Norm presents The Forgotten Middle Brochure - Flipbook - Page 13
The five steps to effective cyber risk management.
Know your cyber risk baseline
Before you implement any cyber security improvement measures, you must first accurately assess how well protected you are today. Before you can do that, you need to know what it is that you're trying to protect. Every organisation has data assets with varying levels of sensitivity – financial information, health records, employee details, etc. And every organisation will rely on certain systems to operate – an ecommerce business will be almost wholly reliant on its website, an FMCG business will be unable to deliver without its supply chain systems, and so on. You will therefore need to identify which of your systems and data are the most important, and the potential fallout of a cyber attack which compromises them. This will tell you which risks you need to prioritise.

Most midsize organisations will have made some investment in cyber security technologies and tools – even if that just means that you've bought a selection of products which are managed by an internal IT generalist, or appointed an ICT provider with some basic cyber security knowledge. Next, you need to work out how well the investments you have already made are protecting the assets you care most about. Once you've done that, you have your baseline.
*Our cyber security expert Jim likes a rubber ducky or two in the bath to remind him of work.
Basic hygiene and maintenance
Many of the most effective cyber security risk management practices should form part of your ongoing processes and procedures. Things like ensuring that employees only have access to the data and systems they need to do their job, and not allowing family and friends to use corporate devices, are common sense measures and do not require any additional investment. Similarly, patching and general maintenance of IT systems isn't just about protecting against cyber security attacks; it's vital to the smooth running of the business in general. There are several steps that you can take which don't cost a lot and don't require much manpower, and which will protect your organisation against many common threats.

What you will need to do is document and communicate these processes and ensure that you have a way of checking that they are being followed.

User awareness and training
This is fundamental to any effective cyber security defence. It has been stated many times that your users are the weakest link, but with the right training in place your users can become the strongest weapon in your arsenal. So many cyber attacks rely on human curiosity or indifference to succeed, so it's crucial to give your employees the right cyber safety training on an ongoing basis, to track their progress and to identify who might need extra help. A culture of openness and a "no blame" approach will also encourage your employees to report anything suspicious and let you know if they do make a mistake.