Running a business without a cyber incident strategy is like riding a bike without a helmet. Sure, you can probably go pretty far with no worries. But when you do run into trouble, the lack of a cyber strategy is going to cause you extra problems. Suddenly your life – or your business – is at risk.
A strong cyber security strategy is all about making sure that your board and your business are prepared. It’s not a rule book set in stone. It’s a constantly adapting and evolving set of guidelines.
The best cyber security strategies identify opportunities to grow your business while protecting it. They allow board members to stay involved without having to become cyber experts. They create safer pathways for your business to interact with those vital to your success.
Document your approach to cyber security
A well-crafted cyber security strategy is as unique as your business. No two strategies are the same. Develop a strategy that suits the size of your business, the industry you operate in, and the risk factors involved. If you don’t handle any payment data and have 5 employees, your strategy will look very different to that of a multinational company.
It can be easy to fall into thinking that you need a large document to cover every tiny detail. However, some of the best security strategies are simple and easy to enact. A complicated document can slow down your team – when a fast response matters. Rather than trying to look at every possible scenario, focus on helping your team to create the response you need. There will always be novel incidents; general guidelines will be more helpful for these than inapplicable walk-throughs.
Once you have your document, think about how to make sure it’s available to the people who’ll need it. Ensure that they know where it is and how to access it. Consider keeping both physical and digital copies; each has its own risk profile. For example, physical copies can be accessed by casual office visitors, while digital copies could be encrypted by ransomware and made unavailable to staff. Whichever you choose – physical, digital, or both – develop a strategy to keep them secure.
List all important digital assets, access, and security measures
Businesses are filled with data. Here are just a few examples:
- CRM tools.
- Inventory lists.
- Ecommerce websites and databases.
- Client financial information.
- Internal databases.
Unauthorised access to sensitive data can destroy customer confidence. We don’t need to look far into the events of 2022 to see how this can impact even the biggest businesses in Australia.
Without a list of all of your digital assets, you don’t have a full picture to work with. Your board of directors needs a comprehensive top-down view of everything data related. Include at least:
- Sensitive and non-sensitive data.
- Who has access.
- What security measures are in place.
The Cyber Security Governance Principles suggest that all directors ask these questions:
- Who has internal responsibility for the management and protection of our key digital assets?
- Who has access or decision-making rights to our key digital assets? For example, can all customer-facing staff access and change key databases?
- What access to key digital assets is provided to third parties?
- Where are our key digital assets located? Is this still appropriate given identified cyber risks?
- What is the role of external suppliers in hosting and managing key digital assets?
- What is the impact of the loss or compromise of any of our key digital assets?
Periodically review cyber strategy and risk controls
Part of the difficulty with cyber security and data protection is how much everything is always changing. Job roles change, employees come and go, and the bad guys always seem to be one step ahead of technology. This makes staying in the know difficult for even the most tech-savvy directors.
Your business has probably undergone some big changes in its lifetime. People joined and moved to different positions within the company. People left. New assets were created. Others fell out of use or became obsolete.
When these changes occurred, your risk controls might not have. An ex-employee might still have an active account somewhere in the system. A new employee might not have all the access needed to do their job. New, important assets might not be held in secure storage.
Staying on top of all of the ongoing changes is hard, but important. Your board needs an annual review of your data assets. Include a review of the cyber strategy and risk controls to make sure that your strategy remains fit for purpose.
Run a data review whenever there is a significant change in your organisation, the digital landscape, or major industry threats.
Develop a data governance framework
Cyber security isn’t just about preventing inappropriate access to personal and proprietary data. It also includes minimising the risk by:
- Only recording data that you absolutely need to.
- Staying vigilant about how and where necessary data is kept.
- Removing data that you don’t need anymore.
Where possible, trim down the data that you collect from customers and employees. If you don’t have it, you don’t have to worry about losing it. For example, if you run an ecommerce site, do you need to collect payment information like credit card details? Payment gateways like PayPal and Stripe have a lot of security infrastructure in place, and can collect and record this information for you. It never needs to be on your servers at all.
Have a strategy for keeping your liability to a minimum by deleting or destroying sensitive data that you no longer need. Along with only collecting data that you need, this is key to minimising the amount of data that you have to protect. For example, if a customer’s account has been inactive for 2 years, you might deactivate it and strip any private information from it.
Put together a framework that details:
- The personal data that you store about your customers or employees.
- Copies of any identity documents that you keep.
- Intellectual property that your organisation owns.
- How you store this data.
- Your processes for deleting or destroying sensitive data when it’s no longer needed.
Assess and work on cyber capability and maturity
It’s not bad to recognise that your organisation isn’t fully mature in its cyber security stance. Instead, aim for continuous improvement. Regularly audit your organisation’s capacity to respond to cyber incidents. Make incremental changes to address key weaknesses. Have a plan of attack for improving cyber capability.
Give the board annual reports about your ability and readiness to respond to cyber threats. Include things like:
- Skill sets: How many staff have cyber incident response skills.
- Skill gaps: Any cyber security skills that you don’t have coverage for.
- Infrastructure: Servers, network devices, online platforms, desktop computers, laptops, and mobile devices.
- Software: Current operating systems and key software on your machines.
- Planning: The controls you have in place to handle risk around cyber incidents.
- Future reporting: How and when you’ll report on cyber security strategy.
- Continuity planning: How you’ll ensure the business keeps running through a cyber incident.
- Improvement: Where you need to improve, why, and how you plan to do it.
When the board understands your cyber capability and maturity level, it can lead the organisation to a better, stronger stance.
Educate employees about your cyber strategy
Many companies implement a cyber strategy and data governance framework. Then they… email staff the documents. Unsurprisingly, even the most diligent employees tend to skim these documents at best. A structured training program helps your employees to learn and retain key points that they need to know. Help them to work with you to make your cyber strategy a reality – teach them what they can do better.
About PhishNet
We train people to reduce the risk of a devastating cyber incident.
To learn more about how PhishNet can work with you to train your people to make safe and smart choices, contact us today!