Cyber Security Risk Management: The Ten Step Plan

Once it was only an issue for international big-name businesses, but cyber security is now a key risk for every company. The 2015 Information Security Breaches Survey revealed that 90% of large organisations in the UK and 74% of small businesses had a security breach in the previous year, and across all sizes and sectors 59% of UK businesses said they “expected” to see more security incidents in the next year. Those numbers have risen consistently over the last few years, and the most severe breaches are costing companies between £75,000 and £3.14 million.

A thorough cyber security risk assessment is crucial, locating any flaws in your organisation’s cyber risk plan so that you can then fix them. It can also help save time and resources as you focus on the specific areas that are important to your organisation. In a recently updated and reissued publication, the Department for Business, Innovation and Skills and the Communications-Electronics Security Group recommended a 10-stage approach to assessing your organisation’s cyber security.

First, you need an Information Risk Management Regime that is embedded across the company, understood and supported by the board and upheld just as seriously as your policies on financial, regulatory and legal risks. Second, you need a “secure configuration” – making sure your ICT systems are kept up to date with the latest security patches and establishing security baselines so that your organisation is only using the most secure possible software and hardware. The next step is establishing a policy on the use of Removable Media within the organisation, limiting what types of removable media are acceptable and establishing mandatory scans on any external drives before they can be used with the corporate system.

One of the key parts of managing cyber risk is the fourth step, Network Security – making sure that your internal network is suitably protected from the internet, monitoring and filtering traffic to track and prevent any unusual or malicious activity. The fifth step is managing User Privileges, ensuring everyone who uses the company IT systems only has access to the software and functions they need to do their specific jobs, and the sixth is making sure those users are Educated and Aware about IT security risks and how they can avoid making the company vulnerable to attacks.

Stage seven is Incident Management: building an Incident Response and Disaster Recovery capability that covers the full range of Cyber Security Incidents that could happen to your company, training the Incident Management team and thoroughly testing how they would respond if an incident were to occur. The eighth part of the plan is Malware Prevention, protecting all of the hardware across your company with antivirus solutions and continuously scanning for and neutralising any malware originating from web browsing, e-mails, removable media, or anywhere else. Ninth, have policies in place that address the cyber risks arising from any Home & Mobile Working: using Virtual Private Networks, making sure that mobile devices being used are up to the same security standards applied to all of the company’s hardware, and training staff to follow security policies while working outside the office.

The final step, which will feed back into all the others, is Monitoring, continuously monitoring all of your IT systems and networks, analysing any unusual activity, reporting this back to the board and altering your policies and procedures as needed.
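As an added illustration of what the Monitoring step looks like in practice (this is example code written for this page, not code from the original post or from the government guidance it summarises), the following Python script runs two simple “unusual activity” checks over a small constructed log sample: a burst of failed logins from one source within a short window, and a successful privileged login outside business hours. The log format, field names, thresholds and business-hours range are all assumptions chosen for the example; a real deployment would feed in the organisation’s own authentication logs and tune the thresholds.

```python
"""Monitoring step, illustrated: flag unusual authentication activity.

Example code added for this page; not from the original post or the UK
'10 Steps' guidance. Log format, thresholds and hours are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed line format:
#   "<ISO timestamp> <OK|FAIL> user=<name> src=<ip> priv=<yes|no>"
SAMPLE_LOG = """\
2015-11-02T09:01:10 FAIL user=alice src=10.0.0.5 priv=no
2015-11-02T09:01:12 FAIL user=alice src=10.0.0.5 priv=no
2015-11-02T09:01:15 FAIL user=alice src=10.0.0.5 priv=no
2015-11-02T09:01:18 FAIL user=alice src=10.0.0.5 priv=no
2015-11-02T09:01:21 FAIL user=alice src=10.0.0.5 priv=no
2015-11-02T09:01:25 OK   user=alice src=10.0.0.5 priv=no
2015-11-02T10:15:00 OK   user=bob   src=10.0.0.9 priv=no
2015-11-02T11:00:00 OK   user=root  src=10.0.0.2 priv=yes
2015-11-02T23:40:00 OK   user=root  src=10.0.0.9 priv=yes
"""

FAIL_THRESHOLD = 5            # assumed: failures from one source per window
WINDOW_SECONDS = 60           # assumed: sliding window length
BUSINESS_HOURS = range(8, 19) # assumed: 08:00-18:59 local time


def parse_line(line):
    """Turn one log line into a dict of its fields."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "result": result, **kv}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_failed_login_bursts(events):
    """Return (src, count) for each source with >= FAIL_THRESHOLD failures
    inside any WINDOW_SECONDS sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it fits WINDOW_SECONDS
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts.append((src, end - start + 1))
                break  # one alert per source is enough for the report
    return alerts


def detect_out_of_hours_privileged(events):
    """Return (user, timestamp) for successful privileged logins outside
    BUSINESS_HOURS; these warrant review even when the password was right."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["priv"] == "yes" and e["result"] == "OK"
            and e["ts"].hour not in BUSINESS_HOURS]


def build_report(text):
    """Run every check over the log text and collect the findings."""
    events = parse_log(text)
    return {
        "failed_login_bursts": detect_failed_login_bursts(events),
        "out_of_hours_privileged": detect_out_of_hours_privileged(events),
    }


if __name__ == "__main__":
    for check, findings in build_report(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

The point of the report is the feedback loop the post describes: each finding should be reviewed, reported to the board where it matters, and used to adjust the thresholds, the privilege assignments or the policies themselves.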

If you’re concerned about the cyber security of your organisation, Kind Consultancy can supply industry leading permanent and interim Tech Risk professionals to your Risk team, or if you work in Cyber Risk and are seeking career advancement or your next contract, contact Lynsey Moore on 0121 643 2100 or lynsey@kindconsultancy.com for a confidential conversation.

Lynsey Moore

[This post originally appeared on Lynsey’s LinkedIn]
