plans, then translating all of this for your management team or Board, if you have one, to get buy-in, agreement and budget.
Identify and manage security risk – Whether your business is a multinational or an SME, there will always be a finite budget for security. It’s impossible to fund every security measure, so your cyber security consultant will take a risk-based approach. This means identifying the highest-risk areas and advising on the security measures required in proportion to the level of risk. It involves identifying your assets, the threats to them, and the likely impact of a security incident affecting them. This ensures that your most valuable and sensitive assets are prioritised, that risks are known and proactively managed according to their potential impact, and that you meet key compliance obligations.
Maintain assurance – The threat landscape is constantly evolving, which means cyber security is an ongoing process, not a one-off project. Once the initial set-up is complete, your cyber security consultant will continue to monitor and review your risk. This involves a regular programme of vulnerability scanning, penetration testing, employee training and security assessments.
Ensure continued governance – As part of compliance and accountability, cyber security should fall under your organisation’s governance framework. The Board needs to be kept up to date with all relevant information so that it is equipped to make good security decisions. A cyber security consultant will lead this process by reporting the results of audits, incidents and incident responses, and by pinpointing any improvements required.
Implement compliance – To meet specific regulations and standards, a cyber security consultant will set up and manage compliance management systems and put together the policies and processes needed.
Manage security vendors – As well as identifying the security technology best suited to your needs, taking into account all the hardware and software your business uses, a cyber security consultant will research suppliers and manage the procurement process.
If you need help on where to start with your cyber-security needs, contact us for a friendly, no-obligation chat.