€22,500 was the average ransomware demand from SMEs in Ireland in 2021.
As 2022 begins, it is a time to reflect and a time to look forward. Cybersecurity management should be on everyone’s to-do list this year. An important aspect of this is to create a robust cybersecurity strategy framework as the baseline for making your organisation more secure.
A recent publication from PwC that surveyed over 3000 businesses stresses that a cybersecurity strategy is an “urgent business priority”. One of the reasons for this urgency is a lack of confidence in where to spend budget, with only 38% of businesses feeling confident they are spending budget in the right areas. This is in a climate where, according to the research, 58% of organisations experienced an attack on cloud services that resulted in disrupted critical business services and/or a ransomware attack.
With continued remote working and cloud computing, even small businesses are at risk of a cyber-attack. Having a sound cyber security strategy framework allows any sized organisation to optimise its budget and de-risk data breaches and other cyber-attacks.
Creating a cyber security strategy framework is a process that requires alignment with the overall business goals. How to create one can be crystallised into six core steps.
The importance of a strong cyber strategy to your business
All aspects of a business require good planning to optimise the outcome. Handling the onslaught of cyber security attacks is no exception. A cybersecurity strategy is a plan of action that improves the resilience and security of an organisation. The framework that this strategy sits upon reflects the company assets and how best to protect them. This plan is an ongoing exercise that requires regular updating to reflect changes in assets, technology upgrades, and the cyber security landscape.
The creation of a cyber security strategy framework is a process that helps you to focus on what you need and how to make it work for your business.
Alignment with business objectives and goals is important. Security then becomes part of your business culture, not an add-on.
Companies of all sizes, and across all sectors, can benefit from a cyber security strategy framework to optimise how they protect their organisation’s resources. By having this type of in-depth view of your security needs your organisation can take a proactive approach to security.
Six key steps in developing a cyber security strategy
In an era where the World Economic Forum rated cyber-attacks as one of the top global risks, having a way to prevent these attacks is critical. Creating and implementing a cyber security strategy framework may take time and effort but it is worth it. The discipline creates a secure and resilient organisation.
The following six steps encompass the main components needed to inform, develop, and implement a cyber security strategy.
Step one: Know your assets
Do you know every asset that connects to your organisation?
Your assets extend to anything that could be damaged or exposed by a cyber-attack or accident. Typically, this includes data, devices, and peripherals. Begin this step by assessing your assets across the expanded network – this is likely to include remote worker assets and data.
The resulting inventory is then used as a basis to classify these assets. The classification categories can be proprietary to your organisation or based on classification categories described in security standard frameworks such as ISO27001.
The lifecycle of data assets, where data resides, how and where it moves to, and how it is used, should also be recorded to help inform later steps in the process of developing a cyber security strategy framework.
Step two: Know the risks
A security risk assessment of the assets in step one identifies areas of vulnerability. This can be mapped to the security classification of the asset to help evaluate the type and level of security needed as you move through the framework development process.
A Business Impact Assessment (BIA) is useful in identifying asset owners and the impact a cyber-attack would have on business operations and productivity. A BIA should consider the confidentiality, integrity, and availability of data and other assets.
Step two forms the basis of a risk management plan that informs other areas of a cyber security strategy framework.
Step three: Build strong security controls and standards
Your company security posture and maturity level should align with security controls and standards. Examples of such controls include:
- Cyber Essentials and Cyber Essentials Plus: a UK government-backed scheme that takes an organisation through a set of best-practice security controls to protect the organisation and its data. Cyber Essentials is self-certified, whereas the Cyber Essentials Plus option requires technical verification before certification is awarded.
- ISO/IEC 27001: a global security standard based on information security best practices. Certification to ISO27001 shows adherence to this standard.
- Industry-specific, e.g., PCI-DSS: various data protection regulations offer an insight into the types of controls needed to protect specific data types, e.g., financial data, health data, consumer personal data, etc.
Step four: Spend your budget in the right areas
Seek expert advice on how to maximise the effectiveness of your cybersecurity spend.
A significant issue is lack of confidence in where to best spend a security budget; this is especially interesting as budgets are expected to increase. Optimising budget spending is essential to ensure buy-in from C-level and board, and to ensure that any security controls are the right ones for the job. During step four, the previous information gathered during the initial three steps will help you to decide what level of budget you need and where best to spend it.
Resources are an area that comes up during the cyber security strategy framework development phase. Security skills are at a premium, with industry consortium ESG and ISSA reporting that over half of organisations are impacted by a shortage in cybersecurity skills. One of the changes in the security market space has been the maturing of Managed Services Providers (MSPs), who now offer security products and services on a subscription model. This allows even small organisations to afford best-of-breed security solutions. The use of an MSP may be a good way to stretch budgets. MSPs can also offer expert advice on what types of solutions work best for given security scenarios.
Step five: Do more with less
By step five you will be ready to assess the technologies and measures needed to implement your cyber security strategy. Begin by taking an inventory of what solutions are already in place and what measures, such as security awareness training, you employ.
Do you have too much technology? Technology bloat can be as problematic as the wrong type of technology, causing visibility issues and facilitating human error.
Create a gap analysis of missing measures and/or changes needed to configure existing measures that more closely reflect your data classification and BIA.
Look to use a holistic security approach that proactively mitigates security threats. Security is everyone’s responsibility, and employees should be trained in security hygiene. Phishing simulations can help to mitigate the risk of social engineering and phishing-initiated cyber-attacks. Engage employees in this training by encouraging them to report threats.
From this analysis, you can determine any additional measures and solutions required and where they should be implemented. The information gathered in steps one to four helps to optimise step five and ensures you choose the right tools for your business.
Step six: Implement your strategy and keep it aligned to the business
The final but vital step in your cyber security strategy framework is in the implementation of your decisions. Step six brings steps one to five together to strengthen your security and make your organisation resilient against a cyber-attack and accidental data exposure.
Step six allows you to develop the security requirements needed to meet the business goals and align with core security needs.
Your implementation plan must also cover remediation and should be assigned to specific persons. These persons may include third parties if you use consultants or an MSP.
Importantly, because the cybersecurity landscape, assets, and technology change over time, your cyber security strategy framework should be regularly re-assessed to ensure optimisation of measures and approaches.
A security strategy framework is a critical part of a modern business. Security is everyone’s responsibility, and a cyber security strategy framework must reflect this.
A recent ISC Cybersecurity Workforce study highlighted the need for an additional 10,000 cybersecurity professionals to address the skills gap in Ireland.
With the extraordinary skills gap in mind, significant challenges lie ahead in the development and implementation of a strong cybersecurity framework. This is a process that needs to be done in a systematic and informed way to ensure success.
This framework is critical to your organisation as it forms part of a proactive approach to dealing with one of the world’s greatest challenges, cybersecurity threats.
Enterprise Defence are award-winning experts in developing effective cyber strategies that will help transform your cyber confidence.