How to stop worrying about cyber security and compliance: Part II
This article is the second in our two-part report designed to provide busy CEOs with a template for mitigating the stresses and risks of cyber security and compliance. Here is part I if you missed it.
Previously we discussed why businesses often procrastinate when it comes to cyber security and regulatory compliance. Now it’s time to enumerate how you can mitigate the risks and sleep better at night.
- Make a Risks-and-Issues Analysis
Every substantial business should maintain a list of risks and issues, with some analysis of the mitigation options. The board should review this document at least annually, and each risk or issue must be owned by an executive with the expertise and time to manage it.
A certain level of risk is of course inevitable. But you need to know what you have, what’s valuable and what’s vulnerable. Documenting the risks, and having an open discussion about them, will drive sensible decisions about how to mitigate risk and take action when and if the worst happens.
Even better, it avoids sweeping issues under the carpet. Instead, you can confront the real business risks, identify a proportionate response, and ensure you are looking after the things that matter.
Proper backup plans, disaster recovery and crisis management plans will flow from these discussions.
- Sort Out Your Cyber Insurance
It’s prudent to consider cyber insurance. But not all cyber insurance is created equal. You need to carefully select an appropriate policy and provider.
The first thing to watch out for is if the provider takes the time to understand your risks and requirements. If they don’t, then they’re simply looking to sell you a policy, and you should walk away.
Next, check the exclusions on the policy. Make sure a member of your board understands the coverage – most importantly, if it covers ransomware payments, recovery costs, and loss-of-business. Remember that cyber insurance may not give you back money that’s stolen from you, that generally requires criminal insurance.
Also, you should learn how claims work with the insurer. If you have to make a claim, will the insurer specify who runs the recovery programme? If so, how quickly can this third party mobilise? If the insurer does not stipulate a third party, don’t wait for an incident to evaluate potential suppliers – identify the best one now.
Ensure that your IT is compliant with the policy. The insurer may impose requirements on your IT, and these requirements may be obscure and complicated. Often the CFO signs the insurance policy without communicating the requirements to the IT team. And the IT team may need to document how they meet the requirements so that the insurer can audit if necessary, otherwise your policy may be invalid!
Finally, are your suppliers’ contracts clear about their liability? And are they appropriately insured?
- Get Behavioural and Awareness Training
The weakest security link in any business is often the people. Some of your staff may struggle to understand the issues or to know what secure behaviours really are. You need to clarify your expectations.
Unfortunately, lots of companies have security protocols that no-one reads. Or perhaps people circumvent the rules with the tacit approval of their managers, who are busy and under pressure to deliver results. For example, if managers are writing passwords on Post-its, or accessing email from insecure home computers, then their subordinates will do the same.
Instead you’ll want to foster a culture of security. For example, is your finance manager empowered to challenge an email that looks like it’s from you calling for an “emergency payment?” How are suppliers’ bank details verified? Is your IT staff empowered to call out poor security practices from senior managers?
We recommend awareness training, which is relatively inexpensive – a few hundred or thousand pounds. A small price to pay compared to the expense of getting hacked!
- Get Cyber Essentials Plus
For most businesses there is a simple route to getting basic security right – certification from the government-sponsored scheme, Cyber Essentials Plus.
Specifically, this scheme identifies the basic technical measures to ensure your equipment is properly looked after, your network properly setup, and access properly controlled.
Most importantly, Cyber Essentials Plus requires all these things to be independently checked. Don’t ask your existing IT supplier to do it, get an independent assessor!
The total cost of this certification should be just a few thousand pounds and take a few weeks from start to finish.
We advocate that every mid-market business attains Cyber Essentials Plus. It certainly isn’t the whole answer, but it’s a big step forward for a lot of companies.
- Do a Penetration Test
A penetration test is when a third party looks for weaknesses in your website. Most companies can have a full, detailed penetration test for just a few thousand pounds.
This is essential if your website includes custom software or any kind of ecommerce services! Poor technical practices can result in custom software being full of holes. The OWASP top 10 is a list of the standard vulnerabilities that almost all hackers focus on – ensure your penetration test includes checks against this list.
Typically, penetration test findings are divided into high, medium and low priority. Address all high- and medium-priority issues immediately. Address low-priority issues on a case-by-case basis.
- Comply with GDPR
The General Data Protection Regulations came into force in Spring 2018 with much fanfare. Since then it’s all gone a bit quiet, and a lot of people are hoping it will go away entirely! But the rules are in force, with high penalties for breach.
The good news is that for the most part, the compliance measures are sensible and worthwhile. And most businesses can organise an expert assessment of their GDPR compliance for a few thousand pounds.
The recommendations can be complicated, and GDPR compliance can be a long process. So you’ll need to plan the work as a series of projects. Someone at board-level needs to have ownership of it, preferably someone both commercial and sensible in their approach.
GDPR compliance can be daunting. But you will make useful steps towards well-managed and well-organised back office systems. Consider it a useful tool quite apart from the legal requirements. In the end, your company will run more efficiently and make better use of its data, which is a valuable asset.
- Comply with ISO27001
ISO27001 is a more serious information security and management standard. Some companies have this standard imposed on them by corporate or government customers.
Either way, if your business is complex or has specific security requirements then ISO27001 provides you with a means to foster a culture of security. For example, if you manage sensitive data or valuable IP; if you want to demonstrate your credentials to demanding corporate clients; or if you plan for your business to offer important IT services, then ISO27001 gives you a means to embed security into every aspect of your business operations.
This is another standard that requires external assessment. Although it may only cost a few thousand pounds, implementing the necessary changes can be complicated and invasive. But that’s why companies brag about their ISO27001 accreditation — it’s a demanding standard and it means something.
Remember: Secure Companies Are More Efficient and Reliable
Let’s emphasize that the above steps are sensible. They will make your business more secure, so that you can your customers can sleep soundly. And in the event of a problem – because there are always problems – you will have mitigated the damage, and your business will recover more quickly, and you can avoid criticisms or accusations of negligence.
One final point: well-maintained systems and security practices will make your business far more effective, profitable and reliable.
Visit our Cyber Security and Compliance Knowledge Centre which includes all content related to this topic.